[strongSwan] IPsec XAuth reauth problems
Patrick Velder
lists at velder.li
Thu May 12 13:09:32 CEST 2016
Hi
Anyone have an idea? ;-)
Thanks and Regards
Patrick
On 30.04.2016 05:06, Patrick Velder wrote:
> Hi
>
> I just set up strongSwan as an XAuth client for my MikroTik RouterOS server.
> If the client connects, the connection will work for 5 minutes. Then
> the connection to the remote networks drops.
>
> According to the log, there is a reauth:
>
>> Apr 30 03:20:24 lenovo charon: 11[NET] received packet: from
>> 185.117.xx.xx[4500] to 192.168.251.75[4500] (324 bytes)
>> Apr 30 03:20:24 lenovo charon: 11[ENC] parsed ID_PROT response 0 [ KE
>> No NAT-D NAT-D ]
>> Apr 30 03:20:24 lenovo charon: 11[IKE] local host is behind NAT,
>> sending keep alives
>> Apr 30 03:20:24 lenovo charon: 11[ENC] generating ID_PROT request 0 [
>> ID HASH ]
>> Apr 30 03:20:24 lenovo charon: 11[NET] sending packet: from
>> 192.168.251.75[4500] to 185.117.xx.xx[4500] (124 bytes)
>> Apr 30 03:20:24 lenovo charon: 12[NET] received packet: from
>> 185.117.xx.xx[4500] to 192.168.251.75[4500] (124 bytes)
>> Apr 30 03:20:24 lenovo charon: 12[ENC] parsed ID_PROT response 0 [ ID
>> HASH ]
>> Apr 30 03:20:24 lenovo charon: 08[NET] received packet: from
>> 185.117.xx.xx[4500] to 192.168.251.75[4500] (124 bytes)
>> Apr 30 03:20:24 lenovo charon: 08[ENC] parsed TRANSACTION request
>> 2192071535 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
>> Apr 30 03:20:24 lenovo charon: 08[ENC] generating TRANSACTION
>> response 2192071535 [ HASH CPRP(X_USER X_PWD) ]
>> Apr 30 03:20:24 lenovo charon: 08[NET] sending packet: from
>> 192.168.251.75[4500] to 185.117.xx.xx[4500] (140 bytes)
>> Apr 30 03:20:24 lenovo charon: 04[NET] received packet: from
>> 185.117.xx.xx[4500] to 192.168.251.75[4500] (124 bytes)
>> Apr 30 03:20:24 lenovo charon: 04[ENC] parsed TRANSACTION request
>> 3861230316 [ HASH CPS(X_STATUS) ]
>> Apr 30 03:20:24 lenovo charon: 04[IKE] XAuth authentication of
>> 'patrick' (myself) successful
>> Apr 30 03:20:24 lenovo charon: 04[IKE] IKE_SA ipsec-zrh1[3]
>> established between
>> 192.168.251.75[patrick]...185.117.xx.xx[185.117.xx.xx]
>> Apr 30 03:20:24 lenovo charon: 04[IKE] scheduling reauthentication in
>> 163s
>> Apr 30 03:20:24 lenovo charon: 04[IKE] maximum IKE_SA lifetime 703s
>> Apr 30 03:20:24 lenovo charon: 04[ENC] generating TRANSACTION
>> response 3861230316 [ HASH CPA(X_STATUS) ]
>> Apr 30 03:20:24 lenovo charon: 04[NET] sending packet: from
>> 192.168.251.75[4500] to 185.117.xx.xx[4500] (124 bytes)
>> Apr 30 03:20:24 lenovo charon: 04[ENC] generating TRANSACTION request
>> 3405112023 [ HASH CPRQ(ADDR DNS) ]
>> Apr 30 03:20:24 lenovo charon: 04[NET] sending packet: from
>> 192.168.251.75[4500] to 185.117.xx.xx[4500] (124 bytes)
>> Apr 30 03:20:24 lenovo charon: 09[NET] received packet: from
>> 185.117.xx.xx[4500] to 192.168.251.75[4500] (124 bytes)
>> Apr 30 03:20:24 lenovo charon: 09[ENC] parsed TRANSACTION response
>> 3405112023 [ HASH CPRP(ADDR) ]
>> Apr 30 03:20:24 lenovo charon: 09[IKE] installing new virtual IP
>> 10.255.4.251
>> Apr 30 03:20:25 lenovo charon: 07[IKE] sending DPD request
>> Apr 30 03:20:27 lenovo charon: 10[IKE] sending keep alive to
>> 185.117.xx.xx[4500]
>> Apr 30 03:20:34 lenovo charon: 11[NET] received packet: from
>> 185.117.xx.xx[4500] to 192.168.251.75[4500] (140 bytes)
>
>
> Also the virtual IP has changed. The tunnel itself stays up, but
> according to setkey, the SAs / policy routes are not updated with the
> new virtual IP. I think that's the reason why the connection is not
> working anymore (the connection does not come up again).
>
>
> Client:
>
>> conn ipsec-zrh1
>> fragmentation=yes
>> mobike=no
>> keyexchange=ikev1
>> left=%defaultroute
>> leftauth=psk
>> leftauth2=xauth
>> leftid=patrick
>> leftsourceip=%config
>> xauth_identity=patrick
>> right=185.117.xx.x
>> rightsubnet=10.64.136.0/22
>> rightauth=psk
>> auto=start
>> ike=aes256-sha512-modp1024!
>> esp=aes256-sha512-modp1024!
>> ikelifetime=1200s
>> lifetime=3600s
>> dpdaction=clear
>> dpddelay=10s
>> dpdtimeout=60s
>> aggressive=no
>
> Version: 5.1.2 on xubuntu 14.04
>
>
> Server:
>>
>> /ip ipsec mode-config
>> add address-pool=vpn name=roadwarrior send-dns=no
>> split-include=10.64.136.0/22
>> /ip ipsec policy group
>> add name=roadwarrior
>> /ip ipsec proposal
>> set [ find default=yes ] auth-algorithms=sha512
>> enc-algorithms=aes-256-cbc lifetime=1h
>> /ip ipsec policy
>> add dst-address=10.64.136.0/22 group=roadwarrior
>> src-address=10.255.4.0/24 template=yes
>> add dst-address=10.255.4.0/24 group=roadwarrior
>> src-address=10.64.136.0/22 template=yes
>> /ip ipsec peer
>> add address=0.0.0.0/0 auth-method=pre-shared-key-xauth
>> dpd-interval=10s enc-algorithm=aes-256 generate-policy=port-strict
>> hash-algorithm=sha512 lifetime=20m local-address=185.117.xx.xx
>> mode-config=roadwarrior passive=yes policy-template-group=roadwarrior
>> secret=asecret
>> /ip ipsec user
>> add name=patrick password=anything
>> /ip pool
>> add name=vpn ranges=10.255.4.2-10.255.4.254
>
>
> RouterOS 6.34.4 on CCR1009-8G-1S-1S+
>
>
> Any ideas what the reason is and how I can stop the IP address
> change/disconnection? :-)
>
> Thanks and best regards
> Patrick
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
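The two timer lines in the quoted log (reauthentication in 163s, maximum IKE_SA lifetime 703s) follow from the client's ikelifetime=1200s once strongSwan's defaults rekeymargin=540s and rekeyfuzz=100% are applied: the margin is subtracted from ikelifetime and randomly enlarged by up to rekeyfuzz percent, and the hard lifetime is the scheduled reauth time plus the margin. This added example (not the poster's code; the defaults are taken from the ipsec.conf documentation) parses those log lines and checks them against that rule, which is the first thing to verify before suspecting the peer.

```python
import re

# Lines copied from the charon log quoted in the post (addresses masked as posted).
POSTED_LOG = """\
Apr 30 03:20:24 lenovo charon: 04[IKE] IKE_SA ipsec-zrh1[3] established between 192.168.251.75[patrick]...185.117.xx.xx[185.117.xx.xx]
Apr 30 03:20:24 lenovo charon: 04[IKE] scheduling reauthentication in 163s
Apr 30 03:20:24 lenovo charon: 04[IKE] maximum IKE_SA lifetime 703s
Apr 30 03:20:24 lenovo charon: 09[IKE] installing new virtual IP 10.255.4.251
"""


def reauth_window(ikelifetime, rekeymargin=540, rekeyfuzz=100):
    """Return (earliest, latest) seconds after which strongSwan reauthenticates.

    The margin is randomly increased by up to rekeyfuzz percent, so the reauth
    fires between ikelifetime - margin*(1+fuzz) and ikelifetime - margin.
    Defaults are strongSwan's documented rekeymargin=540s, rekeyfuzz=100%."""
    latest = ikelifetime - rekeymargin
    earliest = ikelifetime - rekeymargin * (100 + rekeyfuzz) // 100
    return earliest, latest


def parse_charon(text):
    """Extract the reauth timer, hard lifetime and assigned virtual IPs."""
    events = {"virtual_ips": []}
    for line in text.splitlines():
        m = re.search(r"scheduling reauthentication in (\d+)s", line)
        if m:
            events["reauth"] = int(m.group(1))
        m = re.search(r"maximum IKE_SA lifetime (\d+)s", line)
        if m:
            events["max_lifetime"] = int(m.group(1))
        m = re.search(r"installing new virtual IP (\S+)", line)
        if m:
            events["virtual_ips"].append(m.group(1))
    return events


def explain(events, ikelifetime, rekeymargin=540, rekeyfuzz=100):
    """Report which logged timers are fully explained by the local config."""
    lo, hi = reauth_window(ikelifetime, rekeymargin, rekeyfuzz)
    reauth, hard = events["reauth"], events["max_lifetime"]
    findings = []
    if lo <= reauth <= hi:
        findings.append(f"reauth in {reauth}s lies in the expected {lo}-{hi}s window")
    if hard == reauth + rekeymargin:
        findings.append(f"hard lifetime {hard}s = reauth {reauth}s + rekeymargin {rekeymargin}s")
    return findings
```

With the posted values both checks pass, so the early reauthentication is the client's own scheduling, not something the MikroTik imposed.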