[strongSwan] Reauthentication causes communication interruption

Igor Gatis igor at esfera5.com.br
Thu Nov 10 16:37:51 CET 2016


I have the following setup:

[my-app] ==TLS==> [stunnel --TCP--> strongSwan] ++IPSEC++> [thirdparty-app]

Where everything [within brackets] happens on the same machine.

Every once in a while, I see the log lines below. After that, according to [my-app] logs, data was sent to stunnel normally. No signs of network error. However, my-app did not receive responses from [thirdparty-app]. This behavior lasted for ~20 min until stunnel timed out and a new connection was established, at which point things went back to normal.

Questions:

1. Why is this happening?

2. Should reauthentication be seamless for stunnel and thirdparty-app? If the answer is NO, how should stunnel behave then?


Nov 10 11:49:43 HOST1 charon: 02[IKE] reauthenticating IKE_SA VPN1[1]
Nov 10 11:49:43 HOST1 charon: 02[IKE] deleting IKE_SA VPN1[1] between xxx.xxx.xxx.xxx[yyy.yyy.yyy.yyy]...zzz.zzz.zzz.zzz[aaa.aaa.aaa.aaa]
Nov 10 11:49:43 HOST1 charon: 02[IKE] sending DELETE for IKE_SA VPN1[1]
Nov 10 11:49:43 HOST1 kernel: [3745465.531945] audit: type=1400 audit(1478778583.565:4059): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/13577/fd/" pid=13577 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 11:49:43 HOST1 charon: 01[IKE] IKE_SA deleted
Nov 10 11:49:43 HOST1 vpn: - aaa.aaa.aaa.aaa bbb.bbb.bbb.bbb/32 == zzz.zzz.zzz.zzz -- xxx.xxx.xxx.xxx == ccc.ccc.ccc.ccc/28
Nov 10 11:49:43 HOST1 charon: 01[IKE] restarting CHILD_SA VPN1
Nov 10 11:49:43 HOST1 charon: 01[IKE] initiating IKE_SA VPN1[2] to zzz.zzz.zzz.zzz
Nov 10 11:49:43 HOST1 charon: 10[IKE] received Cisco Delete Reason vendor ID
Nov 10 11:49:43 HOST1 charon: 10[IKE] received Cisco Copyright (c) 2009 vendor ID
Nov 10 11:49:43 HOST1 charon: 10[IKE] received FRAGMENTATION vendor ID
Nov 10 11:49:43 HOST1 charon: 10[IKE] local host is behind NAT, sending keep alives
Nov 10 11:49:43 HOST1 charon: 10[IKE] remote host is behind NAT
Nov 10 11:49:43 HOST1 charon: 10[IKE] authentication of 'yyy.yyy.yyy.yyy' (myself) with pre-shared key
Nov 10 11:49:43 HOST1 charon: 10[IKE] establishing CHILD_SA VPN1{1}
Nov 10 11:49:44 HOST1 charon: 13[IKE] authentication of 'aaa.aaa.aaa.aaa' with pre-shared key successful
Nov 10 11:49:44 HOST1 charon: 13[IKE] IKE_SA VPN1[2] established between xxx.xxx.xxx.xxx[yyy.yyy.yyy.yyy]...zzz.zzz.zzz.zzz[aaa.aaa.aaa.aaa]
Nov 10 11:49:44 HOST1 charon: 13[IKE] scheduling reauthentication in 86150s
Nov 10 11:49:44 HOST1 charon: 13[IKE] maximum IKE_SA lifetime 86330s
Nov 10 11:49:44 HOST1 charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 10 11:49:44 HOST1 charon: 13[IKE] CHILD_SA VPN1{28} established with SPIs c5ff4cea_i 9f0d0d53_o and TS ccc.ccc.ccc.ccc/28 === bbb.bbb.bbb.bbb/32
Nov 10 11:49:44 HOST1 kernel: [3745466.048974] audit: type=1400 audit(1478778584.081:4060): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/13586/fd/" pid=13586 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 11:49:44 HOST1 vpn: + aaa.aaa.aaa.aaa bbb.bbb.bbb.bbb/32 == zzz.zzz.zzz.zzz -- xxx.xxx.xxx.xxx == ccc.ccc.ccc.ccc/28

...

Nov 10 12:05:50 HOST1 stunnel: LOG3[3]: writesocket: Connection timed out (110)
Nov 10 12:05:50 HOST1 stunnel: LOG5[3]: Connection reset: 2186222 byte(s) sent to SSL, 721569 byte(s) sent to socket
Nov 10 12:05:50 HOST1 stunnel: LOG5[12]: Service [VPN1] accepted connection from ddd.ddd.ddd.ddd:50204
Nov 10 12:05:50 HOST1 stunnel: LOG6[12]: SSL accepted: new session negotiated
Nov 10 12:05:50 HOST1 stunnel: LOG6[12]: No peer certificate received
Nov 10 12:05:50 HOST1 stunnel: LOG6[12]: Negotiated TLSv1 ciphersuite ECDHE-RSA-AES256-SHA (256-bit encryption)
Nov 10 12:05:50 HOST1 stunnel: LOG6[12]: s_connect: connecting bbb.bbb.bbb.bbb:10062
Nov 10 12:05:50 HOST1 stunnel: LOG5[12]: s_connect: connected bbb.bbb.bbb.bbb:10062
Nov 10 12:05:50 HOST1 stunnel: LOG6[12]: persistence: bbb.bbb.bbb.bbb:10062 cached
Nov 10 12:05:50 HOST1 stunnel: LOG5[12]: Service [VPN1] connected remote server from xxx.xxx.xxx.xxx:60098
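Editor's note with an added example (this is not code from the original post, nor from strongSwan or stunnel). The two timings that answer question 1 are both in the log above, but not side by side: how long the connection had no CHILD_SA after "deleting IKE_SA", and how long after that the proxied TCP session sat before stunnel gave up. The script below measures both over a constructed, abridged copy of the post's own lines (addresses as anonymised in the post; the syslog lines carry no year, so 2016 is assumed):

```python
"""Correlate strongSwan IKE_SA reauthentication with stunnel TCP write timeouts.

Added example, not code from the original post or from strongSwan/stunnel.
SAMPLE_LOG is a constructed, abridged copy of the lines in the post.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

YEAR = 2016  # assumption: syslog lines carry no year; the post is dated Nov 2016

# Constructed sample input, abridged from the post (the "..." line is kept on
# purpose: the parser must skip non-syslog lines instead of crashing on them).
SAMPLE_LOG = """\
Nov 10 11:49:43 HOST1 charon: 02[IKE] reauthenticating IKE_SA VPN1[1]
Nov 10 11:49:43 HOST1 charon: 02[IKE] deleting IKE_SA VPN1[1] between xxx.xxx.xxx.xxx[yyy.yyy.yyy.yyy]...zzz.zzz.zzz.zzz[aaa.aaa.aaa.aaa]
Nov 10 11:49:43 HOST1 charon: 01[IKE] IKE_SA deleted
Nov 10 11:49:43 HOST1 charon: 01[IKE] restarting CHILD_SA VPN1
Nov 10 11:49:44 HOST1 charon: 13[IKE] IKE_SA VPN1[2] established between xxx.xxx.xxx.xxx[yyy.yyy.yyy.yyy]...zzz.zzz.zzz.zzz[aaa.aaa.aaa.aaa]
Nov 10 11:49:44 HOST1 charon: 13[IKE] CHILD_SA VPN1{28} established with SPIs c5ff4cea_i 9f0d0d53_o and TS ccc.ccc.ccc.ccc/28 === bbb.bbb.bbb.bbb/32
...
Nov 10 12:05:50 HOST1 stunnel: LOG3[3]: writesocket: Connection timed out (110)
Nov 10 12:05:50 HOST1 stunnel: LOG5[3]: Connection reset: 2186222 byte(s) sent to SSL, 721569 byte(s) sent to socket
Nov 10 12:05:50 HOST1 stunnel: LOG5[12]: Service [VPN1] accepted connection from ddd.ddd.ddd.ddd:50204
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ ")
REAUTH_RE = re.compile(r"charon: \S+ reauthenticating IKE_SA (?P<conn>[^\[]+)\[(?P<id>\d+)\]")
DELETE_RE = re.compile(r"charon: \S+ deleting IKE_SA (?P<conn>[^\[]+)\[(?P<id>\d+)\]")
CHILD_UP_RE = re.compile(r"charon: \S+ CHILD_SA (?P<conn>[^{]+)\{\d+\} established")
STUNNEL_TIMEOUT_RE = re.compile(r"stunnel: LOG\d\[(?P<sess>\d+)\]: writesocket: Connection timed out")


@dataclass
class Reauth:
    conn: str
    old_id: int
    started: datetime
    deleted: Optional[datetime] = None   # "deleting IKE_SA": CHILD_SAs go away here
    restored: Optional[datetime] = None  # next "CHILD_SA conn{n} established"

    @property
    def outage_start(self) -> datetime:
        return self.deleted or self.started

    @property
    def gap_seconds(self) -> Optional[float]:
        """Seconds this connection had no CHILD_SA; None if it never came back."""
        if self.restored is None:
            return None
        return (self.restored - self.outage_start).total_seconds()


@dataclass
class Stall:
    session: int
    at: datetime
    reauth: Optional[Reauth]  # most recent reauth before the timeout, if any

    @property
    def seconds_since_reauth(self) -> Optional[float]:
        if self.reauth is None:
            return None
        return (self.at - self.reauth.outage_start).total_seconds()


def parse_timestamp(line: str) -> Optional[datetime]:
    """Syslog prefix -> datetime, or None for lines that are not syslog records."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=YEAR)


def _pending_reauth(reauths: List[Reauth], conn: str) -> Optional[Reauth]:
    """Latest reauth of `conn` whose CHILD_SA has not been re-established yet."""
    for r in reversed(reauths):
        if r.conn == conn and r.restored is None:
            return r
    return None


def analyze(log_text: str) -> Dict[str, list]:
    reauths: List[Reauth] = []
    stalls: List[Stall] = []
    for line in log_text.splitlines():
        ts = parse_timestamp(line)
        if ts is None:
            continue
        m = REAUTH_RE.search(line)
        if m:
            reauths.append(Reauth(m.group("conn"), int(m.group("id")), ts))
            continue
        m = DELETE_RE.search(line)
        if m:
            r = _pending_reauth(reauths, m.group("conn"))
            if r is not None and r.deleted is None:
                r.deleted = ts
            continue
        m = CHILD_UP_RE.search(line)
        if m:
            r = _pending_reauth(reauths, m.group("conn"))
            if r is not None:  # a CHILD_SA without a pending reauth is a normal bring-up
                r.restored = ts
            continue
        m = STUNNEL_TIMEOUT_RE.search(line)
        if m:
            prior = [r for r in reauths if r.outage_start <= ts]
            stalls.append(Stall(int(m.group("sess")), ts, prior[-1] if prior else None))
    return {"reauths": reauths, "stalls": stalls}


def summarize(result: Dict[str, list]) -> List[str]:
    out = []
    for r in result["reauths"]:
        gap = "CHILD_SA never restored" if r.gap_seconds is None else f"no CHILD_SA for {r.gap_seconds:.0f}s"
        out.append(f"{r.conn}[{r.old_id}]: reauth at {r.started:%H:%M:%S}, {gap}")
    for s in result["stalls"]:
        cause = ("no preceding reauth" if s.reauth is None
                 else f"{s.seconds_since_reauth:.0f}s after {s.reauth.conn} reauth")
        out.append(f"stunnel session {s.session}: TCP write timeout at {s.at:%H:%M:%S}, {cause}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(analyze(SAMPLE_LOG))))
```

On the post's lines the script reports a 1 s window without a CHILD_SA and a stunnel write timeout 967 s (about 16 min) later. Two points follow for a practitioner. First, strongSwan reauthentication is break-before-make by default: the old IKE_SA and its CHILD_SAs are deleted before the replacement exists, which is the window measured here; for IKEv2 (the ESP_TFC_PADDING notify in the log marks this as IKEv2) that window is avoided with `reauth=no` in ipsec.conf, which rekeys the IKE_SA in place, or kept but made overlapping with `charon.make_before_break = yes` in strongswan.conf (strongSwan 5.3.0 and later). Second, a one-second gap does not by itself explain a 16-minute stall; that duration is the order of magnitude at which Linux gives up retransmitting an unacknowledged TCP segment (default `tcp_retries2 = 15`), so the proxied TCP session was stuck the whole time and stunnel only learned of it when the kernel returned ETIMEDOUT on the write. Whether the far side (a Cisco, per the vendor IDs) kept sending on the old SA, or the NAT mapping noted in the log changed across the reauth, cannot be read from these lines; a packet capture on the outer interface across the next reauth would settle it.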

