[strongSwan] executing updown script when IKE is created and deleted

Nimo gnimozyu at gmail.com
Fri Aug 18 06:54:18 CEST 2017


Hi,

I'm using strongSwan 5.5.3 with the following conditions:
- kernel 3.10.104
- client is Windows 7. Type of VPN is IKEv2, authentication is "Use machine
certificates"
- ipsec.conf
--------------------------
conn win_client
        left            = %defaultroute
        leftauth        = pubkey
        leftcert        = serverCert.pem
        leftsubnet      = 0.0.0.0/0
        leftid          = @test.xxx.yyy.net
        right           = %any
        rightsourceip   = %range1
        rightid         = "C=JA, O=test.xxx.yyy.net, CN=*"
        rightdns        = 8.8.8.8,8.8.4.4
        fragmentation   = yes
        keyexchange     = ikev2
        ike             = aes256-sha1-modp1024!
        esp             = aes256-sha1!
        rekey           = no
        leftupdown      = "/usr/bin/updown.sh"
        auto            = add
--------------------------

IKE_SA and CHILD_SA were established and communication works fine.
But, if no traffic is sent or received on Windows for several minutes,
Windows sent an INFORMATIONAL message and the CHILD_SA was closed as below:
--------------------------------------------------------------
2017-08-18 09:23:25 strongswan charon: 12[NET] sending packet: from
<strongSwan IP address>[4500] to <Windows NAT address>[54578] (204 bytes)
2017-08-18 09:31:45 strongswan charon: 09[NET] received packet: from
<Windows NAT address>[54578] to <strongSwan IP address>[4500] (76 bytes)
2017-08-18 09:31:45 strongswan charon: 09[ENC] parsed INFORMATIONAL request
6 [ D ]
2017-08-18 09:31:45 strongswan charon: 09[IKE] received DELETE for ESP
CHILD_SA with SPI bf296186
2017-08-18 09:31:45 strongswan charon: 09[IKE] closing CHILD_SA
win_client{3} with SPIs cb24106a_i (300 bytes) bf296186_o (126 bytes) and
TS 0.0.0.0/0 === 192.168.50.100/32
2017-08-18 09:31:45 strongswan charon: 09[IKE] closing CHILD_SA
win_client{3} with SPIs cb24106a_i (300 bytes) bf296186_o (126 bytes) and
TS 0.0.0.0/0 === 192.168.50.100/32
2017-08-18 09:31:45 strongswan charon: 09[IKE] sending DELETE for ESP
CHILD_SA with SPI cb24106a
2017-08-18 09:31:45 strongswan charon: 09[IKE] CHILD_SA closed
2017-08-18 09:31:45 strongswan charon: 09[ENC] generating INFORMATIONAL
response 6 [ D ]
2017-08-18 09:31:45 strongswan charon: 09[NET] sending packet: from
<strongSwan IP address>[4500] to <Windows NAT address>[54578] (76 bytes)
2017-08-18 09:35:29 strongswan charon: 09[NET] received packet: from
<Windows NAT address>[54578] to <strongSwan IP address>[4500] (252 bytes)
--------------------------------------------------------------

Then, the leftupdown script was executed with "PLUTO_VERB=down-client".
But the IKE_SA is still alive, and the Windows adapter status shows the VPN as
connecting.
--------------------------------------------------------------
[strongswan] ~ # ipsec status
Security Associations (1 up, 0 connecting):
  win_client[2]: ESTABLISHED 21 minutes ago, <strongSwan IP address>[
test.xxx.yyy.net]...<Windows NAT address>[C=JA, O=test.xxx.yyy.net,
CN=test-perl-client1]
[strongswan] ~ #
--------------------------------------------------------------

Then I disconnected on Windows.
--------------------------------------------------------------
2017-08-18 13:45:31 strongswan charon: 04[NET] received packet: from
<strongSwan IP address>[4500] to <Windows NAT address>[4500] (76 bytes)
2017-08-18 13:45:31 strongswan charon: 04[ENC] parsed INFORMATIONAL request
9 [ D ]
2017-08-18 13:45:31 strongswan charon: 04[IKE] received DELETE for IKE_SA
win_client[9]
2017-08-18 13:45:31 strongswan charon: 04[IKE] deleting IKE_SA
win_client[9] between <Windows NAT address>[test.xxx.yyy.net]...<strongSwan
IP address>[C=JA, O=test.xxx.yyy.net, CN=test-perl-client1]
2017-08-18 13:45:31 strongswan charon: 04[IKE] deleting IKE_SA
win_client[9] between <Windows NAT address>[test.xxx.yyy.net]...<strongSwan
IP address>[C=JA, O=test.xxx.yyy.net.net, CN=test-perl-client1]
2017-08-18 13:45:31 strongswan charon: 04[IKE] IKE_SA deleted
2017-08-18 13:45:31 strongswan charon: 04[IKE] IKE_SA deleted
2017-08-18 13:45:31 strongswan charon: 04[ENC] generating INFORMATIONAL
response 9 [ ]
2017-08-18 13:45:31 strongswan charon: 04[NET] sending packet: from
<Windows NAT address>[4500] to <strongSwan IP address>[4500] (76 bytes....
--------------------------------------------------------------

Is there any way to execute an external script when the IKE_SA is created and
deleted?

regards,
---
takumi kadode
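A worked example of what the leftupdown hook can and cannot tell you, added here as an illustration and not code from the original post or from the strongSwan project: the script below counts the CHILD_SAs it has seen come up and go down per IKE_SA, so that a single "down-client" for one deleted CHILD_SA is not mistaken for the IKE_SA being gone (as the log above shows, the IKE_SA stays ESTABLISHED after the peer deletes only the CHILD_SA). It assumes charon's updown plugin exports PLUTO_VERB, PLUTO_CONNECTION, PLUTO_UNIQUEID (the IKE_SA unique id), PLUTO_PEER and PLUTO_PEER_CLIENT to the script; the state directory, log file path and the event names are made up for the example.

```sh
#!/bin/sh
# Added example, not the poster's /usr/bin/updown.sh: a leftupdown handler that
# keeps a per-IKE_SA count of live CHILD_SAs, so that one "down-client" (a
# single CHILD_SA deleted, as in the log above) is not mistaken for the IKE_SA
# going away.  Assumed environment: charon's updown plugin exports PLUTO_VERB,
# PLUTO_CONNECTION, PLUTO_UNIQUEID (IKE_SA unique id), PLUTO_PEER and
# PLUTO_PEER_CLIENT.  State directory and log file paths are made up for the
# example and can be overridden through the environment.

STATE_DIR="${UPDOWN_STATE_DIR:-/var/run/updown-example}"
LOG_FILE="${UPDOWN_LOG:-/var/log/updown-example.log}"

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >> "$LOG_FILE"
}

# child_count UNIQUEID: number of CHILD_SAs currently recorded for that IKE_SA.
child_count() {
    if [ -f "$STATE_DIR/$1" ]; then
        cat "$STATE_DIR/$1"
    else
        echo 0
    fi
}

# updown_event VERB UNIQUEID: update the counter and print the event the script
# can actually infer from CHILD_SA-level hooks:
#   first-child-up   - first CHILD_SA of this IKE_SA came up
#   child-up         - an additional CHILD_SA came up
#   child-down       - a CHILD_SA went down, others remain
#   last-child-down  - no CHILD_SA left (the IKE_SA itself may still be alive)
#   ignore           - any other verb
updown_event() {
    verb="$1"
    sa="$2"
    mkdir -p "$STATE_DIR"
    n=$(child_count "$sa")
    case "$verb" in
        up-client*|up-host*)
            n=$((n + 1))
            echo "$n" > "$STATE_DIR/$sa"
            if [ "$n" -eq 1 ]; then echo first-child-up; else echo child-up; fi
            ;;
        down-client*|down-host*)
            n=$((n - 1))
            if [ "$n" -le 0 ]; then
                # Counter never goes negative: a stray down is treated as "all gone".
                rm -f "$STATE_DIR/$sa"
                echo last-child-down
            else
                echo "$n" > "$STATE_DIR/$sa"
                echo child-down
            fi
            ;;
        *)
            echo ignore
            ;;
    esac
}

# Entry point when charon runs the script (PLUTO_VERB is set).  The functions
# above can also be exercised by hand without a running charon.
if [ -n "${PLUTO_VERB:-}" ]; then
    event=$(updown_event "$PLUTO_VERB" "${PLUTO_UNIQUEID:-unknown}")
    log "conn=${PLUTO_CONNECTION:-?} ike=${PLUTO_UNIQUEID:-?} peer=${PLUTO_PEER:-?}" \
        "client=${PLUTO_PEER_CLIENT:-?} verb=$PLUTO_VERB event=$event"
    # Hook site: act on $event here (firewall or routing changes).  Note that
    # the IKE_SA may still be ESTABLISHED after last-child-down.
fi
```

Install it as the leftupdown script (executable, root-owned), or source it and call updown_event by hand with a verb and an IKE_SA id. Even with the counter, the script only ever observes CHILD_SA events: last-child-down means every CHILD_SA of that IKE_SA is gone, not that the IKE_SA was deleted, so an IKE_SA-level notification needs a hook other than the updown plugin.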