[strongSwan] roadwarrior IKEv2 PSK reauthentication issue

Lars Alex Pedersen laa at kamstrup.com
Sat Jun 10 08:08:09 CEST 2017


Thanks for your response.

We have looked into make-before-break and somehow decided not to use it, so
I'll look into that again. `ipsec stroke leases` gives a "no pools found" on a
strongswan 5.3.5. We are using the following ipsec.conf, but without TFC since
it isn't supported in pfsense.

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        #charondebug="cfg 4, dmn 4, ike 4, net 4"
        charondebug="cfg 1, dmn 2, ike 1"

conn %default
        ikelifetime=28800s
        lifetime=10800s
        margintime=600s
        keyingtries=1
        keyexchange=ikev2
        type=tunnel
        dpdaction=clear
        dpddelay=900s
        ike=aes256gcm128-sha512-ecp512bp,aes256gcm128-sha512-ecp521!
        esp=aes256gcm128-ecp512bp,aes256gcm128-ecp521,aes128gcm128-ecp256bp!
        authby=psk

# Configuration notes:
# left = local, right = remote
# leftid/rightid: ID payload exchanged during IKE (certificate: DN or
# subjectAltName)
# ! in ike and esp only allow specified cipher suites (no NSA downgrade)
# TFC: Traffic Flow Confidentiality
# DPD: Dead Peer Detection
conn roadwarrior
        left=192.168.248.17
        leftid=rwclient
        leftsourceip=%config
        leftfirewall=no
        right=200.100.10.1
        rightid=roadwarriorvpn-1
        rightsubnet=10.75.0.0/16
        tfc=1280
        auto=add

Best regards
Lars Alex Pedersen
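Editor's note, added to this archive page and not part of either poster's mail: the two knobs that decide what happens to a road warrior's virtual IP at IKE_SA reauthentication are `make_before_break` in strongswan.conf (suggested in the reply below) and `reauth` in ipsec.conf. The fragment below shows the default break-before-make behaviour next to the two alternatives, using the connection name and addresses from the posted ipsec.conf; the pool and identity values are the poster's, everything else is illustrative. Note also that `ipsec stroke leases` only lists pools held by the local charon; an initiator that merely requests an address with `leftsourceip=%config` owns no pool, so the "no pools found" answer is expected on the client and the lease table has to be read on the responder (pfSense) side.

```conf
# --- /etc/strongswan.conf (added example) -------------------------------
charon {
    # Default (no): break-before-make. On reauthentication the old IKE_SA and
    # its CHILD_SAs are deleted first, then a new IKE_SA is authenticated and
    # a virtual IP is requested again with a fresh CP payload. The responder
    # may hand out a different lease in that window.
    #
    # yes: make-before-break. The new IKE_SA and CHILD_SAs are created while
    # the old ones still exist and the old ones are deleted afterwards. The
    # peer must tolerate overlapping SAs (strongSwan >= 5.3.0 does).
    make_before_break = yes
}

# --- /etc/ipsec.conf (added example, same conn as in the post) ------------
conn %default
        ikelifetime=28800s
        lifetime=10800s
        margintime=600s
        keyingtries=1
        keyexchange=ikev2
        type=tunnel
        dpdaction=clear
        dpddelay=900s
        ike=aes256gcm128-sha512-ecp512bp,aes256gcm128-sha512-ecp521!
        esp=aes256gcm128-ecp512bp,aes256gcm128-ecp521,aes128gcm128-ecp256bp!
        authby=psk
        # Alternative to make-before-break: rekey the IKE_SA in place
        # (CREATE_CHILD_SA) instead of re-authenticating it. The virtual IP
        # is inherited by the rekeyed IKE_SA, so no new lease is requested.
        # Trade-off: the peer is not re-authenticated for the whole session,
        # only the keys are refreshed every ikelifetime.
        # reauth=no

conn roadwarrior
        left=192.168.248.17
        leftid=rwclient
        leftsourceip=%config
        leftfirewall=no
        right=200.100.10.1
        rightid=roadwarriorvpn-1
        rightsubnet=10.75.0.0/16
        auto=add
```

To see which lease a given identity currently holds, run `ipsec stroke leases` (or `ipsec leases`) on the responder that defines the pool, not on the road warrior; on the client `ipsec statusall` shows the virtual IP the current IKE_SA received. With `make_before_break = yes` only the IKE_SA lifetimes from `conn %default` above drive reauthentication, so the change is worth testing with `ikelifetime` shortened on a single client before rolling it out to all of them.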



-----Original Message-----
From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml at thermi.consulting]

Sent: 8. juni 2017 14:53
To: Lars Alex Pedersen <laa at kamstrup.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] roadwarrior IKEv2 PSK reauthentication issue



On 07.06.2017 11:31, Lars Alex Pedersen wrote:
> I got about 100 RW clients that are connecting to a pfsense 2.2.6 and 
> are seeing something odd when the clients are reauthenticating IKE_SA. 
> Can anybody tell why two different virtual IPs are received within 1 
> second? On the pfsense side I see that the same two roadwarriors are 
> "fighting" between the two virtual IPs, so if one gets 10.75.4.75 the 
> other will get 10.75.4.54.

What's your ipsec.conf and the current pool status (`ipsec stroke leases`)?
If you can, use make_before_break in strongswan.conf.

Kind regards

Noel

---
Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
