[strongSwan] roadwarrior IKEv2 PSK reauthentication issue

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sat Jun 10 13:50:26 CEST 2017


Hello Lars,

You need to run `ipsec stroke leases` on the host that assigns the virtual IPs.

Kind regards

Noel


On 10.06.2017 08:08, Lars Alex Pedersen wrote:
> Thanks for your response.
> 
> We have looked into make-before-break and somehow decided to not use it, so
> I'll look into that again. Ipsec stroke leases gives a "no pools found" on a
> strongswan 5.3.5. We are using following ipsec.conf, but without TFC since
> it isn't supported in pfsense.
> 
> # /etc/ipsec.conf - strongSwan IPsec configuration file
> 
> config setup
>         #charondebug="cfg 4, dmn 4, ike 4, net 4"
>         charondebug="cfg 1, dmn 2, ike 1"
> 
> conn %default
>         ikelifetime=28800s
>         lifetime=10800s
>         margintime=600s
>         keyingtries=1
>         keyexchange=ikev2
>         type=tunnel
>         dpdaction=clear
>         dpddelay=900s
>         ike=aes256gcm128-sha512-ecp512bp,aes256gcm128-sha512-ecp521!
>         esp=aes256gcm128-ecp512bp,aes256gcm128-ecp521,aes128gcm128-ecp256bp!
>         authby=psk
> 
> # Configuration notes:
> # left = local, right = remote
> # leftid/rightid: ID payload exchanged during IKE (certificate: DN or subjectAltName)
> # ! in ike and esp only allows the specified cipher suites (no NSA downgrade)
> # TFC: Traffic Flow Confidentiality
> # DPD: Dead Peer Detection
> conn roadwarrior
>         left=192.168.248.17
>         leftid=rwclient
>         leftsourceip=%config
>         leftfirewall=no
>         right=200.100.10.1
>         rightid=roadwarriorvpn-1
>         rightsubnet=10.75.0.0/16
>         tfc=1280
>         auto=add
> 
> Best regards
> Lars Alex Pedersen
> 
> 
> 
> -----Original Message-----
> From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml at thermi.consulting]
> 
> Sent: 8. juni 2017 14:53
> To: Lars Alex Pedersen <laa at kamstrup.com>; users at lists.strongswan.org
> Subject: Re: [strongSwan] roadwarrior IKEv2 PSK reauthentication issue
> 
> 
> 
> On 07.06.2017 11:31, Lars Alex Pedersen wrote:
>> I got about 100 RW clients that are connecting to a pfsense 2.2.6 and
>> are seeing something odd when the clients are reauthenticating IKE_SA.
>> Can anybody tell why two different virtual IPs are received within 1
>> second? On the pfsense side I see that the same two roadwarriors are
>> "fighting" between the two virtual IPs, so if one gets 10.75.4.75 the
>> other will get 10.75.4.54.
> 
> What's your ipsec.conf and the current pool status (`ipsec stroke leases`)?
> If you can, use make_before_break in strongswan.conf.
> 
> Kind regards
> 
> Noel
> 
> ---
> Noel Kuntze
> IT security consultant
> 
> GPG Key ID: 0x0739AD6C
> Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
> 
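As an added example (not code from the thread or from the strongSwan project), the following Python script parses `ipsec stroke leases` output taken on the host that assigns the virtual IPs, as Noel recommends, and reports identities that hold more than one online lease at the same time, which is the pattern Lars describes. The sample output is constructed and only approximates the real format; the exact column layout is an assumption, so adjust LEASE_RE if your version prints it differently.

```python
import re
import sys
from collections import defaultdict

# Constructed sample approximating `ipsec stroke leases` output on the pool host.
# The exact column layout is an assumption; adjust LEASE_RE if your version differs.
SAMPLE_LEASES = """\
Leases in pool 'rw_pool', usage: 3/4094, 3 online
     10.75.4.75   online   'rwclient'
     10.75.4.54   online   'rwclient'
     10.75.4.12   online   'rwclient-other'
"""

POOL_RE = re.compile(r"^Leases in pool '(?P<pool>[^']+)', usage: (?P<used>\d+)/(?P<size>\d+), (?P<online>\d+) online")
LEASE_RE = re.compile(r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<state>\S+)\s+'(?P<id>[^']*)'\s*$")


def parse_leases(text):
    """Return {pool_name: [(ip, state, identity), ...]} from stroke leases output."""
    pools = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = POOL_RE.match(line)
        if m:
            current = m.group("pool")
            pools[current]  # create the pool entry even if it lists no leases
            continue
        m = LEASE_RE.match(line)
        if m and current is not None:
            pools[current].append((m.group("ip"), m.group("state"), m.group("id")))
    return dict(pools)


def duplicate_identities(pools, states=("online",)):
    """Per pool, map each identity holding more than one lease in `states` to its IPs.
    One peer ID with two online leases matches the symptom in the thread: a
    reauthenticating roadwarrior ending up with two different virtual IPs."""
    result = {}
    for pool, leases in pools.items():
        by_id = defaultdict(list)
        for ip, state, ident in leases:
            if state in states:
                by_id[ident].append(ip)
        dups = {ident: ips for ident, ips in by_id.items() if len(ips) > 1}
        if dups:
            result[pool] = dups
    return result


if __name__ == "__main__":
    # Read real output when piped in (ipsec stroke leases | python3 this.py), else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LEASES
    for pool, dups in duplicate_identities(parse_leases(text)).items():
        for ident, ips in dups.items():
            print(f"pool {pool}: identity {ident!r} holds {len(ips)} online leases: {', '.join(ips)}")
```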
