[strongSwan] roadwarrior IKEv2 PSK reauthentication issue

Lars Alex Pedersen laa at kamstrup.com
Mon Jun 12 10:15:42 CEST 2017


The output looks something like this. So my original statement isn't quite
true since it looks like the rwclient got both an offline and an online
lease and flips between the IP addresses during a reauth. So basically a
client will "hold" two virtual IPs (I know that the offline IPs will be
used when the pool is filled).

$ ipsec stroke leases
<leases>
<pool>
<name>10.75.4.0/22</name><size>1022</size><usage>78</usage><online>72</online>
<lease>
<host>10.75.4.75</host><status>online</status><id> rwclient</id>
</lease>
<lease>
<host>10.75.4.54</host><status>offline</status><id> rwclient</id>
</lease>

Best regards
Lars Alex Pedersen
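
As an added illustration (not part of this thread, and not strongSwan code), the following Python script parses output in the shape of the `ipsec stroke leases` listing quoted above and reports every identity that holds more than one lease, split by online/offline status. The sample XML embedded in it is constructed for the example (a complete, well-formed pool with one client in exactly the "two leases, one online and one offline" state described above); the element names mirror the quoted listing, and the assumption that the real listing is well-formed XML with that exact structure is the script's own, not something the thread confirms.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of the `ipsec stroke leases` listing quoted in
# the thread (not a real capture): one pool, the identity "rwclient" holding an
# online and an offline lease at once, and a second identity with a single lease.
SAMPLE_LEASES_XML = """<leases>
<pool>
<name>10.75.4.0/22</name><size>1022</size><usage>3</usage><online>2</online>
<lease>
<host>10.75.4.75</host><status>online</status><id> rwclient</id>
</lease>
<lease>
<host>10.75.4.54</host><status>offline</status><id> rwclient</id>
</lease>
<lease>
<host>10.75.4.10</host><status>online</status><id>othercl</id>
</lease>
</pool>
</leases>
"""


def parse_leases(xml_text):
    """Parse the listing into a list of pools.

    Each pool is a dict with name, size, usage, online and a list of
    (host, status, identity) tuples. Assumes the well-formed XML shape above.
    """
    root = ET.fromstring(xml_text)
    pools = []
    for pool in root.findall("pool"):
        entry = {
            "name": pool.findtext("name"),
            "size": int(pool.findtext("size")),
            "usage": int(pool.findtext("usage")),
            "online": int(pool.findtext("online")),
            "leases": [],
        }
        for lease in pool.findall("lease"):
            entry["leases"].append((
                lease.findtext("host"),
                lease.findtext("status"),
                # the quoted listing prints the identity with a leading space
                lease.findtext("id").strip(),
            ))
        pools.append(entry)
    return pools


def leases_by_id(pools):
    """Group every lease across all pools by the client identity."""
    by_id = defaultdict(list)
    for pool in pools:
        for host, status, ident in pool["leases"]:
            by_id[ident].append((pool["name"], host, status))
    return dict(by_id)


def clients_with_multiple_leases(pools):
    """Identities holding more than one address.

    A mixed online/offline pair for one identity is the symptom described in
    the thread: the client flips between the two addresses on reauthentication.
    """
    return {ident: leases
            for ident, leases in leases_by_id(pools).items()
            if len(leases) > 1}


def offline_ratio(pool):
    """Share of used addresses that are offline leases (reused only once the pool fills)."""
    if pool["usage"] == 0:
        return 0.0
    return (pool["usage"] - pool["online"]) / pool["usage"]


if __name__ == "__main__":
    pools = parse_leases(SAMPLE_LEASES_XML)
    for pool in pools:
        print(f"pool {pool['name']}: {pool['usage']}/{pool['size']} used, "
              f"{pool['online']} online, offline ratio {offline_ratio(pool):.2f}")
    for ident, leases in clients_with_multiple_leases(pools).items():
        states = ", ".join(f"{host} ({status})" for _, host, status in leases)
        print(f"{ident} holds {len(leases)} leases: {states}")
```

Run on a saved listing with `python3 leases_check.py < leases.xml` after swapping the embedded sample for `sys.stdin.read()`; an identity that shows up with one online and one offline lease is the case to correlate with the client's reauthentication timing and with whether `make_before_break` is enabled in the `charon` section of strongswan.conf, as suggested earlier in the thread.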


-----Original Message-----
From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml at thermi.consulting]

Sent: 10. juni 2017 13:51
To: Lars Alex Pedersen <laa at kamstrup.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] roadwarrior IKEv2 PSK reauthentication issue

Hello Lars,

You need to run `ipsec stroke leases` on the host that assigns the virtual
IPs.

Kind regards

Noel


On 10.06.2017 08:08, Lars Alex Pedersen wrote:
> Thanks for your response.
> 
> We have looked into make-before-break and somehow decided to not use 
> it, so I'll look into that again. Ipsec stroke leases gives a "no 
> pools found" on a strongswan 5.3.5. We are using following ipsec.conf, 
> but without TFC since it isn't supported in pfsense.
> 
> # /etc/ipsec.conf - strongSwan IPsec configuration file
> 
> config setup
>         #charondebug="cfg 4, dmn 4, ike 4, net 4"
>         charondebug="cfg 1, dmn 2, ike 1"
> 
> conn %default
>         ikelifetime=28800s
>         lifetime=10800s
>         margintime=600s
>         keyingtries=1
>         keyexchange=ikev2
>         type=tunnel
>         dpdaction=clear
>         dpddelay=900s
>         ike=aes256gcm128-sha512-ecp512bp,aes256gcm128-sha512-ecp521!
>         esp=aes256gcm128-ecp512bp,aes256gcm128-ecp521,aes128gcm128-ecp256bp!
>         authby=psk
> 
> # Configuration notes:
> # left = local, right = remote
> # leftid/rightid: ID payload exchanged during IKE (certificate: DN or subjectAltName)
> # ! in ike and esp only allow specified cipher suites (no NSA downgrade)
> # TFC: Traffic Flow Confidentiality
> # DPD: Dead Peer Detection
> 
> conn roadwarrior
>         left=192.168.248.17
>         leftid=rwclient
>         leftsourceip=%config
>         leftfirewall=no
>         right=200.100.10.1
>         rightid=roadwarriorvpn-1
>         rightsubnet=10.75.0.0/16
>         tfc=1280
>         auto=add
> 
> Best regards
> Lars Alex Pedersen
> 
> 
> 
> -----Original Message-----
> From: Noel Kuntze 
> [mailto:noel.kuntze+strongswan-users-ml at thermi.consulting]
> 
> Sent: 8. juni 2017 14:53
> To: Lars Alex Pedersen <laa at kamstrup.com>; users at lists.strongswan.org
> Subject: Re: [strongSwan] roadwarrior IKEv2 PSK reauthentication issue
> 
> 
> 
> On 07.06.2017 11:31, Lars Alex Pedersen wrote:
>> I got about 100 RW clients that are connecting to a pfsense 2.2.6 and 
>> are seeing something odd when the clients are reauthenticating IKE_SA.
>> Can anybody tell why two different virtual IPs are received within 1 
>> second? On the pfsense side I see that the same two roadwarriors are 
>> "fighting" between the two virtual IPs, so if one gets 10.75.4.75 
>> the other will get 10.75.4.54.
> 
> What's your ipsec.conf and the current pool status (`ipsec stroke leases`)?
> If you can, use make_before_break in strongswan.conf.
> 
> Kind regards
> 
> Noel
> 
> ---
> Noel Kuntze
> IT security consultant
> 
> GPG Key ID: 0x0739AD6C
> Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
> 
