[strongSwan] roadwarrior IKEv2 PSK reauthentication issue

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Jun 12 21:44:44 CEST 2017


Hi Lars,

> $ ipsec stroke leases
> <leases>
> <pool>
> <name>10.75.4.0/22</name><size>1022</size><usage>78</usage><online>72</online>
> <lease>
> <host>10.75.4.75</host><status>online</status><id> rwclient</id>
> </lease>
> <lease>
> <host>10.75.4.54</host><status>offline</status><id> rwclient</id>
> </lease>

If there are two clients with the same ID, change the ID of one of them.
If there's actually just one and you use an SQL-backed pool, you can delete the record of one of them using `ipsec pools`.

Kind regards

Noel


On 12.06.2017 10:15, Lars Alex Pedersen wrote:
> The output looks something like this. So my original statement isn't quite
> true since it looks like the rwclient got both an offline and an online
> lease and flips between the IP addresses during a reauth. So basically a
> client will "hold" two virtual IPs (I know that the offline IPs will be
> used when the pool is filled).
> 
> $ ipsec stroke leases
> <leases>
> <pool>
> <name>10.75.4.0/22</name><size>1022</size><usage>78</usage><online>72</online>
> <lease>
> <host>10.75.4.75</host><status>online</status><id> rwclient</id>
> </lease>
> <lease>
> <host>10.75.4.54</host><status>offline</status><id> rwclient</id>
> </lease>
> 
> Best regards
> Lars Alex Pedersen
> 
> 
> -----Original Message-----
> From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml at thermi.consulting]
> 
> Sent: 10. juni 2017 13:51
> To: Lars Alex Pedersen <laa at kamstrup.com>; users at lists.strongswan.org
> Subject: Re: [strongSwan] roadwarrior IKEv2 PSK reauthentication issue
> 
> Hello Lars,
> 
> You need to run `ipsec stroke leases` on the host that assigns the virtual
> IPs.
> 
> Kind regards
> 
> Noel
> 
> 
> On 10.06.2017 08:08, Lars Alex Pedersen wrote:
>> Thanks for your response.
>>
>> We have looked into make-before-break and somehow decided to not use 
>> it, so I'll look into that again. `ipsec stroke leases` gives a "no 
>> pools found" on a strongSwan 5.3.5. We are using the following ipsec.conf, 
>> but without TFC since it isn't supported in pfSense.
>>
>> # /etc/ipsec.conf - strongSwan IPsec configuration file
>>
>> config setup
>>         #charondebug="cfg 4, dmn 4, ike 4, net 4"
>>         charondebug="cfg 1, dmn 2, ike 1"
>>
>> conn %default
>>         ikelifetime=28800s
>>         lifetime=10800s
>>         margintime=600s
>>         keyingtries=1
>>         keyexchange=ikev2
>>         type=tunnel
>>         dpdaction=clear
>>         dpddelay=900s
>>         ike=aes256gcm128-sha512-ecp512bp,aes256gcm128-sha512-ecp521!
>>         esp=aes256gcm128-ecp512bp,aes256gcm128-ecp521,aes128gcm128-ecp256bp!
>>         authby=psk
>>
>> # Configuration notes:
>> # left = local, right = remote
>> # leftid/rightid: ID payload exchanged during IKE (certificate: DN or subjectAltName)
>> # ! in ike and esp only allow specified cypher suites (no NSA downgrade)
>> # TFC: Traffic Flow Confidentiality
>> # DPD: Dead Peer Detection
>>
>> conn roadwarrior
>>         left=192.168.248.17
>>         leftid=rwclient
>>         leftsourceip=%config
>>         leftfirewall=no
>>         right=200.100.10.1
>>         rightid=roadwarriorvpn-1
>>         rightsubnet=10.75.0.0/16
>>         tfc=1280
>>         auto=add
>>
>> Best regards
>> Lars Alex Pedersen
>>
>>
>>
>> -----Original Message-----
>> From: Noel Kuntze 
>> [mailto:noel.kuntze+strongswan-users-ml at thermi.consulting]
>>
>> Sent: 8. juni 2017 14:53
>> To: Lars Alex Pedersen <laa at kamstrup.com>; users at lists.strongswan.org
>> Subject: Re: [strongSwan] roadwarrior IKEv2 PSK reauthentication issue
>>
>>
>>
>> On 07.06.2017 11:31, Lars Alex Pedersen wrote:
>>> I got about 100 RW clients that are connecting to a pfsense 2.2.6 and 
>>> are seeing something odd when the clients are reauthenticating IKE_SA.
>>> Can anybody tell why two different virtual IPs are received within 1 
>>> second? On the pfSense side I see that the same two roadwarriors are 
>>> "fighting" over the two virtual IPs, so if one gets 10.75.4.75 
>>> the other will get 10.75.4.54.
>> What's your ipsec.conf and the current pool status (`ipsec stroke leases`)?
>> If you can, use make_before_break in strongswan.conf.
>>
>> Kind regards
>>
>> Noel
>>
>> ---
>> Noel Kuntze
>> IT security consultant
>>
>> GPG Key ID: 0x0739AD6C
>> Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
>>
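A small checker for the symptom discussed in this thread, added here as an example and not part of strongSwan's own tooling: it parses the XML that `ipsec stroke leases` prints and lists every peer ID that holds more than one lease in a pool (the online/offline pair that makes a client flip addresses on reauth). The sample input is constructed from the output quoted above, with one extra well-behaved lease added.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample modelled on the `ipsec stroke leases` output quoted in
# the thread: the ID "rwclient" holds both an online and an offline lease.
SAMPLE_LEASES = """<leases>
<pool>
<name>10.75.4.0/22</name><size>1022</size><usage>78</usage><online>72</online>
<lease>
<host>10.75.4.75</host><status>online</status><id> rwclient</id>
</lease>
<lease>
<host>10.75.4.54</host><status>offline</status><id> rwclient</id>
</lease>
<lease>
<host>10.75.4.10</host><status>online</status><id> otherclient</id>
</lease>
</pool>
</leases>
"""


def parse_leases(xml_text):
    """Return {pool_name: [(host, status, peer_id), ...]} from stroke's XML."""
    root = ET.fromstring(xml_text)
    pools = {}
    for pool in root.findall("pool"):
        name = pool.findtext("name", "").strip()
        entries = []
        for lease in pool.findall("lease"):
            entries.append((
                lease.findtext("host", "").strip(),
                lease.findtext("status", "").strip(),
                lease.findtext("id", "").strip(),  # stroke prints a leading space
            ))
        pools[name] = entries
    return pools


def find_duplicate_ids(pools):
    """Map pool -> {peer_id: [(host, status), ...]} for IDs holding >1 lease."""
    result = {}
    for name, entries in pools.items():
        by_id = defaultdict(list)
        for host, status, peer_id in entries:
            by_id[peer_id].append((host, status))
        dups = {pid: hs for pid, hs in by_id.items() if len(hs) > 1}
        if dups:
            result[name] = dups
    return result


if __name__ == "__main__":
    for pool, dups in find_duplicate_ids(parse_leases(SAMPLE_LEASES)).items():
        for peer_id, leases in dups.items():
            print(f"pool {pool}: id '{peer_id}' holds {len(leases)} leases: {leases}")
```

To check a live gateway, replace SAMPLE_LEASES with the output of `ipsec stroke leases` captured on the host that assigns the virtual IPs; any ID listed twice is a candidate for the rename or `ipsec pools` cleanup Noel suggests.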
