[strongSwan] IKEv1 reauth problem is met when working with Aruba controller

曹昊阳 caohaoyang at gmail.com
Thu Nov 16 03:51:31 CET 2017


Hi,

I tried to make strongSwan work in road warrior mode against the VPN server
integrated in an Aruba controller. The tunnel is established successfully and
the communication is OK, but I found that the tunnel is shut down after IKE
re-authentication.
After some study, I found that after msg MM6 strongSwan waits for the
TRANSACTION exchange carrying the XAUTH request and Aruba never sends it; after
the timeout strongSwan relaunches IKE Main Mode, but Aruba does not answer that either.

From strongSwan's log, it shows:

Nov  9 15:29:39 localhost charon: 07[IKE] reauthenticating IKE_SA str1[1]
Nov  9 15:29:39 localhost charon: 07[IKE] installing new virtual IP 99.99.99.91
Nov  9 15:29:39 localhost charon: 07[IKE] initiating Main Mode IKE_SA str1[3] to 10.4.30.200
Nov  9 15:29:39 localhost charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Nov  9 15:29:39 localhost charon: 07[NET] sending packet: from 30.1.1.22[500] to 10.4.30.200[500] (240 bytes)
Nov  9 15:29:39 localhost charon: 05[NET] received packet: from 10.4.30.200[500] to 30.1.1.22[500] (200 bytes)
Nov  9 15:29:39 localhost charon: 05[ENC] parsed ID_PROT response 0 [ SA V V V V V V ]
Nov  9 15:29:39 localhost charon: 05[IKE] received FRAGMENTATION vendor ID
Nov  9 15:29:39 localhost charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Nov  9 15:29:39 localhost charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Nov  9 15:29:39 localhost charon: 05[IKE] received DPD vendor ID
Nov  9 15:29:39 localhost charon: 05[IKE] received XAuth vendor ID
Nov  9 15:29:39 localhost charon: 05[IKE] received Cisco Unity vendor ID
Nov  9 15:29:39 localhost charon: 05[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Nov  9 15:29:39 localhost charon: 05[NET] sending packet: from 30.1.1.22[500] to 10.4.30.200[500] (372 bytes)
Nov  9 15:29:39 localhost charon: 09[NET] received packet: from 10.4.30.200[500] to 30.1.1.22[500] (372 bytes)
Nov  9 15:29:39 localhost charon: 09[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Nov  9 15:29:39 localhost charon: 09[ENC] generating ID_PROT request 0 [ ID HASH ]
Nov  9 15:29:39 localhost charon: 09[NET] sending packet: from 30.1.1.22[500] to 10.4.30.200[500] (76 bytes)
Nov  9 15:29:39 localhost charon: 10[NET] received packet: from 10.4.30.200[500] to 30.1.1.22[500] (76 bytes)
Nov  9 15:29:39 localhost charon: 10[ENC] parsed ID_PROT response 0 [ ID HASH ]
Nov  9 15:30:09 localhost charon: 13[JOB] peer did not initiate expected exchange, reestablishing IKE_SA
Nov  9 15:30:09 localhost charon: 13[IKE] reinitiating IKE_SA str1[3]
Nov  9 15:30:09 localhost charon: 13[IKE] initiating Main Mode IKE_SA str1[3] to 10.4.30.200
Nov  9 15:30:09 localhost charon: 13[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Nov  9 15:30:09 localhost charon: 13[NET] sending packet: from 30.1.1.22[500] to 10.4.30.200[500] (240 bytes)

I checked this with Aruba support and their answer is that the reauth for
XAUTH is not necessary and that they only accept reauthentication when msg
MM5 includes INITIAL-CONTACT, which I think is not a correct solution
because it will result in a new virtual IP address being assigned to my VPN client.

I searched Google and it seems there are some VPN clients, like the one in
iOS/macOS, that work well with the Aruba solution and do not mandatorily require
XAUTH authentication when doing IKE reauthentication. I fully
understand that strongSwan insists on redoing the authentication for
security reasons.
https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients

My request is whether it would be possible for strongSwan to provide a
configurable option to allow skipping XAUTH authentication during IKE
reauthentication?

Thanks in advance.

-- 
Best Regards,

Haoyang CAO
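As an added example (not code from the post or from the strongSwan project), a small log checker that reproduces the diagnosis above over charon syslog lines: it tracks the Main Mode (ID_PROT) request/response pairs of each initiated IKE_SA, treats the six-message exchange as complete once MM5 has been sent and MM6 parsed, and reports an IKE_SA as stalled when charon logs "peer did not initiate expected exchange" without any TRANSACTION (XAuth) message in between. The stalled sample is the log quoted in the post, unwrapped; the contrasting healthy case, including the exact wording of its TRANSACTION/CPRQ lines, is constructed and assumed.

```python
"""Flag strongSwan (charon) IKEv1 reauthentications that complete Main Mode
but never receive the responder-initiated XAuth TRANSACTION exchange.

Added example, not strongSwan code. STALLED_LOG is the post's log, unwrapped;
HEALTHY_LOG and its TRANSACTION line format are constructed assumptions.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ charon: '
    r'(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$')
SA_RE = re.compile(r'(?:initiating Main Mode IKE_SA|reinitiating IKE_SA) (\S+)')
# First payload of an ID_PROT message tells which Main Mode pair it belongs to.
MM_STAGE = {'SA': 'MM1/MM2', 'KE': 'MM3/MM4', 'ID': 'MM5/MM6'}


def parse_line(line):
    """Return (timestamp, log group, message) or None for non-charon lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults it, which is fine for deltas
    ts = datetime.strptime(' '.join(m['ts'].split()), '%b %d %H:%M:%S')
    return ts, m['group'], m['msg']


def analyze(lines):
    """Return one finding per IKE_SA whose Main Mode finished without XAuth."""
    findings = []
    sa = None        # state of the IKE_SA currently being (re)initiated
    reauth = False   # did a 'reauthenticating IKE_SA' line precede it?
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, _group, msg = parsed
        if msg.startswith('reauthenticating IKE_SA'):
            reauth = True
            continue
        m = SA_RE.match(msg)
        if m:
            sa = {'name': m.group(1), 'reauth': reauth, 'stages': [],
                  'last_mm': None, 'xauth': False}
            continue
        if sa is None:
            continue
        m = re.match(r'(generating|parsed) ID_PROT (request|response) \d+ \[ (\w+)', msg)
        if m:
            sa['stages'].append(MM_STAGE.get(m.group(3), m.group(3)))
            sa['last_mm'] = ts
            continue
        if 'TRANSACTION' in msg:   # XAuth runs inside an ISAKMP TRANSACTION exchange
            sa['xauth'] = True
            continue
        if msg.startswith('peer did not initiate expected exchange'):
            mm_done = sa['stages'].count('MM5/MM6') == 2   # MM5 sent and MM6 received
            if mm_done and not sa['xauth']:
                findings.append({
                    'ike_sa': sa['name'],
                    'after_reauth': sa['reauth'],
                    'waited_s': (ts - sa['last_mm']).total_seconds(),
                })
            sa = None
    return findings


# Lines quoted from the post above, unwrapped (NET and vendor ID lines omitted).
STALLED_LOG = """\
Nov  9 15:29:39 localhost charon: 07[IKE] reauthenticating IKE_SA str1[1]
Nov  9 15:29:39 localhost charon: 07[IKE] installing new virtual IP 99.99.99.91
Nov  9 15:29:39 localhost charon: 07[IKE] initiating Main Mode IKE_SA str1[3] to 10.4.30.200
Nov  9 15:29:39 localhost charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Nov  9 15:29:39 localhost charon: 05[ENC] parsed ID_PROT response 0 [ SA V V V V V V ]
Nov  9 15:29:39 localhost charon: 05[IKE] received XAuth vendor ID
Nov  9 15:29:39 localhost charon: 05[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Nov  9 15:29:39 localhost charon: 09[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Nov  9 15:29:39 localhost charon: 09[ENC] generating ID_PROT request 0 [ ID HASH ]
Nov  9 15:29:39 localhost charon: 10[ENC] parsed ID_PROT response 0 [ ID HASH ]
Nov  9 15:30:09 localhost charon: 13[JOB] peer did not initiate expected exchange, reestablishing IKE_SA
Nov  9 15:30:09 localhost charon: 13[IKE] reinitiating IKE_SA str1[3]
""".splitlines()

# Constructed contrast case (assumed line format): the responder does start XAuth after MM6.
HEALTHY_LOG = STALLED_LOG[:10] + [
    "Nov  9 15:29:39 localhost charon: 11[ENC] parsed TRANSACTION request 0 [ HASH CPRQ(X_USER X_PWD) ]",
    "Nov  9 15:29:39 localhost charon: 11[ENC] generating TRANSACTION response 0 [ HASH CPRP(X_USER X_PWD) ]",
]

if __name__ == '__main__':
    for f in analyze(STALLED_LOG):
        print(f"{f['ike_sa']}: Main Mode completed, no XAuth from responder, "
              f"waited {f['waited_s']:.0f}s (after reauth: {f['after_reauth']})")
    print('healthy sample findings:', analyze(HEALTHY_LOG))
```

Run against the post's log it reports str1[3] as stalled 30 s after MM6 with no TRANSACTION exchange, which is exactly the symptom described; on the constructed healthy sample it reports nothing. Feeding it a longer charon log (with NET lines left in) works unchanged, since only ID_PROT, TRANSACTION and the reestablish message drive the state.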