[strongSwan] Dual IPSEC SA after re-auth

Loic Chabert loic.chabert at voxity.fr
Thu Jan 4 17:53:12 CET 2018 

Hello Strongswan list,

I have a trouble with an IPSEC site-to-site VPN from a Cisco ASA and
strongswan version 5.5.3, Linux 3.10.0-327.10.1.el7.x86_64.

With Strongwan, i want to send two subnet: 172.16.5.0/24 and 192.168.1.0/24.
When i start strongswan, no error, all ping pass throught ipsec tunnel and
no problem.
After 7h (probably after a re-auth), two tunnels are inserted for the same
subnet. The other subnet continue to work as expected. Only one "crash".
One ping over two has been drop.

Please find below output command of "statusall":













*#strongswan statusallStatus of IKE charon daemon (strongSwan 5.5.3, Linux
3.10.0-327.10.1.el7.x86_64, x86_64):  uptime: 26 hours, since Jan 03
14:53:30 2018  malloc: sbrk 1622016, mmap 0, used 529568, free 1092448
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 8  loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random
nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr
ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici
updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap
xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unityListening IP
addresses:  185.119.XXX.XXX  172.16.0.0  2a06:8bc0:XXX
10.8.0.1Connections:    conn-1:  *
*185.119.XXX.YYY...46.31.ZZ.ZZ  IKEv1    **conn-1:   local:  [*
*185.119.XXX.YYY.] uses pre-shared key authentication    **conn-1:
remote: [*
*46.31.ZZ.ZZ] uses pre-shared key authentication    *
*conn-1:   child:  192.168.1.0/24 <http://192.168.1.0/24> === 10.2.1.192/29
<http://10.2.1.192/29> TUNNEL    *

*conn-2:   child:  172.16.5.0/24 <http://172.16.5.0/24> === 10.2.1.192/29
<http://10.2.1.192/29> TUNNELSecurity Associations (1 up, 0 connecting):
**conn-1[7]: ESTABLISHED 2 hours ago, **185.119.XXX.YYY.[*
*185.119.XXX.YYY.]...**46.31.ZZ.ZZ[*
*46.31.ZZ.ZZ]    *
*conn-1[7]: IKEv1 SPIs: f8490bafd768b806_i* 86c5c1b6cb09c905_r, pre-shared
key reauthentication in 5 hours    *
*conn-1[7]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536    *
*conn-2{817}:  INSTALLED, TUNNEL, reqid 71, ESP SPIs: c70f39e7_i
474d86cc_o    *
*conn-2{817}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 65021 bytes_i (1413
pkts, 27s ago), 1535741 bytes_o (3046 pkts, 27s ago), rekeying in 6
hours    *
*conn-2{817}:   172.16.5.0/24 <http://172.16.5.0/24> === 10.2.1.192/29
<http://10.2.1.192/29>    *
*conn-1{867}:  INSTALLED, TUNNEL, reqid 69, ESP SPIs: cf6a0fee_i
4d77c585_o    *
*conn-1{867}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 0 bytes_o,
rekeying in 6 hours    *
*conn-1{867}:   192.168.1.0/24 <http://192.168.1.0/24> === 10.2.1.192/29
<http://10.2.1.192/29>    *
*conn-1{869}:  INSTALLED, TUNNEL, reqid 69, ESP SPIs: c3e3a651_i
7d5fc4f2_o    *
*conn-1{869}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 4441746 bytes_i (3181
pkts, 419s ago), 54984 bytes_o (1373 pkts, 419s ago), rekeying in 6
hours    *

*conn-1{869}:   192.168.1.0/24 <http://192.168.1.0/24> === 10.2.1.192/29
<http://10.2.1.192/29>*

Here my configuration:


















































*# ipsec.conf - strongSwan IPsec configuration file# basic
configurationconfig setup        # strictcrlpolicy=yes
charondebug="cfg 2, chd 1, dmn 1, ike 1, knl 1, net 1"        # uniqueids =
no# Add connections here.# Sample VPN connectionsconn conn--1
auto=start    rightsubnet=192.168.1.0/24 <http://192.168.1.0/24>
authby=secret    compress=no    closeaction=restart    mobike=no
keyexchange=ikev1    keyingtries=1    rekeymargin=3m
ike=aes256-sha-modp1536    esp=aes256-sha-modp1024    ikelifetime=28800s
lifetime=28800s    left=46.31.ZZ.ZZ    right=185.119.XXX.YYY
leftsubnet=10.2.1.192/29 <http://10.2.1.192/29>    leftid=46.31.ZZ.ZZ
rightid=185.119.XXX.YYYconn conn-2    auto=start
rightsubnet=172.16.5.0/24 <http://172.16.5.0/24>    authby=secret
compress=no    closeaction=restart    mobike=no    rekeymargin=3m
keyexchange=ikev1    ike=aes256-sha-modp1536    esp=aes256-sha-modp1024
ikelifetime=28800s    keyingtries=1    lifetime=28800s
left=46.31.ZZ.ZZ    right=185.119.XXX.YYY    leftsubnet=10.2.1.192/29
<http://10.2.1.192/29>    leftid=46.31.ZZ.ZZ*


If i set rightsubnet, separared by a comma, only one subnet over two is UP.
I have disable cisco_unity plugin (same behaviour if this plugin is
enabled).

Do you have any hint to mount an IPSEC site-to-site, with two subnet,
working even after a rekey or reauth ?
Any logging lines can help me ?

Thanks in advance,
Regards.
-- 

*Loïc CHABERT - Responsable technique*

*Voxity - Libérez vos Télécoms*

85 Rue des Alliés 38100 Grenoble
Tel : 0975181257 - Fax : 04.816.801.14
Email : loic.chabert at voxity.fr <jp.ramoul at voxity.fr>
Restons connectés : Site Web <http://www.voxity.fr> - Twitter
<http://twitter.com/voxity> - Facebook <http://www.facebook.com/voxity> - L
inkedIn <https://www.linkedin.com/profile/view?id=25351096>
*Nouveau !* Découvrez Voxity en vidéo : Youtube
<https://www.youtube.com/watch?v=nUVL5fTNmVU>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180104/d93f0668/attachment.html>

More information about the Users mailing list