[strongSwan] Issue with IKE_SA rekey towards Cisco

Henrik Juul Pedersen hjp at liab.dk
Wed Jan 10 16:44:16 CET 2018


Hi StrongSwan community,

I'm implementing a VPN based on StrongSwan for the client side (an
embedded Linux board) for a customer. Currently we are testing against
a Cisco ASA5506.

Our requirements:
 - Clients must be able to uniquely identify themselves
 - Clients have unique passwords generated from secrets known in both ends.
 - Clients must get IP and DNS information from the concentrator
 - Clients must function behind NAT

We have implemented it with IKEv1 and XAUTH, we use a secret shared
between all clients for the first stage IKE_SA, and we use a generated
password and a unique username for XAUTH.

The clients connect and are able to rekey CHILD_SA on expiry every
hour, but when reauthenticating IKE_SA after 4 hours, some
miscommunication results in loss of connection.

I can't disclose the customer, or their application, but I've supplied
sanitized configuration and log files, which should show the setup
and the runtime results. If I've removed some important context please
let me know, and I'll try and present the needed information.

We have enabled 'cisco_unity' in charon.conf, and for testing we have
enabled 'i_dont_care_about_security_and_use_aggressive_mode_psk', so
this shouldn't be the thing stopping us.

We have tested the setup with a Shrew Soft client on a Windows
machine, which seems to be able to keep the connection alive
indefinitely (possibly with minor interruptions - we haven't been able
to test with a long-running connection on Windows).

These logs are made from a Linux PC with newest available StrongSwan client:
 - IKE charon daemon (strongSwan 5.6.1, Linux 4.14.10-1-ARCH, x86_64)

We are not using swanctl as that isn't the default for our embedded
target. We control StrongSwan using the ipsec script.

I've tried to follow
"https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests",
and have supplied full (sanitized) log files as MIME attachments.
Please let me know if you prefer them externally hosted, or supplied
inline in future communication.

I hope some of you have an idea of what the issue might be. I'm sure
we've just made some misconfiguration.

Thank you in advance,
Best regards
Henrik Juul Pedersen
LIAB ApS
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cisco-config-clean.out
Type: application/octet-stream
Size: 13431 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180110/1c62da8b/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rekey-issue-clean.log
Type: text/x-log
Size: 51192 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180110/1c62da8b/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rekey-issue-ipsec-clean.conf
Type: application/octet-stream
Size: 525 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180110/1c62da8b/attachment-0005.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rekey-issue-ipsec-clean.secrets
Type: application/octet-stream
Size: 115 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180110/1c62da8b/attachment-0006.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: charon.conf
Type: application/octet-stream
Size: 10790 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180110/1c62da8b/attachment-0007.obj>
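The attachments above are scrubbed from the archive, so the configuration the post describes is reconstructed here as an added illustration by the editor, not the poster's sanitized files: an IKEv1 aggressive-mode PSK connection with XAUTH (shared group secret for phase 1, per-client XAUTH username and password), virtual IP and DNS requested from the concentrator, and the lifetime settings that put CHILD_SA rekeying at one hour and IKE_SA expiry at four hours. All hostnames, identities, secrets and lifetimes are placeholders; the comments mark which strongSwan behaviour the post's symptom depends on.

```ini
# --- ipsec.conf --------------------------------------------------------------
# Constructed example (not the poster's attachment); values are placeholders.
config setup
    # With uniqueids=yes charon replaces an existing IKE_SA for the same
    # identity. Relevant during reauthentication, when old and new SAs
    # briefly overlap; check the log for "deleting duplicate IKE_SA".
    uniqueids=yes

conn cisco-asa
    keyexchange=ikev1
    # Aggressive mode with PSK, as the post describes. charon refuses this
    # combination unless i_dont_care_about_security_and_use_aggressive_mode_psk
    # is set in charon.conf (below), because the PSK-based authentication hash
    # travels unencrypted and can be attacked offline.
    aggressive=yes
    authby=xauthpsk
    left=%defaultroute
    # Group identity shared by all clients for phase 1 (placeholder)
    leftid=@vpn-group
    # Per-client XAUTH username (placeholder); the password is in ipsec.secrets
    xauth_identity=client-0001
    # Request a virtual IP and DNS servers from the concentrator; the
    # Cisco-style attributes require charon.cisco_unity = yes (below)
    leftsourceip=%config
    right=asa.example.com
    rightsubnet=0.0.0.0/0
    # IKEv1 has no IKE_SA rekey without reauthentication: when ikelifetime
    # expires charon always builds a new IKE_SA from scratch, including the
    # XAUTH exchange, regardless of the reauth= setting. This is the point
    # the post reports as failing after four hours.
    ikelifetime=4h
    # CHILD_SA lifetime; this is the hourly rekey the post says works
    lifetime=1h
    margintime=3m
    rekeyfuzz=100%
    # Dead peer detection: restart the connection rather than just drop it
    dpddelay=30s
    dpdaction=restart
    auto=start

# --- ipsec.secrets -----------------------------------------------------------
# Constructed example; placeholder secrets. Format: <id> : <type> "<secret>"
# Group PSK used by all clients for phase 1
# @vpn-group : PSK "group-psk-placeholder"
# Per-client XAUTH credential (generated on both ends in the post's scheme)
# client-0001 : XAUTH "per-client-password-placeholder"

# --- charon.conf (excerpt) ---------------------------------------------------
# The two options the post says are enabled.
# charon {
#     cisco_unity = yes
#     i_dont_care_about_security_and_use_aggressive_mode_psk = yes
# }
```

Because IKEv1 reauthentication is a full restart of phase 1 plus XAUTH, the ikelifetime value decides which side initiates it: whichever peer's IKE SA lifetime is shorter (after margintime and rekeyfuzz) starts the new exchange, and the other side tears down the old SA when it receives the delete. Comparing the client's effective lifetime with the lifetime configured on the ASA, and checking the charon log around the four-hour mark for which side sent the first delete, narrows down whether the new IKE_SA never completed or the old CHILD_SAs were removed before the replacement was installed.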
