[strongSwan] Dual IPSEC SA after re-auth

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Jan 11 13:27:58 CET 2018


Hi,

Use the site-to-site config for IKEv1 and two subnets from the UsableExamples page on the wiki.

Kind regards

Noel

On 04.01.2018 17:53, Loic Chabert wrote:
> Hello Strongswan list,
>
> I have trouble with an IPsec site-to-site VPN between a Cisco ASA and strongSwan version 5.5.3, Linux 3.10.0-327.10.1.el7.x86_64.
>
> With strongSwan, I want to send two subnets: 172.16.5.0/24 and 192.168.1.0/24.
> When I start strongSwan, no error, all pings pass through the IPsec tunnel and no problem.
> After 7h (probably after a re-auth), two tunnels are inserted for the same subnet. The other subnet continues to work as expected. Only one "crashes". One ping out of two has been dropped.
>
> Please find below output command of "statusall":
>
> # strongswan statusall
> Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.10.0-327.10.1.el7.x86_64, x86_64):
>   uptime: 26 hours, since Jan 03 14:53:30 2018
>   malloc: sbrk 1622016, mmap 0, used 529568, free 1092448
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
>   loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
> Listening IP addresses:
>   185.119.XXX.XXX
>   172.16.0.0
>   2a06:8bc0:XXX
>   10.8.0.1
> Connections:
>     conn-1:  185.119.XXX.YYY...46.31.ZZ.ZZ  IKEv1
>     conn-1:   local:  [185.119.XXX.YYY] uses pre-shared key authentication
>     conn-1:   remote: [46.31.ZZ.ZZ] uses pre-shared key authentication
>     conn-1:   child:  192.168.1.0/24 === 10.2.1.192/29 TUNNEL
>     conn-2:   child:  172.16.5.0/24 === 10.2.1.192/29 TUNNEL
> Security Associations (1 up, 0 connecting):
>     conn-1[7]: ESTABLISHED 2 hours ago, 185.119.XXX.YYY[185.119.XXX.YYY]...46.31.ZZ.ZZ[46.31.ZZ.ZZ]
>     conn-1[7]: IKEv1 SPIs: f8490bafd768b806_i* 86c5c1b6cb09c905_r, pre-shared key reauthentication in 5 hours
>     conn-1[7]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>     conn-2{817}:  INSTALLED, TUNNEL, reqid 71, ESP SPIs: c70f39e7_i 474d86cc_o
>     conn-2{817}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 65021 bytes_i (1413 pkts, 27s ago), 1535741 bytes_o (3046 pkts, 27s ago), rekeying in 6 hours
>     conn-2{817}:   172.16.5.0/24 === 10.2.1.192/29
>     conn-1{867}:  INSTALLED, TUNNEL, reqid 69, ESP SPIs: cf6a0fee_i 4d77c585_o
>     conn-1{867}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 6 hours
>     conn-1{867}:   192.168.1.0/24 === 10.2.1.192/29
>     conn-1{869}:  INSTALLED, TUNNEL, reqid 69, ESP SPIs: c3e3a651_i 7d5fc4f2_o
>     conn-1{869}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 4441746 bytes_i (3181 pkts, 419s ago), 54984 bytes_o (1373 pkts, 419s ago), rekeying in 6 hours
>     conn-1{869}:   192.168.1.0/24 === 10.2.1.192/29
>
> Here my configuration:
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>         # strictcrlpolicy=yes
>         charondebug="cfg 2, chd 1, dmn 1, ike 1, knl 1, net 1"
>         # uniqueids = no
>
> # Add connections here.
>
> # Sample VPN connections
> conn conn-1
>     auto=start
>     rightsubnet=192.168.1.0/24
>     authby=secret
>     compress=no
>     closeaction=restart
>     mobike=no
>     keyexchange=ikev1
>     keyingtries=1
>     rekeymargin=3m
>     ike=aes256-sha-modp1536
>     esp=aes256-sha-modp1024
>     ikelifetime=28800s
>     lifetime=28800s
>     left=46.31.ZZ.ZZ
>     right=185.119.XXX.YYY
>     leftsubnet=10.2.1.192/29
>     leftid=46.31.ZZ.ZZ
>     rightid=185.119.XXX.YYY
>
> conn conn-2
>     auto=start
>     rightsubnet=172.16.5.0/24
>     authby=secret
>     compress=no
>     closeaction=restart
>     mobike=no
>     rekeymargin=3m
>     keyexchange=ikev1
>     ike=aes256-sha-modp1536
>     esp=aes256-sha-modp1024
>     ikelifetime=28800s
>     keyingtries=1
>     lifetime=28800s
>     left=46.31.ZZ.ZZ
>     right=185.119.XXX.YYY
>     leftsubnet=10.2.1.192/29
>     leftid=46.31.ZZ.ZZ
>
> If I set rightsubnet with the two subnets separated by a comma, only one subnet out of the two is UP.
> I have disabled the cisco_unity plugin (same behaviour if this plugin is enabled).
>
> Do you have any hint to mount an IPsec site-to-site, with two subnets, that keeps working even after a rekey or reauth?
> Can any logging lines help me?
>
> Thanks in advance,
> Regards.
> -- 
>
> Loïc CHABERT - Technical Manager
> Voxity - Free your Telecoms
>
> 85 Rue des Alliés 38100 Grenoble
> Tel : 0975181257 - Fax : 04.816.801.14
> Email : loic.chabert at voxity.fr
>
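The duplicated conn-1 CHILD_SA in the statusall output quoted above (two {...} entries for 192.168.1.0/24 === 10.2.1.192/29 under the same reqid, one of them carrying no traffic) is the kind of state a monitoring check can flag before users notice every second ping failing. The following Python parser is an added example, not code from the original mail or from the strongSwan project; it reads a constructed statusall excerpt modelled on the one above and reports traffic selectors installed more than once per conn, marking the SAs that have carried no bytes in either direction.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the "strongswan statusall" excerpt quoted above
# (same SPIs, reqids and traffic selectors; the header lines are trimmed).
SAMPLE_STATUSALL = """\
    conn-1[7]: ESTABLISHED 2 hours ago, 185.119.XXX.YYY[185.119.XXX.YYY]...46.31.ZZ.ZZ[46.31.ZZ.ZZ]
    conn-2{817}:  INSTALLED, TUNNEL, reqid 71, ESP SPIs: c70f39e7_i 474d86cc_o
    conn-2{817}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 65021 bytes_i (1413 pkts, 27s ago), 1535741 bytes_o (3046 pkts, 27s ago), rekeying in 6 hours
    conn-2{817}:   172.16.5.0/24 === 10.2.1.192/29
    conn-1{867}:  INSTALLED, TUNNEL, reqid 69, ESP SPIs: cf6a0fee_i 4d77c585_o
    conn-1{867}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 6 hours
    conn-1{867}:   192.168.1.0/24 === 10.2.1.192/29
    conn-1{869}:  INSTALLED, TUNNEL, reqid 69, ESP SPIs: c3e3a651_i 7d5fc4f2_o
    conn-1{869}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 4441746 bytes_i (3181 pkts, 419s ago), 54984 bytes_o (1373 pkts, 419s ago), rekeying in 6 hours
    conn-1{869}:   192.168.1.0/24 === 10.2.1.192/29
"""

# Only CHILD_SA lines carry "{uid}"; IKE_SA lines carry "[uid]" and do not match.
CHILD_LINE = re.compile(r"^\s*(?P<conn>[\w.-]+)\{(?P<uid>\d+)\}:\s+(?P<rest>.*)$")

def parse_child_sas(text):
    """Return {uid: {conn, reqid, bytes_in, bytes_out, selectors}} for every CHILD_SA."""
    sas = {}
    for m in filter(None, map(CHILD_LINE.match, text.splitlines())):
        uid, rest = int(m["uid"]), m["rest"]
        sa = sas.setdefault(uid, {"conn": m["conn"], "reqid": None,
                                  "bytes_in": 0, "bytes_out": 0, "selectors": None})
        if rest.startswith("INSTALLED"):          # first line: state, reqid, SPIs
            sa["reqid"] = int(re.search(r"reqid (\d+)", rest).group(1))
        elif "bytes_i" in rest:                   # second line: algorithms and counters
            sa["bytes_in"] = int(re.search(r"(\d+) bytes_i", rest).group(1))
            sa["bytes_out"] = int(re.search(r"(\d+) bytes_o", rest).group(1))
        elif "===" in rest:                       # third line: "local_ts === remote_ts"
            sa["selectors"] = tuple(s.strip() for s in rest.split("==="))
    return sas

def find_duplicate_child_sas(sas):
    """Report (conn, selectors, [uids], [idle uids]) where one selector pair is installed more than once."""
    groups = defaultdict(list)
    for uid, sa in sas.items():
        groups[(sa["conn"], sa["selectors"])].append((uid, sa))
    dups = []
    for (conn, sel), members in groups.items():
        if len(members) > 1:                      # same conn and selectors, several SAs
            idle = [u for u, sa in members if sa["bytes_in"] == 0 and sa["bytes_out"] == 0]
            dups.append((conn, sel, sorted(u for u, _ in members), idle))
    return dups
```

Feeding it the real `strongswan statusall` output after a re-auth (via a cron job or a check script) gives a concrete alert condition for the symptom described in the mail.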


