[strongSwan] Dual IPSEC SA after re-auth
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Jan 11 13:27:58 CET 2018
Hi,
Use the site-to-site config for IKEv1 and two subnets from the UsableExamples page on the wiki.
Kind regards
Noel
On 04.01.2018 17:53, Loic Chabert wrote:
> Hello Strongswan list,
>
> I have a problem with an IPsec site-to-site VPN between a Cisco ASA and strongSwan version 5.5.3, Linux 3.10.0-327.10.1.el7.x86_64.
>
> With strongSwan, I want to send two subnets: 172.16.5.0/24 and 192.168.1.0/24.
> When I start strongSwan there is no error, all pings pass through the IPsec tunnel and there is no problem.
> After 7h (probably after a re-auth), two tunnels are inserted for the same subnet. The other subnet continues to work as expected. Only one "crashes". One ping out of two is dropped.
>
> Please find below the output of the "statusall" command:
>
> # strongswan statusall
> Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.10.0-327.10.1.el7.x86_64, x86_64):
> uptime: 26 hours, since Jan 03 14:53:30 2018
> malloc: sbrk 1622016, mmap 0, used 529568, free 1092448
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
> loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
> Listening IP addresses:
> 185.119.XXX.XXX
> 172.16.0.0
> 2a06:8bc0:XXX
> 10.8.0.1
> Connections:
> conn-1: 185.119.XXX.YYY...46.31.ZZ.ZZ IKEv1
> conn-1: local: [185.119.XXX.YYY] uses pre-shared key authentication
> conn-1: remote: [46.31.ZZ.ZZ] uses pre-shared key authentication
> conn-1: child: 192.168.1.0/24 === 10.2.1.192/29 TUNNEL
> conn-2: child: 172.16.5.0/24 === 10.2.1.192/29 TUNNEL
> Security Associations (1 up, 0 connecting):
> conn-1[7]: ESTABLISHED 2 hours ago, 185.119.XXX.YYY[185.119.XXX.YYY]...46.31.ZZ.ZZ[46.31.ZZ.ZZ]
> conn-1[7]: IKEv1 SPIs: f8490bafd768b806_i* 86c5c1b6cb09c905_r, pre-shared key reauthentication in 5 hours
> conn-1[7]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> conn-2{817}: INSTALLED, TUNNEL, reqid 71, ESP SPIs: c70f39e7_i 474d86cc_o
> conn-2{817}: AES_CBC_256/HMAC_SHA1_96/MODP_1024, 65021 bytes_i (1413 pkts, 27s ago), 1535741 bytes_o (3046 pkts, 27s ago), rekeying in 6 hours
> conn-2{817}: 172.16.5.0/24 === 10.2.1.192/29
> conn-1{867}: INSTALLED, TUNNEL, reqid 69, ESP SPIs: cf6a0fee_i 4d77c585_o
> conn-1{867}: AES_CBC_256/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 6 hours
> conn-1{867}: 192.168.1.0/24 === 10.2.1.192/29
> conn-1{869}: INSTALLED, TUNNEL, reqid 69, ESP SPIs: c3e3a651_i 7d5fc4f2_o
> conn-1{869}: AES_CBC_256/HMAC_SHA1_96/MODP_1024, 4441746 bytes_i (3181 pkts, 419s ago), 54984 bytes_o (1373 pkts, 419s ago), rekeying in 6 hours
> conn-1{869}: 192.168.1.0/24 === 10.2.1.192/29
>
> Here is my configuration:
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
> # strictcrlpolicy=yes
> charondebug="cfg 2, chd 1, dmn 1, ike 1, knl 1, net 1"
> # uniqueids = no
>
> # Add connections here.
>
> # Sample VPN connections
> conn conn--1
> auto=start
> rightsubnet=192.168.1.0/24
> authby=secret
> compress=no
> closeaction=restart
> mobike=no
> keyexchange=ikev1
> keyingtries=1
> rekeymargin=3m
> ike=aes256-sha-modp1536
> esp=aes256-sha-modp1024
> ikelifetime=28800s
> lifetime=28800s
> left=46.31.ZZ.ZZ
> right=185.119.XXX.YYY
> leftsubnet=10.2.1.192/29
> leftid=46.31.ZZ.ZZ
> rightid=185.119.XXX.YYY
>
> conn conn-2
> auto=start
> rightsubnet=172.16.5.0/24
> authby=secret
> compress=no
> closeaction=restart
> mobike=no
> rekeymargin=3m
> keyexchange=ikev1
> ike=aes256-sha-modp1536
> esp=aes256-sha-modp1024
> ikelifetime=28800s
> keyingtries=1
> lifetime=28800s
> left=46.31.ZZ.ZZ
> right=185.119.XXX.YYY
> leftsubnet=10.2.1.192/29
> leftid=46.31.ZZ.ZZ
>
> If I set rightsubnet to both subnets separated by a comma, only one subnet out of two is UP.
> I have disabled the cisco_unity plugin (same behaviour if this plugin is enabled).
>
> Do you have any hint for setting up an IPsec site-to-site tunnel with two subnets that keeps working even after a rekey or reauth?
> Are there any log lines that could help me?
>
> Thanks in advance,
> Regards.
> --
>
> Loïc CHABERT - Technical Manager
> Voxity - Free your Telecoms
>
> 85 Rue des Alliés 38100 Grenoble
> Tel: 0975181257 - Fax: 04.816.801.14
> Email: loic.chabert at voxity.fr
>
> Let's stay connected: Website <http://www.voxity.fr> - Twitter <http://twitter.com/voxity> - Facebook <http://www.facebook.com/voxity> - LinkedIn <https://www.linkedin.com/profile/view?id=25351096>
> New! Discover Voxity on video: Youtube <https://www.youtube.com/watch?v=nUVL5fTNmVU>
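A health check that reads statusall output like the dump quoted above and reports CHILD_SAs that duplicate each other's traffic selectors, singling out the idle copy. This is an added example, not strongSwan's or the poster's code; the line layout is assumed from the 5.5.3 output in the thread, and the sample text is constructed from it.

```python
import re
from collections import defaultdict

# Constructed sample: the CHILD_SA lines of the statusall dump quoted in the thread, formatting residue stripped.
SAMPLE = """\
conn-2{817}: INSTALLED, TUNNEL, reqid 71, ESP SPIs: c70f39e7_i 474d86cc_o
conn-2{817}: AES_CBC_256/HMAC_SHA1_96/MODP_1024, 65021 bytes_i (1413 pkts, 27s ago), 1535741 bytes_o (3046 pkts, 27s ago), rekeying in 6 hours
conn-2{817}: 172.16.5.0/24 === 10.2.1.192/29
conn-1{867}: INSTALLED, TUNNEL, reqid 69, ESP SPIs: cf6a0fee_i 4d77c585_o
conn-1{867}: AES_CBC_256/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 6 hours
conn-1{867}: 192.168.1.0/24 === 10.2.1.192/29
conn-1{869}: INSTALLED, TUNNEL, reqid 69, ESP SPIs: c3e3a651_i 7d5fc4f2_o
conn-1{869}: AES_CBC_256/HMAC_SHA1_96/MODP_1024, 4441746 bytes_i (3181 pkts, 419s ago), 54984 bytes_o (1373 pkts, 419s ago), rekeying in 6 hours
conn-1{869}: 192.168.1.0/24 === 10.2.1.192/29
"""

# Assumed line layout (taken from the 5.5.x output above): "<conn>{<id>}: <rest>". IKE_SA lines use [n] and are skipped.
_PREFIX_RE = re.compile(r"^\s*(?P<conn>[\w.-]+)\{(?P<id>\d+)\}:\s*(?P<rest>.*?)\s*$")
_STATE_RE = re.compile(r"^(?P<state>[A-Z_]+),\s+\w+,\s+reqid\s+(?P<reqid>\d+)")
_TS_RE = re.compile(r"^(?P<local>\S+)\s+===\s+(?P<remote>\S+)$")
_BYTES_RE = re.compile(r"(?P<bi>\d+) bytes_i.*?(?P<bo>\d+) bytes_o")

def parse_child_sas(text):
    """Return {child_id: {conn, state, reqid, local, remote, bytes}} parsed from statusall text."""
    sas = {}
    for line in text.splitlines():
        p = _PREFIX_RE.match(line)
        if not p:
            continue
        sa, rest = sas.setdefault(p["id"], {"conn": p["conn"]}), p["rest"]
        if m := _STATE_RE.match(rest):
            sa["state"], sa["reqid"] = m["state"], int(m["reqid"])
        elif m := _TS_RE.match(rest):
            sa["local"], sa["remote"] = m["local"], m["remote"]
        elif m := _BYTES_RE.search(rest):
            sa["bytes"] = int(m["bi"]) + int(m["bo"])  # traffic in both directions
    return sas

def find_duplicates(text):
    """(local, remote) -> sorted ids of INSTALLED CHILD_SAs, only where more than one covers the same selectors."""
    by_ts = defaultdict(list)
    for cid, sa in parse_child_sas(text).items():
        if sa.get("state") == "INSTALLED" and "local" in sa:
            by_ts[(sa["local"], sa["remote"])].append(cid)
    return {ts: sorted(ids, key=int) for ts, ids in by_ts.items() if len(ids) > 1}

def idle_duplicates(text):
    """Ids of duplicate CHILD_SAs that carried no traffic: the stale copy a health check should report."""
    sas = parse_child_sas(text)
    return sorted(c for ids in find_duplicates(text).values() for c in ids if sas[c].get("bytes", 0) == 0)
```

On the sample, find_duplicates reports {867, 869} for 192.168.1.0/24 === 10.2.1.192/29 and idle_duplicates names 867, the SA with 0 bytes in either direction; feeding it the live output of `strongswan statusall` after a re-auth turns the symptom described in the thread into a monitorable condition.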