[strongSwan] Fwd: duplicate IPSec SAs

Jeff q6ene8rmuk at gmail.com
Mon Jan 15 16:38:07 CET 2018


Andreas,

Per Noel Kuntze's suggestion, I added

charon.make_before_break=yes

to both the initiator and responder. However I still accumulated 
duplicate IPSsec child SAs.

Can you offer insight how I may fix this issue?

thanks,
Jeff Weber


-------- Forwarded Message --------
Subject: duplicate IPSec SAs
Date: Tue, 2 Jan 2018 09:36:00 -0600
From: Jeff <Q6ENe8rmUK at gmail.com>
To: strongswan users <users at lists.strongswan.org>

My ikev2 VPNs are accumulating duplicate IPSec SAs.

Here are some of my high level requirements:
* "star" architecture: single central responder, multiple initiators.
* Initiators may have dynamic or NAT'ed IPs.
* Exactly one VPN between responder and each initiator.
* Each VPN is "always up" to allow access from responder to any
initiator at any time.
* Periodic IKEv2 reauthentication is required to enforce X.509 CRLs.
* Small outages during rekey, reauth are permissible.

My config:
responder: CentOS Linux strongswan-5.5.3-1.el7.x86_64 EPEL RPM. Config 
attached.
initiators: CentOS Linux strongswan-5.5.3-1.el7.x86_64 EPEL RPM.
Config attached.

The issue: As time passes, I see multiple IPsec SAs accumulate between
responder and some initiators.

Question: How to configure for exactly one VPN between responder and
each initiator?

I suspect that adding a combination of
connections.<conn>.unique
      and
charon.make_before_break

settings will fix my issue. Currently I am using the default values for 
each.

Advice on a config change to fix duplicate IPSec SAs is requested.


thanks,
Jeff

-------------- next part --------------
# common strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
	load_modular = yes
	plugins {
		include strongswan.d/charon/*.conf
	}
}

include strongswan.d/*.conf
-------------- next part --------------
# initiator swanctl.conf
connections {
    responder {
        local {
            certs = initiatorCert.pem
            id = initiator
        }
        remote {
            certs = responderCert.pem
            id = responder
        }
        remote_addrs = x.x.x.x
        children {
            noc {
                local_ts = 10.16.0.5
                # Specify remote VPN networks
                remote_ts = 192.168.37.0/24
                # VPN is brought up upon demand.
                start_action = trap
                dpd_action = restart
            }
        }
        # Initiates a new sequence until the connection establishes
        keyingtries = 0
        reauth_time = 4h
        rekey_time = 1h
        dpd_delay = 1m
    }
}
-------------- next part --------------
# responder swanctl.conf

connections {

    # IKE (Phase 1) security association (SA).
    # Remote sites connect from anonymous IP, and present certificate signed
    # by xxx CA.
    # This generic SA may be instantiated for multiple remote peers.
    anon-certificate {
        # Local VPN transport IP
        local_addrs = x.x.x.x

        local {
            auth = pubkey
            certs = responderCert.pem
            id = responder
        }

        remote {
            auth = pubkey
        }

        children {
            # IPsec (Phase 2) security association (SA).
            site-to-site {
                # Specify the subnets to communicate across the VPNs.
                # This implements site to site VPNs.
                local_ts = 192.168.37.0/24
                #remote_ts = 10.16.0.137/32
                remote_ts = 10.0.0.0/8
                # This peer is a VPN responder and will not initiate tunnels.
                #start_action = none
                #updown = /root/updown
                dpd_action = clear
            }
        }
        # CRL enforcement requires explicit non zero authentication period.
        reauth_time = 14400
        rekey_time = 3600
        dpd_delay = 60s
    }
}

-------------- next part --------------
# Options for the charon IKE daemon.
charon {

    # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
    # accept_unencrypted_mainmode_messages = no

    # Maximum number of half-open IKE_SAs for a single peer IP.
    # block_threshold = 5

    # Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should
    # be saved under a unique file name derived from the public key of the
    # Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
    # /etc/swanctl/x509crl (vici), respectively.
    # cache_crls = no

    # Whether relations in validated certificate chains should be cached in
    # memory.
    # cert_cache = yes

    # Send Cisco Unity vendor ID payload (IKEv1 only).
    # cisco_unity = no

    # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
    # close_ike_on_child_failure = no

    # Number of half-open IKE_SAs that activate the cookie mechanism.
    # cookie_threshold = 10

    # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
    # delete_rekeyed = no

    # Delay in seconds until inbound IPsec SAs are deleted after rekeyings
    # (IKEv2 only).
    # delete_rekeyed_delay = 5

    # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
    # strength.
    # dh_exponent_ansi_x9_42 = yes

    # Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal
    # missing symbols immediately.
    # dlopen_use_rtld_now = no

    # DNS server assigned to peer via configuration payload (CP).
    #dns1 = 192.168.37.2

    # DNS server assigned to peer via configuration payload (CP).
    # dns2 =

    # Enable Denial of Service protection using cookies and aggressiveness
    # checks.
    # dos_protection = yes

    # Compliance with the errata for RFC 4753.
    # ecp_x_coordinate_only = yes

    # Free objects during authentication (might conflict with plugins).
    # flush_auth_cfg = no

    # Whether to follow IKEv2 redirects (RFC 5685).
    # follow_redirects = yes

    # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
    # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
    # to 1280 (use 0 for address family specific default values, which uses a
    # lower value for IPv4).  If specified this limit is used for both IPv4 and
    # IPv6.
    # fragment_size = 1280

    # Name of the group the daemon changes to after startup.
    # group =

    # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
    # half_open_timeout = 30

    # Enable hash and URL support.
    # hash_and_url = no

    # Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
    # i_dont_care_about_security_and_use_aggressive_mode_psk = no

    # Whether to ignore the traffic selectors from the kernel's acquire events
    # for IKEv2 connections (they are not used for IKEv1).
    # ignore_acquire_ts = no

    # A space-separated list of routing tables to be excluded from route
    # lookups.
    # ignore_routing_tables =

    # Maximum number of IKE_SAs that can be established at the same time before
    # new connection attempts are blocked.
    # ikesa_limit = 0

    # Number of exclusively locked segments in the hash table.
    # ikesa_table_segments = 1

    # Size of the IKE_SA hash table.
    # ikesa_table_size = 1

    # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
    # inactivity_close_ike = no

    # Limit new connections based on the current number of half open IKE_SAs,
    # see IKE_SA_INIT DROPPING in strongswan.conf(5).
    # init_limit_half_open = 0

    # Limit new connections based on the number of queued jobs.
    # init_limit_job_load = 0

    # Causes charon daemon to ignore IKE initiation requests.
    # initiator_only = no

    # Install routes into a separate routing table for established IPsec
    # tunnels.
    # install_routes = yes

    # Install virtual IP addresses.
    # install_virtual_ip = yes

    # The name of the interface on which virtual IP addresses should be
    # installed.
    # install_virtual_ip_on =

    # Check daemon, libstrongswan and plugin integrity at startup.
    # integrity_test = no

    # A comma-separated list of network interfaces that should be ignored, if
    # interfaces_use is specified this option has no effect.
    # interfaces_ignore =

    # A comma-separated list of network interfaces that should be used by
    # charon. All other interfaces are ignored.
    # interfaces_use =

    # NAT keep alive interval.
    # keep_alive = 20s

    # Plugins to load in the IKE daemon charon.
    # load =

    # Determine plugins to load via each plugin's load option.
    # load_modular = no

    # Initiate IKEv2 reauthentication with a make-before-break scheme.
    make_before_break = yes

    # Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about
    # and track concurrently.
    # max_ikev1_exchanges = 3

    # Maximum packet size accepted by charon.
    # max_packet = 10000

    # Enable multiple authentication exchanges (RFC 4739).
    # multiple_authentication = yes

    # WINS servers assigned to peer via configuration payload (CP).
    # nbns1 =

    # WINS servers assigned to peer via configuration payload (CP).
    # nbns2 =

    # UDP port used locally. If set to 0 a random port will be allocated.
    # port = 500

    # UDP port used locally in case of NAT-T. If set to 0 a random port will be
    # allocated.  Has to be different from charon.port, otherwise a random port
    # will be allocated.
    # port_nat_t = 4500

    # Wether to prefer updating SAs to the path with the best route.
    # prefer_best_path = no

    # Prefer locally configured proposals for IKE/IPsec over supplied ones as
    # responder (disabling this can avoid keying retries due to
    # INVALID_KE_PAYLOAD notifies).
    # prefer_configured_proposals = yes

    # By default public IPv6 addresses are preferred over temporary ones (RFC
    # 4941), to make connections more stable. Enable this option to reverse
    # this.
    # prefer_temporary_addrs = no

    # Process RTM_NEWROUTE and RTM_DELROUTE events.
    # process_route = yes

    # Delay in ms for receiving packets, to simulate larger RTT.
    # receive_delay = 0

    # Delay request messages.
    # receive_delay_request = yes

    # Delay response messages.
    # receive_delay_response = yes

    # Specific IKEv2 message type to delay, 0 for any.
    # receive_delay_type = 0

    # Size of the AH/ESP replay window, in packets.
    # replay_window = 32

    # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
    # in strongswan.conf(5).
    # retransmit_base = 1.8

    # Maximum jitter in percent to apply randomly to calculated retransmission
    # timeout (0 to disable).
    # retransmit_jitter = 0

    # Upper limit in seconds for calculated retransmission timeout (0 to
    # disable).
    # retransmit_limit = 0

    # Timeout in seconds before sending first retransmit.
    # retransmit_timeout = 4.0

    # Number of times to retransmit a packet before giving up.
    # retransmit_tries = 5

    # Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if
    # DNS resolution failed), 0 to disable retries.
    # retry_initiate_interval = 0

    # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
    # reuse_ikesa = yes

    # Numerical routing table to install routes to.
    # routing_table =

    # Priority of the routing table.
    # routing_table_prio =

    # Delay in ms for sending packets, to simulate larger RTT.
    # send_delay = 0

    # Delay request messages.
    # send_delay_request = yes

    # Delay response messages.
    # send_delay_response = yes

    # Specific IKEv2 message type to delay, 0 for any.
    # send_delay_type = 0

    # Send strongSwan vendor ID payload
    # send_vendor_id = no

    # Whether to enable Signature Authentication as per RFC 7427.
    # signature_authentication = yes

    # Whether to enable constraints against IKEv2 signature schemes.
    # signature_authentication_constraints = yes

    # The upper limit for SPIs requested from the kernel for IPsec SAs.
    # spi_max = 0xcfffffff

    # The lower limit for SPIs requested from the kernel for IPsec SAs.
    # spi_min = 0xc0000000

    # Number of worker threads in charon.
    # threads = 16

    # Name of the user the daemon changes to after startup.
    # user =

    crypto_test {

        # Benchmark crypto algorithms and order them by efficiency.
        # bench = no

        # Buffer size used for crypto benchmark.
        # bench_size = 1024

        # Number of iterations to test each algorithm.
        # bench_time = 50

        # Test crypto algorithms during registration (requires test vectors
        # provided by the test-vectors plugin).
        # on_add = no

        # Test crypto algorithms on each crypto primitive instantiation.
        # on_create = no

        # Strictly require at least one test vector to enable an algorithm.
        # required = no

        # Whether to test RNG with TRUE quality; requires a lot of entropy.
        # rng_true = no

    }

    host_resolver {

        # Maximum number of concurrent resolver threads (they are terminated if
        # unused).
        # max_threads = 3

        # Minimum number of resolver threads to keep around.
        # min_threads = 0

    }

    leak_detective {

        # Includes source file names and line numbers in leak detective output.
        # detailed = yes

        # Threshold in bytes for leaks to be reported (0 to report all).
        # usage_threshold = 10240

        # Threshold in number of allocations for leaks to be reported (0 to
        # report all).
        # usage_threshold_count = 0

    }

    processor {

        # Section to configure the number of reserved threads per priority class
        # see JOB PRIORITY MANAGEMENT in strongswan.conf(5).
        priority_threads {

        }

    }

    # Section containing a list of scripts (name = path) that are executed when
    # the daemon is started.
    start-scripts {

    }

    # Section containing a list of scripts (name = path) that are executed when
    # the daemon is terminated.
    stop-scripts {

    }

    tls {

        # List of TLS encryption ciphers.
        # cipher =

        # List of TLS key exchange methods.
        # key_exchange =

        # List of TLS MAC algorithms.
        # mac =

        # List of TLS cipher suites.
        # suites =

    }

    x509 {

        # Discard certificates with unsupported or unknown critical extensions.
        # enforce_critical = yes

    }

}



More information about the Users mailing list