[strongSwan] VPN with sophos: remote deletes child SAs
Michael Schwartzkopff
ms at sys4.de
Fri Mar 15 16:34:06 CET 2019
Hi,
we see a strange problem when trying to establish a VPN to a Sophos.
Initially strongSwan sets up the child SAs:
charon: 10[NET] received packet: from x.x.x.x[500] to y.y.y.y[500] (1902
bytes)
charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N((16430)) N((16431)) N(REDIR_SUP) ]
charon: 10[IKE] x.x.x.x is initiating an IKE_SA
charon: 10[IKE] remote host is behind NAT
charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
charon: 10[NET] sending packet: from y.y.y.y[500] to x.x.x.x[500] (1208
bytes)
charon: 12[NET] received packet: from x.x.x.x[24289] to y.y.y.y[4500]
(352 bytes)
charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr
N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
charon: 12[CFG] looking for peer configs matching <deleted>
charon: 12[CFG] selected peer config 'deleted'
charon: 12[IKE] authentication of 'remotehost' with pre-shared key
successful
charon: 12[IKE] authentication of 'y.y.y.y' (myself) with pre-shared key
charon: 12[IKE] IKE_SA profi[4] established between x.x.x.x and y.y.y.y
charon: 12[IKE] scheduling reauthentication in 10211s
charon: 12[IKE] maximum IKE_SA lifetime 10751s
charon: 12[IKE] CHILD_SA deleted{4} established with SPIs c8e82c4a_i
cb8713c3_o and TS y.y.y.y/32 === rightsubnet/24
charon: 12[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr
N(AUTH_LFT) ]
charon: 12[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[24289]
(224 bytes)
But then the remote side deletes the nice new SPIs on us:
charon: 14[NET] received packet: from x.x.x.x[24289] to y.y.y.y[4500]
(80 bytes)
charon: 14[ENC] parsed INFORMATIONAL request 2 [ D ]
charon: 14[IKE] received DELETE for ESP CHILD_SA with SPI cb8713c3
charon: 14[IKE] closing CHILD_SA profi{4} with SPIs c8e82c4a_i (0 bytes)
cb8713c3_o (0 bytes) and TS y.y.y.y/32 === rightsubnet/24
charon: 14[IKE] sending DELETE for ESP CHILD_SA with SPI c8e82c4a
charon: 14[IKE] CHILD_SA closed
I don't know what we misconfigured on the Sophos side. I think we
configured both subnets on their side also.
Any additional ideas?
Kind regards,
--
sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein
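The charon excerpt quoted in the post shows a CHILD_SA that is established during IKE_AUTH and then deleted by the peer (INFORMATIONAL [ D ]) before a single ESP byte crosses it in either direction. The script below is an added example, not part of the post and not strongSwan's own code: it pairs charon's "established" and "closing" lines by connection name and instance number, records whether a "received DELETE" for one of that SA's SPIs preceded the close, and flags SAs that the peer tore down with 0 bytes in both directions. The sample log, the connection names (net-a, net-b), the addresses and the SPIs are constructed; the line patterns follow the log format quoted above.

```python
"""Flag CHILD_SAs that the IKEv2 peer deletes right after they come up.

Added example, not part of the original post or of strongSwan. The regexes
follow the charon log lines quoted in the post; the sample log below is
constructed (RFC 5737 addresses, made-up SPIs, hypothetical conn names).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: net-a{4} is deleted by the peer with no traffic (the
# situation in the post); net-b{5} carried traffic and was closed locally.
SAMPLE_LOG = """\
charon: 12[IKE] CHILD_SA net-a{4} established with SPIs c8e82c4a_i cb8713c3_o and TS 192.0.2.1/32 === 198.51.100.0/24
charon: 12[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
charon: 14[ENC] parsed INFORMATIONAL request 2 [ D ]
charon: 14[IKE] received DELETE for ESP CHILD_SA with SPI cb8713c3
charon: 14[IKE] closing CHILD_SA net-a{4} with SPIs c8e82c4a_i (0 bytes) cb8713c3_o (0 bytes) and TS 192.0.2.1/32 === 198.51.100.0/24
charon: 14[IKE] sending DELETE for ESP CHILD_SA with SPI c8e82c4a
charon: 14[IKE] CHILD_SA closed
charon: 05[IKE] CHILD_SA net-b{5} established with SPIs 0a1b2c3d_i 4e5f6a7b_o and TS 192.0.2.1/32 === 203.0.113.0/24
charon: 07[IKE] closing CHILD_SA net-b{5} with SPIs 0a1b2c3d_i (18320 bytes) 4e5f6a7b_o (9112 bytes) and TS 192.0.2.1/32 === 203.0.113.0/24
charon: 07[IKE] sending DELETE for ESP CHILD_SA with SPI 0a1b2c3d
charon: 07[IKE] CHILD_SA closed
"""

ESTABLISHED = re.compile(
    r"CHILD_SA (?P<name>[^{\s]+)\{(?P<uid>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS (?P<ts>.+)$")
RECEIVED_DELETE = re.compile(
    r"received DELETE for ESP CHILD_SA with SPI (?P<spi>[0-9a-f]+)")
CLOSING = re.compile(
    r"closing CHILD_SA (?P<name>[^{\s]+)\{(?P<uid>\d+)\} with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i \((?P<bytes_in>\d+) bytes\) "
    r"(?P<spi_out>[0-9a-f]+)_o \((?P<bytes_out>\d+) bytes\)")


@dataclass
class Finding:
    name: str
    uid: int
    spi_in: str
    spi_out: str
    ts: str            # traffic selectors negotiated for this SA
    bytes_in: int
    bytes_out: int
    remote_initiated: bool   # a "received DELETE" for one of our SPIs came first

    @property
    def verdict(self) -> str:
        if self.remote_initiated and self.bytes_in == 0 and self.bytes_out == 0:
            # Peer accepted the SA in IKE_AUTH, then tore it down before any
            # ESP traffic flowed: the negotiated TS pair is the first thing to
            # compare against the peer's configuration.
            return "rejected-by-peer"
        if self.remote_initiated:
            return "deleted-by-peer"
        return "closed-locally"


def analyze(log_text: str) -> List[Finding]:
    """Pair established/closing lines per SA instance and classify each close."""
    established: Dict[Tuple[str, str], dict] = {}
    remote_deleted_spis = set()
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            established[(m["name"], m["uid"])] = m.groupdict()
            continue
        m = RECEIVED_DELETE.search(line)
        if m:
            # The peer names the SPI it receives on, i.e. our outbound SPI.
            remote_deleted_spis.add(m["spi"])
            continue
        m = CLOSING.search(line)
        if m:
            est = established.pop((m["name"], m["uid"]), None)
            remote = (m["spi_in"] in remote_deleted_spis
                      or m["spi_out"] in remote_deleted_spis)
            remote_deleted_spis.discard(m["spi_in"])
            remote_deleted_spis.discard(m["spi_out"])
            findings.append(Finding(
                name=m["name"], uid=int(m["uid"]),
                spi_in=m["spi_in"], spi_out=m["spi_out"],
                ts=est["ts"] if est else "unknown",
                bytes_in=int(m["bytes_in"]), bytes_out=int(m["bytes_out"]),
                remote_initiated=remote))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.name}{{{f.uid}}} {f.verdict}: SPIs {f.spi_in}_i/{f.spi_out}_o, "
              f"{f.bytes_in}/{f.bytes_out} bytes, TS {f.ts}")
```

Run it against the charon output (with any syslog prefix left in place, since the patterns use search rather than match) and look for "rejected-by-peer" entries; the TS field on each one is the pair of selectors the peer agreed to in IKE_AUTH and then refused to keep, which is what to hold up against the subnets configured on the other side.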