[strongSwan] Help: recurring network loss between hosts
teq1uila-strongswan at yahoo.com
Thu May 9 10:57:22 CEST 2019
Hello,
I've been using strongSwan for a couple of years now, and I'm facing a recurring strange behaviour that is very difficult to track down, as I'm not that fluent in IPsec configuration.
The network often goes down between hosts, without any reason, and not always in both directions (host1 => host2 may stop working while host2 => host1 still works).
The only solution I've found is to restart strongSwan on all servers, but I'm sure this is a very bad solution :)
If someone could have a quick look at the following, in case something is so obvious that I should have noticed it...
I'm also interested in a way to analyse the situation, if it helps.
My goal is to have specific hosts communicating together with IPsec encryption.
Let's say with 3 hosts host1, host2 and host3:
- host1 <=> host2 encrypted
- host1 <=> host3 encrypted
- host2 <=> host3 encrypted
All hosts have 2 network cards, one connected to the network (192.*), and one on a private network (10.*).
NOTE: due to a required compatibility with Windows, I'm still using IKEv1 and not v2.
To achieve this, I've just installed strongSwan (strongswan-5.6.1-2.el7.x86_64) on all servers, generated a certificate for each host (from a common CA), and configured the ipsec.conf and ipsec.secrets files.
All configuration files are the same on all 3 servers, changing only the corresponding IP addresses and host names, of course.
- /etc/strongswan/ipsec.d/cacerts/ca.crt : the CA
- /etc/strongswan/ipsec.d/certs/server.crt : the host public key
- /etc/strongswan/ipsec.d/private/server.key : the host private key
- /etc/strongswan/ipsec.secrets :
        : RSA server.key
- /etc/strongswan/ipsec.conf (for host1) :
config setup
        # do not replace an existing IKE SA when the same peer identity connects again
        uniqueids = no

# Template (auto=ignore, so it is never loaded on its own, only merged via also=):
# identity and proposals for host1 on the public-network side.
conn "AutoConfig Enc host1"
        auto=ignore
        type=transport
        keyexchange=ikev1
        authby=rsasig
        ike=aes256-sha256-modp2048!
        esp=aes256gcm128-aes256gmac-modp2048!
        ikelifetime=8h
        lifetime=1h
        lifebytes=10000000000
        leftcert=server-host1.crt
        leftid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host1, E=user at host.com"

# Same template for host1's private-network (10.*) identity.
conn "AutoConfig Enc host1-1"
        auto=ignore
        type=transport
        keyexchange=ikev1
        authby=rsasig
        ike=aes256-sha256-modp2048!
        esp=aes256gcm128-aes256gmac-modp2048!
        ikelifetime=8h
        lifetime=1h
        lifebytes=10000000000
        leftcert=server-host1-1.crt
        leftid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host1-1, E=user at host.com"

# Per-peer connections: auto=route installs trap policies, so the SA is only
# negotiated when the first matching TCP packet is seen.
conn "AutoConfig tcp host1:* <-> host2:*"
        also="AutoConfig Enc host1"
        auto=route
        left=190.0.0.1
        leftsubnet=190.0.0.1[tcp/%any]
        right=190.0.0.2
        rightsubnet=190.0.0.2[tcp/%any]
        rightid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host2, E=user at host.com"

conn "AutoConfig tcp host1:* <-> host3:*"
        also="AutoConfig Enc host1"
        auto=route
        left=190.0.0.1
        leftsubnet=190.0.0.1[tcp/%any]
        right=190.0.0.3
        rightsubnet=190.0.0.3[tcp/%any]
        rightid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host3, E=user at host.com"

conn "AutoConfig tcp host1-1:* <-> host2-1:*"
        also="AutoConfig Enc host1-1"
        auto=route
        left=10.0.0.1
        leftsubnet=10.0.0.1[tcp/%any]
        right=10.0.0.2
        rightsubnet=10.0.0.2[tcp/%any]
        rightid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host2-1, E=user at host.com"

conn "AutoConfig tcp host1-1:* <-> host3-1:*"
        also="AutoConfig Enc host1-1"
        auto=route
        left=10.0.0.1
        leftsubnet=10.0.0.1[tcp/%any]
        right=10.0.0.3
        rightsubnet=10.0.0.3[tcp/%any]
        rightid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host3-1, E=user at host.com"
# iptables -S (for host1)
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -s 190.0.0.2/32 -d 190.0.0.1/32 -p tcp -m state --state NEW -m tcp -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -s 190.0.0.3/32 -d 190.0.0.1/32 -p tcp -m state --state NEW -m tcp -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -s 10.0.0.2/32 -d 10.0.0.1/32 -p tcp -m state --state NEW -m tcp -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -s 10.0.0.3/32 -d 10.0.0.1/32 -p tcp -m state --state NEW -m tcp -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
Many thanks,
Christian
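One way to analyse the one-way loss described in the post, as an added example (not code from the original message or from the strongSwan project): with auto=route the kernel holds a trap policy per direction, and a direction whose policy has no matching SA drops every packet until a new Quick Mode exchange completes. The script below parses the text output of `ip xfrm policy` and `ip xfrm state` (iproute2 on Linux) and lists every in/out policy that has an ESP template but no installed SA between the selector hosts. It assumes transport mode with single-host selectors, as in the posted ipsec.conf; the sample output, SPIs and reqids are constructed for the example, not captured from the poster's hosts.

```python
"""Cross-check Linux kernel IPsec policies against installed SAs (iproute2).
Added diagnostic, not from the original post or the strongSwan project. It parses
`ip xfrm policy` / `ip xfrm state` text output and lists each in/out policy that has
an ESP template but no matching SA: with auto=route such a policy traps packets and
the kernel drops them until a new SA is up, which is what one-way loss looks like."""
import re, subprocess, sys
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    src: str        # selector, e.g. "190.0.0.1/32"
    dst: str
    proto: str      # "tcp", "any", ...
    direction: str  # "in", "out" or "fwd"
    reqid: int      # shared by the two SAs of one Quick Mode exchange

@dataclass(frozen=True)
class State:
    src: str        # SA endpoints, no prefix length
    dst: str
    spi: int
    reqid: int

# Constructed sample for host1 (190.0.0.1), not captured from the poster's hosts:
# both SAs with host2 exist, only the inbound SA from host3 does, so host1 -> host3
# is blackholed while host3 -> host1 keeps working.
SAMPLE_POLICY = """\
src 190.0.0.1/32 dst 190.0.0.2/32 proto tcp
    dir out priority 367231 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 1 mode transport
src 190.0.0.2/32 dst 190.0.0.1/32 proto tcp
    dir in priority 367231 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 1 mode transport
src 190.0.0.1/32 dst 190.0.0.3/32 proto tcp
    dir out priority 367231 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 2 mode transport
src 190.0.0.3/32 dst 190.0.0.1/32 proto tcp
    dir in priority 367231 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 2 mode transport
"""
SAMPLE_STATE = """\
src 190.0.0.1 dst 190.0.0.2
    proto esp spi 0xc0a80001 reqid 1 mode transport
src 190.0.0.2 dst 190.0.0.1
    proto esp spi 0xc0a80002 reqid 1 mode transport
src 190.0.0.3 dst 190.0.0.1
    proto esp spi 0xc0a80003 reqid 2 mode transport
"""

def parse_policies(text):
    """Parse `ip xfrm policy` output; entries without an ESP template are skipped."""
    policies, cur = [], None
    for line in text.splitlines():
        head = re.match(r"^src (\S+) dst (\S+)(?: proto (\S+))?", line)
        if head:  # an unindented "src ... dst ..." line opens a new entry
            cur = {"src": head[1], "dst": head[2], "proto": head[3] or "any"}
            continue
        d = re.search(r"\bdir (in|out|fwd)\b", line)
        if d and cur is not None:
            cur["dir"] = d[1]
        t = re.search(r"\bproto esp reqid (\d+) mode (\S+)", line)
        if t and cur is not None and "dir" in cur:
            policies.append(Policy(cur["src"], cur["dst"], cur["proto"], cur["dir"], int(t[1])))
            cur = None
    return policies

def parse_states(text):
    """Parse `ip xfrm state` output into one State per SA (indented lines are details)."""
    states, cur = [], None
    for line in text.splitlines():
        head = re.match(r"^src (\S+) dst (\S+)", line)
        if head:
            cur = (head[1], head[2])
            continue
        sa = re.search(r"\bspi (0x[0-9a-fA-F]+) reqid (\d+)\b", line)
        if sa and cur is not None:
            states.append(State(cur[0], cur[1], int(sa[1], 16), int(sa[2])))
            cur = None
    return states

def host(selector):
    return selector.split("/")[0]  # "190.0.0.1/32" -> "190.0.0.1"

def find_blackholes(policies, states):
    """In/out policies with no SA for the same reqid between the selector hosts."""
    return [p for p in policies if p.direction != "fwd" and not any(
        s.reqid == p.reqid and s.src == host(p.src) and s.dst == host(p.dst) for s in states)]

if __name__ == "__main__":
    if "--live" in sys.argv:  # inspect the running host; run as root
        pol = subprocess.run(["ip", "xfrm", "policy"], capture_output=True, text=True, check=True).stdout
        sta = subprocess.run(["ip", "xfrm", "state"], capture_output=True, text=True, check=True).stdout
    else:
        pol, sta = SAMPLE_POLICY, SAMPLE_STATE
    for p in find_blackholes(parse_policies(pol), parse_states(sta)):
        print("%s %s -> %s reqid %d: policy installed but no SA, packets dropped"
              % (p.direction.upper(), host(p.src), host(p.dst), p.reqid))
```

Run it with `--live` on both ends of a failing pair at the moment the loss happens, before restarting anything. If neither side reports a missing SA, compare the SPIs printed by `ip xfrm state` on the two hosts instead: an outbound SA whose SPI the peer no longer has installed is the other common way to get traffic that is sent encrypted but never decrypted, and `ipsec statusall` shows which IKE and CHILD SAs the daemon itself still believes are up.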