[strongSwan] Windows XP sends DELETE

Mark Himsley mark+strongswan at mdsh.com
Fri May 31 16:48:50 CEST 2019


Dear StrongSwan List,


Can you help me work out why the IPSec connection across a corporate LAN
between the built-in IPSec "Local Security policy" on Windows XP and
StrongSwan on Ubuntu 16.04 is going down?


For reasons out of my hands, the company I work for runs some networked
software on Windows XP.

The system exists on a private corporate network, which thousands of
people in the company have access to.

The network communication to that software is unencrypted and TPTB
require that the data is encrypted on the wire.

For years I have had several OpenSwan installations working 24/7 but,
due to operating system upgrades I am required to make the same system
work on StrongSwan.

I've been hacking at a connection configuration file. I can get the
IPSec connection up, and I can send data in both directions using nc.

The problem I have is that the Windows XP host sends a DELETE after
about 40-80 seconds and the IPSec link goes down.

See this example:

May 31 15:16:27 zgbwcmdshapp002 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-72-generic, x86_64)
May 31 15:16:27 zgbwcmdshapp002 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 31 15:16:27 zgbwcmdshapp002 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 31 15:16:27 zgbwcmdshapp002 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 31 15:16:27 zgbwcmdshapp002 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 31 15:16:27 zgbwcmdshapp002 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 31 15:16:27 zgbwcmdshapp002 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 31 15:16:27 zgbwcmdshapp002 charon: 00[CFG] loading secrets from '/etc/ipsec.d/bsd_newsjobfab02.secrets'
May 31 15:16:27 zgbwcmdshapp002 charon: 00[CFG]   loaded IKE secret for %any 10.161.145.208
May 31 15:16:27 zgbwcmdshapp002 charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
May 31 15:16:27 zgbwcmdshapp002 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
May 31 15:16:27 zgbwcmdshapp002 charon: 00[JOB] spawning 16 worker threads
May 31 15:16:27 zgbwcmdshapp002 charon: 05[CFG] received stroke: add connection 'bsd_newsjobfab02'
May 31 15:16:27 zgbwcmdshapp002 charon: 05[CFG] added configuration 'bsd_newsjobfab02'
May 31 15:16:27 zgbwcmdshapp002 charon: 07[CFG] received stroke: initiate 'bsd_newsjobfab02'
May 31 15:16:27 zgbwcmdshapp002 charon: 07[IKE] initiating Main Mode IKE_SA bsd_newsjobfab02[1] to 10.161.145.208
May 31 15:16:27 zgbwcmdshapp002 charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V ]
May 31 15:16:27 zgbwcmdshapp002 charon: 07[NET] sending packet: from 10.161.158.42[500] to 10.161.145.208[500] (188 bytes)
May 31 15:16:27 zgbwcmdshapp002 charon: 09[NET] received packet: from 10.161.145.208[500] to 10.161.158.42[500] (148 bytes)
May 31 15:16:27 zgbwcmdshapp002 charon: 09[ENC] parsed ID_PROT response 0 [ SA V V V ]
May 31 15:16:27 zgbwcmdshapp002 charon: 09[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
May 31 15:16:27 zgbwcmdshapp002 charon: 09[IKE] received FRAGMENTATION vendor ID
May 31 15:16:27 zgbwcmdshapp002 charon: 09[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 31 15:16:27 zgbwcmdshapp002 charon: 09[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
May 31 15:16:27 zgbwcmdshapp002 charon: 09[NET] sending packet: from 10.161.158.42[500] to 10.161.145.208[500] (244 bytes)
May 31 15:16:28 zgbwcmdshapp002 charon: 10[NET] received packet: from 10.161.145.208[500] to 10.161.158.42[500] (232 bytes)
May 31 15:16:28 zgbwcmdshapp002 charon: 10[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
May 31 15:16:28 zgbwcmdshapp002 charon: 10[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
May 31 15:16:28 zgbwcmdshapp002 charon: 10[NET] sending packet: from 10.161.158.42[500] to 10.161.145.208[500] (100 bytes)
May 31 15:16:28 zgbwcmdshapp002 charon: 11[NET] received packet: from 10.161.145.208[500] to 10.161.158.42[500] (68 bytes)
May 31 15:16:28 zgbwcmdshapp002 charon: 11[ENC] parsed ID_PROT response 0 [ ID HASH ]
May 31 15:16:28 zgbwcmdshapp002 charon: 11[IKE] IKE_SA bsd_newsjobfab02[1] established between 10.161.158.42[10.161.158.42]...10.161.145.208[10.161.145.208]
May 31 15:16:28 zgbwcmdshapp002 charon: 11[IKE] scheduling reauthentication in 240s
May 31 15:16:28 zgbwcmdshapp002 charon: 11[IKE] maximum IKE_SA lifetime 300s
May 31 15:16:28 zgbwcmdshapp002 charon: 11[ENC] generating QUICK_MODE request 1332971477 [ HASH SA No KE ID ID ]
May 31 15:16:28 zgbwcmdshapp002 charon: 11[NET] sending packet: from 10.161.158.42[500] to 10.161.145.208[500] (332 bytes)
May 31 15:16:28 zgbwcmdshapp002 charon: 12[NET] received packet: from 10.161.145.208[500] to 10.161.158.42[500] (292 bytes)
May 31 15:16:28 zgbwcmdshapp002 charon: 12[ENC] parsed QUICK_MODE response 1332971477 [ HASH SA KE No ID ID ]
May 31 15:16:28 zgbwcmdshapp002 charon: 12[IKE] CHILD_SA bsd_newsjobfab02{1} established with SPIs cdbb6f6c_i 7607d8a3_o and TS 10.161.158.42/32[tcp] === 10.161.145.208/32[tcp/2001]
May 31 15:16:28 zgbwcmdshapp002 charon: 12[ENC] generating QUICK_MODE request 1332971477 [ HASH ]
May 31 15:16:28 zgbwcmdshapp002 charon: 12[NET] sending packet: from 10.161.158.42[500] to 10.161.145.208[500] (60 bytes)
May 31 15:16:28 zgbwcmdshapp002 charon: 13[NET] received packet: from 10.161.145.208[500] to 10.161.158.42[500] (76 bytes)
May 31 15:16:28 zgbwcmdshapp002 charon: 13[ENC] parsed QUICK_MODE response 1332971477 [ HASH N(INIT_CONTACT) ]
May 31 15:16:28 zgbwcmdshapp002 charon: 13[IKE] ignoring fourth Quick Mode message

... I can send data in both directions at this point ...

May 31 15:17:55 zgbwcmdshapp002 charon: 07[NET] received packet: from 10.161.145.208[500] to 10.161.158.42[500] (84 bytes)
May 31 15:17:55 zgbwcmdshapp002 charon: 07[ENC] parsed INFORMATIONAL_V1 request 3336712608 [ HASH D ]
May 31 15:17:55 zgbwcmdshapp002 charon: 07[IKE] received DELETE for IKE_SA bsd_newsjobfab02[1]
May 31 15:17:55 zgbwcmdshapp002 charon: 07[IKE] deleting IKE_SA bsd_newsjobfab02[1] between 10.161.158.42[10.161.158.42]...10.161.145.208[10.161.145.208]


I'm watching both machines with tcpdump / wireshark and I'm confident
that the log above is consistent with the data being sent on the wire.


The connection config I'm using is this:

conn bsd_newsjobfab02
        auto=start
        authby=secret
        type=transport
        left=%defaultroute
        leftprotoport=tcp
        right=10.161.145.208
        rightprotoport=tcp/2001
        keyexchange=ikev1
        ike=aes128-sha1-modp1024,3des-sha1-modp1024!
        esp=aes128-sha1-modp1024,3des-sha1-modp1024!
        lifetime=10m
        ikelifetime=5m
        reauth=yes
        margintime=1m
        rekeyfuzz=10%
        rekey=yes


Can you help me get this connection to stay up?

Thanks in advance.

-- 
Mark Himsley
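An added check, not code from the post above or from strongSwan: the first question with a log like this is whether the DELETE could be a side effect of strongSwan's own reauth/rekey schedule, or whether the peer tore the IKE_SA down on its own clock. The script below pairs the charon lines with the ikelifetime, margintime and rekeyfuzz values from the conn and answers that from the timestamps. The sample log is a constructed condensation of the lines quoted in the post (syslog carries no year, so 2019 is assumed from the post date). The timer window it predicts (soft reauth at ikelifetime minus a margin randomly enlarged by up to margintime*rekeyfuzz, hard expiry at the soft timer plus margintime) is my reading of the ipsec.conf semantics, stated here as an assumption; it does reproduce the 240s/300s that charon logged for this conn.

```python
"""Check whether a peer's IKEv1 DELETE can be explained by our own IKE_SA timers.

Added example, not from the mailing-list post or from strongSwan. It parses
charon syslog lines, extracts the IKE_SA establish/DELETE timestamps and the
timers charon scheduled, and compares them with the window predicted from the
ipsec.conf lifetime settings.
"""
import re
from datetime import datetime

# Constructed sample: a condensation of the charon lines quoted in the post,
# kept to the lines the analysis needs.
SAMPLE_LOG = """\
May 31 15:16:28 zgbwcmdshapp002 charon: 11[IKE] IKE_SA bsd_newsjobfab02[1] established between 10.161.158.42[10.161.158.42]...10.161.145.208[10.161.145.208]
May 31 15:16:28 zgbwcmdshapp002 charon: 11[IKE] scheduling reauthentication in 240s
May 31 15:16:28 zgbwcmdshapp002 charon: 11[IKE] maximum IKE_SA lifetime 300s
May 31 15:16:28 zgbwcmdshapp002 charon: 12[IKE] CHILD_SA bsd_newsjobfab02{1} established with SPIs cdbb6f6c_i 7607d8a3_o and TS 10.161.158.42/32[tcp] === 10.161.145.208/32[tcp/2001]
May 31 15:17:55 zgbwcmdshapp002 charon: 07[ENC] parsed INFORMATIONAL_V1 request 3336712608 [ HASH D ]
May 31 15:17:55 zgbwcmdshapp002 charon: 07[IKE] received DELETE for IKE_SA bsd_newsjobfab02[1]
"""

# "<Mon> <day> <hh:mm:ss> <host> charon: <thread>[<group>] <message>"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ charon: '
    r'\d+\[[A-Z]+\] (?P<msg>.*)$')


def parse_ts(ts, year):
    """Syslog timestamps carry no year; the caller supplies it (assumed 2019 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def ike_sa_timeline(log, year=2019):
    """Map each IKE_SA ("name[id]") to when charon established it, the soft/hard
    timers it logged for it, and when (if ever) a peer DELETE for it arrived."""
    sas, current = {}, None
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m['ts'], year), m['msg']
        if e := re.match(r'IKE_SA (\S+) established between', msg):
            current = e.group(1)
            sas[current] = {'established': ts, 'deleted': None,
                            'soft': None, 'hard': None}
        elif (r := re.match(r'scheduling (?:reauthentication|rekeying) in (\d+)s', msg)) and current:
            sas[current]['soft'] = int(r.group(1))  # timer lines follow their IKE_SA line
        elif (h := re.match(r'maximum IKE_SA lifetime (\d+)s', msg)) and current:
            sas[current]['hard'] = int(h.group(1))
        elif (d := re.match(r'received DELETE for IKE_SA (\S+)', msg)) and d.group(1) in sas:
            sas[d.group(1)]['deleted'] = ts
    return sas


def expected_ike_timers(ikelifetime, margintime, rekeyfuzz):
    """Window (seconds) in which charon's own IKE_SA timers should land for the
    given ipsec.conf values. ASSUMPTION (my reading of the ipsec.conf semantics,
    not a formula quoted from strongSwan): the margin is randomly increased by up
    to margintime*rekeyfuzz, the soft reauth/rekey timer fires at ikelifetime
    minus that margin, and the hard expiry is the soft timer plus margintime."""
    jitter = round(margintime * rekeyfuzz)
    soft_hi = ikelifetime - margintime
    soft_lo = soft_hi - jitter
    return {'soft': (soft_lo, soft_hi),
            'hard': (soft_lo + margintime, soft_hi + margintime)}


def timers_consistent(sa, timers):
    """Do the timers charon logged fall inside the window the config predicts?"""
    slo, shi = timers['soft']
    hlo, hhi = timers['hard']
    return (sa['soft'] is not None and slo <= sa['soft'] <= shi
            and sa['hard'] is not None and hlo <= sa['hard'] <= hhi)


def elapsed_seconds(sa):
    """Seconds between IKE_SA establishment and the peer's DELETE, or None."""
    if sa['deleted'] is None:
        return None
    return int((sa['deleted'] - sa['established']).total_seconds())


def classify_delete(sa, timers):
    """'alive' (no DELETE seen); 'before-local-timers' (the peer tore the SA down
    before our earliest soft timer could have fired, so the cause is on its side);
    'within-local-window' (our own reauth/rekey may have been involved)."""
    elapsed = elapsed_seconds(sa)
    if elapsed is None:
        return 'alive'
    return 'before-local-timers' if elapsed < timers['soft'][0] else 'within-local-window'


if __name__ == '__main__':
    # ikelifetime=5m, margintime=1m, rekeyfuzz=10% from the conn in the post
    timers = expected_ike_timers(ikelifetime=300, margintime=60, rekeyfuzz=0.10)
    for name, sa in ike_sa_timeline(SAMPLE_LOG).items():
        print(f"{name}: logged soft={sa['soft']}s hard={sa['hard']}s, "
              f"predicted soft={timers['soft']} hard={timers['hard']}, "
              f"consistent={timers_consistent(sa, timers)}")
        print(f"{name}: DELETE after {elapsed_seconds(sa)}s -> {classify_delete(sa, timers)}")
```

With the post's values the earliest local reauth is 234s and the hard expiry no earlier than 294s, so a DELETE arriving 87s after establishment is the XP side's decision and not a consequence of these lifetimes; the next thing to inspect is the Windows policy and its IKE event log rather than the strongSwan conn.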

