[strongSwan] ikev2: Tunnel established in spite of different phase 2 DH group

Makarand Pradhan MakarandPradhan at is5com.com
Thu Apr 2 17:47:32 CEST 2020


Hi Tobias,

As mentioned on the Wiki, I am trying to rekey using swanctl. The connection continues to stay up even after I perform a rekey.

Is there a way I can force a CHILD_SA delete when the Proposal mismatch occurs?

Log:
Initiate rekey:
root at t1024rdb:/usr/local/etc# !swan
swanctl -R -P -i m1 -c m1
rekey reply {
  success = yes
  matches = 1
}

The tunnel status ESTABLISHED/INSTALLED:
root at t1024rdb:/usr/local/etc# ipsec statusall m1
Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.1.35-rt41, ppc64):
  uptime: 14 minutes, since Apr 02 11:40:38 2020
  malloc: sbrk 2297856, mmap 0, used 408224, free 1889632
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 63
  loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac drbg attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
  10.10.5.1
  192.168.51.2
  192.168.52.2
  91.0.0.2
Connections:
          m1:  91.0.0.2...91.0.0.3  IKEv2
          m1:   local:  [m1_91.0.0.2] uses pre-shared key authentication
          m1:   remote: [m1_91.0.0.3] uses pre-shared key authentication
          m1:   child:  192.168.9.0/24 192.168.51.0/24 === 10.10.9.0/24 192.168.61.0/24 TUNNEL
Security Associations (2 up, 0 connecting):
          m1[13]: ESTABLISHED 25 seconds ago, 91.0.0.2[m1_91.0.0.2]...91.0.0.3[m1_91.0.0.3]
          m1[13]: IKEv2 SPIs: bb0b3c94b4a1087e_i* 60383db9c4be318c_r, pre-shared key reauthentication in 13 minutes
          m1[13]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
          m1{2038}:  INSTALLED, TUNNEL, reqid 13, ESP SPIs: c4a03d41_i ce69b3f6_o
          m1{2038}:  AES_CBC_256/HMAC_SHA2_256_128, 2016 bytes_i (24 pkts, 0s ago), 2016 bytes_o (24 pkts, 0s ago), rekeying active
          m1{2038}:   192.168.9.0/24 192.168.51.0/24 === 10.10.9.0/24 192.168.61.0/24

I do see that the rekey fails due to Proposal mismatch in the DH group:

Swanctl --log:

10[IKE] establishing CHILD_SA m1{2666} reqid 9
10[ENC] generating CREATE_CHILD_SA request 121 [ N(REKEY_SA) SA No KE TSi TSr ]
10[NET] sending packet: from 91.0.0.2[500] to 91.0.0.3[500] (368 bytes)
11[NET] received packet: from 91.0.0.3[500] to 91.0.0.2[500] (96 bytes)
11[ENC] parsed CREATE_CHILD_SA response 121 [ N(NO_PROP) ]
11[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
11[IKE] failed to establish CHILD_SA, keeping IKE_SA
11[IKE] CHILD_SA rekeying failed, trying again in 12 seconds
14[NET] received packet: from 91.0.0.3[500] to 91.0.0.2[500] (528 bytes)
14[ENC] parsed CREATE_CHILD_SA request 48 [ N(REKEY_SA) SA No KE TSi TSr ]
14[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
14[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_768/NO_EXT_SEQ
14[IKE] no acceptable proposal found
14[IKE] failed to establish CHILD_SA, keeping IKE_SA


Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr,
Mississauga, Ontario
L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax:+1-289-401-5206
Email: makarandpradhan at is5com.com
Website: www.iS5Com.com

 
Confidentiality Notice: 
This message is intended only for the named recipients. This message may contain information that is confidential and/or exempt from disclosure under applicable law. Any dissemination or copying of this message by anyone other than a named recipient is strictly prohibited. If you are not a named recipient or an employee or agent responsible for delivering this message to a named recipient, please notify us immediately, and permanently destroy this message and any copies you may have. Warning: Email may not be secure unless properly encrypted.
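The log lines quoted above are the only signal that the rekey is being rejected while the existing CHILD_SA stays INSTALLED ("rekeying active" in the status output), so a defender watching charon output should alert on them. The parser below is an added example, not code from the post or from strongSwan; it reads charon log lines in the format shown, counts the rekey-failure events, extracts the DH transform (MODP_*/ECP_*/CURVE_*) from the "received" and "configured" ESP proposals, and reports whether the peer's DH groups have no overlap with the local configuration. The sample log is copied from the post.

```python
import re
from dataclasses import dataclass, field

# Sample log copied from the mailing-list post (initiator rejected, then responder mismatch)
SAMPLE_LOG = """\
11[ENC] parsed CREATE_CHILD_SA response 121 [ N(NO_PROP) ]
11[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
11[IKE] failed to establish CHILD_SA, keeping IKE_SA
11[IKE] CHILD_SA rekeying failed, trying again in 12 seconds
14[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
14[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_768/NO_EXT_SEQ
14[IKE] no acceptable proposal found
14[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""

LINE_RE = re.compile(r"^\s*(\d+)\[(\w+)\]\s+(.*)$")          # "<thread>[SUBSYS] message"
PROP_RE = re.compile(r"^(received|configured) proposals:\s+(\S+)")
DH_RE = re.compile(r"\b(MODP_\d+(?:_\d+)?|ECP_\d+(?:_BP)?|CURVE_\w+)\b")  # DH transforms as charon prints them

@dataclass
class RekeyFindings:
    no_proposal_chosen: int = 0      # peer rejected our CREATE_CHILD_SA
    no_acceptable_proposal: int = 0  # we rejected the peer's CREATE_CHILD_SA
    keeping_ike_sa: int = 0          # CHILD_SA not rebuilt, IKE_SA left up
    received_dh: list = field(default_factory=list)
    configured_dh: list = field(default_factory=list)

    def dh_mismatch(self) -> bool:
        # True only when the peer offered DH groups and none matches our configured set
        return bool(self.received_dh) and not (set(self.received_dh) & set(self.configured_dh))

def analyze_charon_log(text: str) -> RekeyFindings:
    f = RekeyFindings()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(3)
        if "received NO_PROPOSAL_CHOSEN notify" in msg:
            f.no_proposal_chosen += 1
        elif "no acceptable proposal found" in msg:
            f.no_acceptable_proposal += 1
        elif "failed to establish CHILD_SA, keeping IKE_SA" in msg:
            f.keeping_ike_sa += 1
        pm = PROP_RE.match(msg)
        if pm:
            target = f.received_dh if pm.group(1) == "received" else f.configured_dh
            target.extend(DH_RE.findall(pm.group(2)))
    return f
```

Feeding the quoted log through `analyze_charon_log` yields MODP_2048 received against MODP_768 configured, which is exactly the phase 2 DH mismatch that keeps the old CHILD_SA in use.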

-----Original Message-----
From: Users <users-bounces at lists.strongswan.org> On Behalf Of Makarand Pradhan
Sent: April 2, 2020 8:53 AM
To: Tobias Brunner <tobias at strongswan.org>; users at lists.strongswan.org
Subject: Re: [strongSwan] ikev2: Tunnel established in spite of different phase 2 DH group

Good morning Tobias,

Appreciate your confirmation.


-----Original Message-----
From: Tobias Brunner <tobias at strongswan.org> 
Sent: April 2, 2020 4:46 AM
To: Makarand Pradhan <MakarandPradhan at is5com.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] ikev2: Tunnel established in spite of different phase 2 DH group

Hi Makarand,

> Is the system behaving correctly? i.e. the DH group is used only during reneg after expiry of lifetime?

Yes, see [1].

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#IKEv2
