[strongSwan] erratic disconnects from Alcatel DeskPhone VPN clients (reassigning online vs. offline lease)
Grischa Stegemann
gs at plusline.de
Wed Dec 2 17:07:37 CET 2020
Hello again
Quick follow-up from myself:
We have narrowed the problem down to the reauthentication of the IKEv2 SA.
New findings: the Alcatel DeskPhones are running strongSwan with the following
parameters:
vpn: IKEv2, reauthentication every 3600s, no rekeying
local: 172.20.2.56
remote: Y.Y.Y.132
local EAP_MSCHAPV2 authentication:
eap_id: phone at mydomain
local pre-shared key authentication:
remote pre-shared key authentication:
vpn1: TUNNEL, rekeying every 1080s
local: dynamic
remote: 0.0.0.0/0
dhcp: PASS, no rekeying
local: dynamic
remote: 0.0.0.0/0[udp/bootps]
lan: PASS, no rekeying
local: dynamic
remote: 172.20.2.0/24
The option make-before-break is enabled on the client as well as on our
server.
The case in which the phone is getting confused and starting to reboot
is when it gets a new virtual ip address from our responder during the
re-authentication.
On many occasions everything is going fine and the client is getting the
same virtual address again (reassigning online lease):
Dec 2 03:24:08 06[IKE] <ALCATEL-IKEV2|846> peer requested virtual IP 10.197.200.6
Dec 2 03:24:08 06[CFG] <ALCATEL-IKEV2|846> reassigning online lease to '192.168.178.39'
Dec 2 03:24:08 06[IKE] <ALCATEL-IKEV2|846> assigning virtual IP 10.197.200.6 to peer '192.168.178.39'
But in some cases our server is ignoring the client's request and
assigns a different virtual address (reassigning offline lease):
Dec 2 03:42:16 06[IKE] <ALCATEL-IKEV2|864> peer requested virtual IP 10.197.200.33
Dec 2 03:42:16 06[CFG] <ALCATEL-IKEV2|864> reassigning offline lease to '192.168.0.109'
Dec 2 03:42:16 06[IKE] <ALCATEL-IKEV2|864> assigning virtual IP 10.197.200.55 to peer '192.168.0.109'
So far we cannot find any explanation for when or why the server is
assigning a new virtual ip address in these cases.
What is the exact ID of the client that the server uses to recognize the
client for re-assignment of the former virtual address? Is it the
combination of the client's private address, public NAT address and source port?
We have checked whether any of these values changed in the cases where the
re-assignment failed, but they remained unchanged the whole time.
What might be the reason for assigning offline versus online lease?
Best regards
Grischa
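Added illustration (not part of the post above and not strongSwan's own code): a small Python model of a virtual-IP lease pool keyed by peer identity that reproduces both log outcomes quoted in the message. It rests on assumptions, stated here and in the code: that leases are tracked per IKE identity (the value quoted in the log, e.g. '192.168.178.39', not the NAT address or port); that an offline lease of that identity is handed out before the requested address is even considered; that an online lease is re-issued only when the request matches it exactly (the make-before-break case, where the old IKE_SA still holds the address); and that a lease only goes offline once no IKE_SA of that identity holds it. Pool contents, identities and addresses are constructed to mirror the post. Under these assumptions an identity that holds .33 online (its current SA) and also has an older lease .55 that went offline later, for instance from a previous SA that DPD removed after the phone had already reconnected, gets .55 back although it asked for .33, which is the offline-reassignment case in the log.

```python
"""Model of a virtual-IP lease pool keyed by peer identity.

Added illustration, not strongSwan's code. Assumptions:
  * leases are tracked per IKE identity string, e.g. '192.168.178.39';
  * an offline lease of that identity is re-issued first, whatever was requested;
  * an online lease is re-issued only if the request matches it exactly
    (make-before-break: the old IKE_SA still holds the address);
  * a lease goes offline only when no IKE_SA of that identity still holds it.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass
class Entry:
    """Leases known for one identity: one online entry per IKE_SA holding it."""
    online: List[IPv4Address] = field(default_factory=list)
    offline: List[IPv4Address] = field(default_factory=list)


class LeasePool:
    def __init__(self, network: str) -> None:
        self.entries: Dict[str, Entry] = {}
        self.free: List[IPv4Address] = list(IPv4Network(network).hosts())
        self.log: List[str] = []  # mimics the [IKE]/[CFG] lines in the post

    def seed(self, peer_id: str, addr: str, online: bool) -> None:
        """Constructed pre-existing state (what the pool held before the reauth)."""
        ip = IPv4Address(addr)
        if ip in self.free:
            self.free.remove(ip)
        entry = self.entries.setdefault(peer_id, Entry())
        (entry.online if online else entry.offline).append(ip)

    def acquire(self, peer_id: str, requested: Optional[str]) -> IPv4Address:
        entry = self.entries.setdefault(peer_id, Entry())
        req = IPv4Address(requested) if requested else None
        if req is not None:
            self.log.append(f"peer requested virtual IP {req}")
        if entry.offline:
            # Rule 1 (assumed): an offline lease of this identity wins, the request is ignored
            addr = entry.offline.pop(0)
            self.log.append(f"reassigning offline lease to '{peer_id}'")
        elif req is not None and req in entry.online:
            # Rule 2 (assumed): requested address is still online for this identity,
            # so the new IKE_SA gets a second reference to the same lease
            addr = req
            self.log.append(f"reassigning online lease to '{peer_id}'")
        else:
            # Rule 3: nothing to reuse, take a fresh address from the range
            if not self.free:
                raise RuntimeError("pool exhausted")
            addr = self.free.pop(0)
            self.log.append(f"assigning new lease to '{peer_id}'")
        entry.online.append(addr)
        self.log.append(f"assigning virtual IP {addr} to peer '{peer_id}'")
        return addr

    def release(self, peer_id: str, addr: str) -> None:
        """An IKE_SA of peer_id is deleted (DPD timeout, or the old SA after reauth)."""
        ip = IPv4Address(addr)
        entry = self.entries[peer_id]
        entry.online.remove(ip)
        if ip not in entry.online:  # last holder gone: lease goes offline
            entry.offline.append(ip)
            self.log.append(f"lease {ip} by '{peer_id}' went offline")


def replay_post_scenarios() -> Dict[str, str]:
    """Reproduce both outcomes quoted in the post from constructed pool state."""
    pool = LeasePool("10.197.200.0/24")
    # Case 1: the old IKE_SA of '192.168.178.39' still holds .6 during the
    # make-before-break reauth and the phone asks for .6 again -> online reassign.
    pool.seed("192.168.178.39", "10.197.200.6", online=True)
    a = pool.acquire("192.168.178.39", "10.197.200.6")
    # Case 2: '192.168.0.109' holds .33 online (current SA) but also has an older
    # lease .55 that went offline later. It asks for .33 and gets .55 instead.
    pool.seed("192.168.0.109", "10.197.200.33", online=True)
    pool.seed("192.168.0.109", "10.197.200.55", online=False)
    b = pool.acquire("192.168.0.109", "10.197.200.33")
    return {"192.168.178.39": str(a), "192.168.0.109": str(b)}


def stale_offline_sequence() -> List[str]:
    """Constructed sequence that leaves one identity with an online and an offline
    lease: reboot, reconnect without requesting an address, DPD on the old SA."""
    pool = LeasePool("10.0.0.0/29")
    first = pool.acquire("phone", None)         # SA1 gets 10.0.0.1
    second = pool.acquire("phone", None)        # phone rebooted, asks for nothing: SA2 gets .2
    pool.release("phone", str(first))           # DPD finally deletes SA1: .1 goes offline
    third = pool.acquire("phone", str(second))  # reauth of SA2 asks for .2, gets .1 back
    return [str(first), str(second), str(third)]


if __name__ == "__main__":
    print(replay_post_scenarios())
    print(stale_offline_sequence())
```

The practical check this suggests on a real responder is to look, for the affected identity, for an earlier "went offline" line for the address that was later handed out in place of the requested one, and to confirm that the identity string in the quoted log is what the pool is keyed on rather than the NAT address or port.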