[strongSwan] Stongswan and Meraki
Mark
listsr at grybm.com
Wed Feb 26 23:50:16 CET 2020
Hi,
I have a couple of random seeming problems between Meraki MX devices and
Strongswan via pfsense and I'm at a bit of a loss on how to gather more
information. Hoping for some pointers here
The Meraki side is their latest firmware and the pfsense is running
FreeBSD strongSwan U5.7.1/K11.2-RELEASE-p10. I have several sets of
these vpn's but the most problematic one has around 40 phase 1 peers,
each with 2 or 3 phase 2 configurations, this is on a single pfsense
instance with the 40 phase 1 peers being mx devices on the internet.
These are all IKEv1 configurations.
For the most part, we have solid and reliable VPN's among the devices,
but sometimes the two endpoints appear to get out of sync. This can
happen every few days or it can happen every couple of hours.
I see instances of the strongswan side successfully rekeying, but the
Meraki side logging an SPI expiration and never having logged an
established event for that same SPI. The result is that the pfsense side
will send traffic forever but the MX apparently just discards the
incoming traffic.
In other instances, I will see sometimes 5 or 6 phase 2 SPI pairs for
the same network set on the same conneciton
In either of these two cases, my operational symptom will be that
traffic is not passing. In both cases, an ipsec down connection &&
ipsec up connection makes traffic flow again.
I've engaged Meraki many times including as the problems are happening,
and I always get an inconclusive answer/ no answer.
This is an example config, they're generally all the same for the
different phase 1 and phase 2 connections
conn con1000
fragmentation = yes
keyexchange = ikev1
reauth = yes
forceencaps = yes
mobike = no
rekey = yes
installpolicy = yes
type = tunnel
dpdaction = restart
dpddelay = 10s
dpdtimeout = 60s
auto = route
left = leftnet
right = rghtnet
leftid = leftid
ikelifetime = 28800s
lifetime = 3600s
ike = aes256-sha1-modp1024!
esp = aes256-sha1,aes192-sha1,aes128-sha1!
leftauth = psk
rightauth = psk
rightid = rightid
aggressive = no
rightsubnet = 10.1.1.0/24
leftsubnet = 10.10.1.0/24
I suspect that some of my problems might be related to delivery problems
for the encapsulated packets over the internet but I don't know how I
can go about knowing that. I have the ability to capture packets on the
wan side of the pfsense/strongswan devices, but I don't quite know what
I'm looking for in the network traffic.
Any pointers to help me get the data I need to make these tunnels way
more reliable?
Thanks
Mark
More information about the Users
mailing list