[strongSwan] New IPSec tunnels brings down active tunnels

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Jan 10 20:26:04 CET 2020


Hello Eric,

Please don't unnecessarily censor the emails and follow the guide on the HelpRequests[1] page (particularly the bit about the logs).
Also your logging is way too verbose for anything useful.

Kind regards

Noel

[1] http://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 10.01.20 at 17:33, Eric.Zaluzec at vertiv.com wrote:
> Using StrongSwan v5.7.1 on an embedded Linux system, I have an IPsec network setup where multiple devices (workers) will create tunnels to a single device (master). I'm having trouble with a scenario where, when a new device (worker) comes online and a tunnel is created to the master device, the previously connected tunnels go down. A dpdaction to restart on the previously connected tunnels will re-establish them, but then that new device's tunnel goes down. This creates a loop where tunnels are continuously going down and up, and the tunnels are never stable and all up at once. Running an `ipsec update` or `ipsec reload` on the master device does not change this tunnel down/up loop.
> 
> I'm using systemd to run the strongswan service. I've found that a `systemctl restart strongswan` on the master device will stop the continuous down/up of tunnels. I can script the master device to run `systemctl restart strongswan` after new devices (workers) establish a tunnel; however, if one of the multiple devices (workers) happens to reboot, then after the reboot the device's tunnel to the master device will cause all existing tunnels to the master to drop once again. Writing a service on the master device to detect when worker devices reboot and to restart strongswan is not as feasible.
> 
> Has anyone run into a similar issue and can help suggest what a good course of action to take would be? I'm not sure if I am missing something in my ipsec configuration. Any suggestions or feedback would be helpful and greatly appreciated!
> 
> Here is what my ipsec.conf files look like from the master device & worker device:
> 
> 
> # Master ipsec.conf
> 
> config setup
>     strictcrlpolicy=no
>     charondebug="ike 4, knl 4, cfg 2"
>     uniqueids = no
> 
> conn %default
>     rekey=no
>     ike=aes256-sha256-modp2048
>     esp=aes256-sha256-modp2048
>     auto=start
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=restart
> 
> conn tunnel10.207.15.85-10.207.15.70
>     keyexchange=ikev2
>     left=10.207.15.85
>     leftsubnet=
>     leftcert=peerCert.pem
>     right=10.207.15.70
>     rightsubnet=
>     leftid="C=US, O=Vertiv, CN=peer"
>     rightid="C=US, O=Vertiv, CN=peer"
> 
> conn tunnel10.96.0.1-10.207.15.70
>     keyexchange=ikev2
>     left=10.207.15.85
>     leftsubnet=10.96.0.1
>     leftcert=peerCert.pem
>     right=10.207.15.70
>     rightsubnet=
>     leftid="C=US, O=Vertiv, CN=peer"
>     rightid="C=US, O=Vertiv, CN=peer"
> 
> conn tunnel10.207.15.85-10.207.15.23
>     keyexchange=ikev2
>     left=10.207.15.85
>     leftsubnet=
>     leftcert=peerCert.pem
>     right=10.207.15.23
>     rightsubnet=
>     leftid="C=US, O=Vertiv, CN=peer"
>     rightid="C=US, O=Vertiv, CN=peer"
> 
> conn tunnel10.96.0.1-10.207.15.23
>     keyexchange=ikev2
>     left=10.207.15.85
>     leftsubnet=10.96.0.1
>     leftcert=peerCert.pem
>     right=10.207.15.23
>     rightsubnet=
>     leftid="C=US, O=Vertiv, CN=peer"
>     rightid="C=US, O=Vertiv, CN=peer"
> 
> # Worker ipsec.conf
> 
> config setup
>     strictcrlpolicy=no
>     charondebug="ike 4, knl 4, cfg 2"
>     uniqueids = no
> 
> conn %default
>     rekey=no
>     ike=aes256-sha256-modp2048
>     esp=aes256-sha256-modp2048
>     auto=start
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=restart
> 
> conn tunnel10.207.15.85-10.207.15.70
>     keyexchange=ikev2
>     right=10.207.15.85
>     rightsubnet=
>     left=10.207.15.70
>     leftsubnet=
>     leftcert=peerCert.pem
>     leftid="C=US, O=Vertiv, CN=peer"
>     rightid="C=US, O=Vertiv, CN=peer"
> 
> conn tunnel10.96.0.1-10.207.15.70
>     keyexchange=ikev2
>     right=10.207.15.85
>     rightsubnet=10.96.0.1
>     left=10.207.15.70
>     leftsubnet=
>     leftcert=peerCert.pem
>     leftid="C=US, O=Vertiv, CN=peer"
>     rightid="C=US, O=Vertiv, CN=peer"
> 

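A small checker, added here and not part of the thread or of strongSwan, that reads an ipsec.conf in the form quoted above, merges `conn %default` into every conn, and reports what a reader of the logs would want to know before posting: which charondebug subsystems sit above level 2 (Noel's point about verbosity; the threshold of 2 is an assumption, not a strongSwan rule) and which conns share one leftid/rightid pair, since such peers cannot be told apart by identity in the log. The embedded sample is a constructed, cut-down copy of the master's config; the function names are mine.

```python
# Added example (not from the thread or strongSwan): merge "conn %default" into each conn and flag
# charondebug levels above an assumed threshold of 2, plus conns sharing one leftid/rightid pair.
from collections import defaultdict

SAMPLE_CONF = """\
config setup
    charondebug="ike 4, knl 4, cfg 2"
    uniqueids = no
conn %default
    dpdaction=restart
conn tunnel10.207.15.85-10.207.15.70
    leftsubnet=
    right=10.207.15.70
    leftid="C=US, O=Vertiv, CN=peer"
    rightid="C=US, O=Vertiv, CN=peer"
conn tunnel10.207.15.85-10.207.15.23
    leftid="C=US, O=Vertiv, CN=peer"
    rightid="C=US, O=Vertiv, CN=peer"
"""  # constructed sample, cut down from the master's ipsec.conf quoted in the post

def parse_ipsec_conf(text):
    # Returns (setup settings, {conn name: settings}) with %default merged under each conn.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():  # section header: "config setup" or "conn NAME"
            kind, name = line.split(None, 1)
            current = sections.setdefault(name if kind == "conn" else kind, {})
        else:  # indented "key=value"; a bare "key=" yields an empty string
            key, _, val = line.partition("=")
            current[key.strip()] = val.strip().strip('"')
    default = sections.pop("%default", {})
    return sections.pop("config", {}), {n: {**default, **s} for n, s in sections.items()}

def verbose_debug_subsystems(setup, max_level=2):
    # Subsystems whose charondebug level exceeds max_level (the threshold is an assumption).
    out = {}
    for item in setup.get("charondebug", "").split(","):
        parts = item.split()
        if len(parts) == 2 and parts[1].isdigit() and int(parts[1]) > max_level:
            out[parts[0]] = int(parts[1])
    return out

def shared_identity_pairs(conns):
    # (leftid, rightid) pairs used by more than one conn: those peers look alike in logs by identity.
    by_ids = defaultdict(list)
    for name, c in conns.items():
        by_ids[(c.get("leftid"), c.get("rightid"))].append(name)
    return {ids: names for ids, names in by_ids.items() if len(names) > 1}
```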