[strongSwan] Services unreachable after first connection

Tobias Brunner tobias at strongswan.org
Wed Jun 10 10:40:35 CEST 2020


Hi Tas,

> If I stop the nmap loop cycle after a few ldapsearch runs I get
> problems: the connection to LDAP gets stuck and the nmap test reports port 389 as filtered.

Are new TCP connections created or is the same connection used for
several searches?  Are there constantly packets exchanged in these
tests?  If not, for how long is there no traffic?

> I noticed that port 389 is unreachable for exactly 300 seconds; after
> that nmap detects it as open again.

Interesting.  Maybe some 5 minute client-IP block after certain traffic
patterns?  Or perhaps some timeout.

> I added some debug parameters to my ipsec.conf file (charondebug="ike 2,
> knl 2, cfg 2") but I didn't notice anything significant when the LDAP
> connection gets stuck or opens again after 5 minutes.

OK, so no MOBIKE update or DPD or rekeying.

> Could it be anything related to some DPD or keepalive feature?

Depends on what exactly is going on.  It definitely sounds like a
firewall issue (either affecting the ESP packets or traffic after the
tunnel).  You'd have to debug where exactly packets get stuck (e.g.
whether ESP packets are sent, if they reach the peer or where they are
dropped, how far decrypted TCP packets get, if a response is sent, if
that's encapsulated in ESP again, where those may get dropped and so
on).  Use packet counters or captures to do so.

Regards,
Tobias
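The "use packet counters" step above, worked through as an added example (not code from this thread or from strongSwan): two snapshots of `ip -s xfrm state` taken before and during the stall are parsed, the per-SA packet counters are diffed per direction, and the result says which side of the tunnel to capture on next. The snapshot text, the addresses, the SPIs and the `LOCAL_IP` constant are all constructed for the example and trimmed to the lines the parser needs; on a real host you would feed in the full command output from both moments.

```python
"""Diff per-SA packet counters from two `ip -s xfrm state` snapshots to see
in which direction ESP traffic stops.  Added example for this thread; it is
not strongSwan's code.  The snapshot text is constructed (trimmed to the
lines the parser needs); on a real host capture `ip -s xfrm state` before
and after reproducing the stall and feed both outputs in."""

import re
from dataclasses import dataclass
from typing import Dict

LOCAL_IP = "192.0.2.10"  # constructed: this host's own tunnel endpoint address

# Constructed snapshot taken before the stall.  0xc0000001 is our outbound SA
# (src is our address), 0xc0000002 the inbound one.
BEFORE = """\
src 192.0.2.10 dst 198.51.100.1
\tproto esp spi 0xc0000001 reqid 1 mode tunnel
\tlifetime config:
\t  limit: soft (INF)(bytes), hard (INF)(bytes)
\tlifetime current:
\t  4960(bytes), 31(packets)
src 198.51.100.1 dst 192.0.2.10
\tproto esp spi 0xc0000002 reqid 1 mode tunnel
\tlifetime config:
\t  limit: soft (INF)(bytes), hard (INF)(bytes)
\tlifetime current:
\t  4800(bytes), 30(packets)
"""

# Constructed snapshot taken while the LDAP connection hangs: we kept
# sending ESP, nothing came back.
AFTER = """\
src 192.0.2.10 dst 198.51.100.1
\tproto esp spi 0xc0000001 reqid 1 mode tunnel
\tlifetime config:
\t  limit: soft (INF)(bytes), hard (INF)(bytes)
\tlifetime current:
\t  6880(bytes), 43(packets)
src 198.51.100.1 dst 192.0.2.10
\tproto esp spi 0xc0000002 reqid 1 mode tunnel
\tlifetime config:
\t  limit: soft (INF)(bytes), hard (INF)(bytes)
\tlifetime current:
\t  4800(bytes), 30(packets)
"""

SA_RE = re.compile(r"^src (\S+) dst (\S+)$")          # start of one SA block
SPI_RE = re.compile(r"\bspi (0x[0-9a-fA-F]+)")        # "proto esp spi 0x..." line
CUR_RE = re.compile(r"^(\d+)\(bytes\), (\d+)\(packets\)$")  # counters under "lifetime current:"


@dataclass
class SaCounters:
    src: str
    dst: str
    spi: str
    packets: int


def parse_xfrm_state(text: str) -> Dict[str, SaCounters]:
    """Return {spi: SaCounters} from `ip -s xfrm state` output."""
    sas: Dict[str, SaCounters] = {}
    src = dst = spi = None
    in_current = False  # only read counters that follow "lifetime current:"
    for raw in text.splitlines():
        line = raw.strip()
        m = SA_RE.match(line)
        if m:
            src, dst = m.groups()
            spi = None
            in_current = False
            continue
        m = SPI_RE.search(line)
        if m and spi is None:
            spi = m.group(1)
            continue
        if line == "lifetime current:":
            in_current = True
            continue
        m = CUR_RE.match(line)
        if m and in_current and spi is not None:
            sas[spi] = SaCounters(src, dst, spi, int(m.group(2)))
            in_current = False
    return sas


def packet_deltas(before: Dict[str, SaCounters], after: Dict[str, SaCounters],
                  local_ip: str = LOCAL_IP) -> Dict[str, int]:
    """Sum the packet increments per direction between the two snapshots."""
    deltas = {"out": 0, "in": 0}
    for spi, sa in after.items():
        prev = before[spi].packets if spi in before else 0  # new SA: count from zero
        direction = "out" if sa.src == local_ip else "in"
        deltas[direction] += sa.packets - prev
    return deltas


def diagnose(deltas: Dict[str, int]) -> str:
    """Map the per-direction deltas to the next place worth capturing."""
    out, inc = deltas["out"], deltas["in"]
    if out == 0 and inc == 0:
        return "no ESP in either direction: traffic never matched the policy (check routes, policies, IKE SA state)"
    if out > 0 and inc == 0:
        return "ESP leaves this host but nothing returns: capture on the path and on the peer to see where ESP or the reply is dropped"
    if out == 0 and inc > 0:
        return "ESP arrives but none is sent: check decryption errors (/proc/net/xfrm_stat) and the host firewall on the plaintext side"
    return "ESP flows both ways: the problem is after decryption (TCP state, host firewall, the LDAP service itself)"


if __name__ == "__main__":
    d = packet_deltas(parse_xfrm_state(BEFORE), parse_xfrm_state(AFTER))
    print(d, "->", diagnose(d))
```

With the constructed snapshots the outbound SA grows by 12 packets while the inbound one stays flat, so the script points at the path and the peer rather than at this host; a real run would repeat the snapshot pair on the peer to find the hop where the counters stop moving.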

