[strongSwan] Stongswan and Meraki
ms at sys4.de
Tue Mar 3 10:09:03 CET 2020
On 26.02.20 23:50, Mark wrote:
> I have a couple of random seeming problems between Meraki MX devices and
> Strongswan via pfsense and I'm at a bit of a loss on how to gather more
> information. Hoping for some pointers here
> The Meraki side is their latest firmware and the pfsense is running
> FreeBSD strongSwan U5.7.1/K11.2-RELEASE-p10. I have several sets of
> these vpn's but the most problematic one has around 40 phase 1 peers,
> each with 2 or 3 phase 2 configurations, this is on a single pfsense
> instance with the 40 phase 1 peers being mx devices on the internet.
> These are all IKEv1 configurations.
> For the most part, we have solid and reliable VPN's among the devices,
> but sometimes the two endpoints appear to get out of sync. This can
> happen every few days or it can happen every couple of hours.
> I see instances of the strongswan side successfully rekeying, but the
> Meraki side logging an SPI expiration and never having logged an
> established event for that same SPI. The result is that the pfsense side
> will send traffic forever but the MX apparently just discards the
> incoming traffic.
> In other instances, I will see sometimes 5 or 6 phase 2 SPI pairs for
> the same network set on the same conneciton
> In either of these two cases, my operational symptom will be that
> traffic is not passing. In both cases, an ipsec down connection &&
> ipsec up connection makes traffic flow again.
> I've engaged Meraki many times including as the problems are happening,
> and I always get an inconclusive answer/ no answer.
> This is an example config, they're generally all the same for the
> different phase 1 and phase 2 connections
> conn con1000
> fragmentation = yes
> keyexchange = ikev1
> reauth = yes
> forceencaps = yes
> mobike = no
> rekey = yes
> installpolicy = yes
> type = tunnel
> dpdaction = restart
> dpddelay = 10s
> dpdtimeout = 60s
> auto = route
> left = leftnet
> right = rghtnet
> leftid = leftid
> ikelifetime = 28800s
> lifetime = 3600s
> ike = aes256-sha1-modp1024!
> esp = aes256-sha1,aes192-sha1,aes128-sha1!
> leftauth = psk
> rightauth = psk
> rightid = rightid
> aggressive = no
> rightsubnet = 10.1.1.0/24
> leftsubnet = 10.10.1.0/24
> I suspect that some of my problems might be related to delivery problems
> for the encapsulated packets over the internet but I don't know how I
> can go about knowing that. I have the ability to capture packets on the
> wan side of the pfsense/strongswan devices, but I don't quite know what
> I'm looking for in the network traffic.
> Any pointers to help me get the data I need to make these tunnels way
> more reliable?
Please send logs of both sides during an outage.
Mit freundlichen Grüßen,
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 228 bytes
Desc: OpenPGP digital signature
More information about the Users