[strongSwan] strongSwan and Meraki

Michael Schwartzkopff ms at sys4.de
Tue Mar 3 10:09:03 CET 2020


On 26.02.20 23:50, Mark wrote:
> Hi,
>
> I have a couple of random seeming problems between Meraki MX devices and
> Strongswan via pfsense and I'm at a bit of a loss on how to gather more
> information. Hoping for some pointers here
>
> The Meraki side is their latest firmware and the pfsense is running
> FreeBSD strongSwan U5.7.1/K11.2-RELEASE-p10. I have several sets of
> these VPNs but the most problematic one has around 40 phase 1 peers,
> each with 2 or 3 phase 2 configurations, this is on a single pfsense
> instance with the 40 phase 1 peers being mx devices on the internet.
>
> These are all IKEv1 configurations.
>
> For the most part, we have solid and reliable VPNs among the devices,
> but sometimes the two endpoints appear to get out of sync. This can
> happen every few days or it can happen every couple of hours.
>
> I see instances of the strongswan side successfully rekeying, but the
> Meraki side logging an SPI expiration and never having logged an
> established event for that same SPI. The result is that the pfsense side
> will send traffic forever but the MX apparently just discards the
> incoming traffic.
>
> In other instances, I will see sometimes 5 or 6 phase 2 SPI pairs for
> the same network set on the same connection
>
> In either of these two cases, my operational symptom will be that
> traffic is not passing. In both cases, an ipsec down connection &&
> ipsec up connection makes traffic flow again.
>
> I've engaged Meraki many times including as the problems are happening,
> and I always get an inconclusive answer/ no answer.
>
> This is an example config, they're generally all the same for the
> different phase 1 and phase 2 connections
>
> conn con1000
>         fragmentation = yes
>         keyexchange = ikev1
>         reauth = yes
>         forceencaps = yes
>         mobike = no
>
>         rekey = yes
>         installpolicy = yes
>         type = tunnel
>         dpdaction = restart
>         dpddelay = 10s
>         dpdtimeout = 60s
>         auto = route
>         left = leftnet
>         right = rghtnet
>         leftid = leftid
>         ikelifetime = 28800s
>         lifetime = 3600s
>         ike = aes256-sha1-modp1024!
>         esp = aes256-sha1,aes192-sha1,aes128-sha1!
>         leftauth = psk
>         rightauth = psk
>         rightid = rightid
>         aggressive = no
>         rightsubnet = 10.1.1.0/24
>         leftsubnet = 10.10.1.0/24
>
>
> I suspect that some of my problems might be related to delivery problems
> for the encapsulated packets over the internet but I don't know how I
> can go about knowing that. I have the ability to capture packets on the
> wan side of the pfsense/strongswan devices, but I don't quite know what
> I'm looking for in the network traffic.
>
> Any pointers to help me get the data I need to make these tunnels way
> more reliable?
>
> Thanks
>
> Mark


Please send logs of both sides during an outage.

Mit freundlichen Grüßen,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
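Once the charon logs from an outage are in hand, the two symptoms Mark describes (a rekey the peer never acknowledged, and several phase 2 SPI pairs piled up for one traffic selector) can be pulled out of them mechanically. The script below is an added example, not part of the original thread and not strongSwan project code: it replays "CHILD_SA ... established with SPIs ..." and "closing CHILD_SA ..." lines, keeps the set of CHILD_SAs still installed per connection and traffic selector, flags any that have more than a normal rekey overlap, and builds an SPI index so a peer's "SPI expired" message can be matched to the local SA it refers to. The log lines are constructed for the example and modelled on charon's message format; the connection names, SPIs and subnets are invented.

```python
"""Added example: mine charon log lines for phase 2 (CHILD_SA) state.

Not from the original mailing-list thread or from strongSwan itself; the
sample log below is constructed, modelled on charon's own message format.
"""
import re
from collections import defaultdict

# charon reports a new CHILD_SA as
#   CHILD_SA <conn>{<id>} established with SPIs <in>_i <out>_o and TS <local> === <remote>
# and a teardown as
#   closing CHILD_SA <conn>{<id>} with SPIs <in>_i (<n> bytes) <out>_o (<n> bytes) and TS ...
ESTABLISHED = re.compile(
    r"CHILD_SA (?P<conn>[^\s{]+)\{(?P<id>\d+)\} established with SPIs "
    r"(?P<spi_i>[0-9a-f]{8})_i (?P<spi_o>[0-9a-f]{8})_o and TS (?P<ts>.+?)\s*$"
)
CLOSING = re.compile(
    r"closing CHILD_SA (?P<conn>[^\s{]+)\{(?P<id>\d+)\} with SPIs "
    r"(?P<spi_i>[0-9a-f]{8})_i(?: \(\d+ bytes\))? "
    r"(?P<spi_o>[0-9a-f]{8})_o(?: \(\d+ bytes\))?"
)

# Constructed sample: con1000 rekeys cleanly ({12} replaced by {13});
# con1001 keeps establishing new SAs without ever closing the old ones.
SAMPLE_LOG = """\
Mar  3 09:00:01 pfsense charon: 12[IKE] <con1000|5> CHILD_SA con1000{12} established with SPIs c1a2b3d4_i e5f6a7b8_o and TS 10.10.1.0/24 === 10.1.1.0/24
Mar  3 09:55:00 pfsense charon: 09[IKE] <con1000|5> CHILD_SA con1000{13} established with SPIs 0a0b0c0d_i 1a1b1c1d_o and TS 10.10.1.0/24 === 10.1.1.0/24
Mar  3 09:55:01 pfsense charon: 09[IKE] <con1000|5> closing CHILD_SA con1000{12} with SPIs c1a2b3d4_i (123456 bytes) e5f6a7b8_o (654321 bytes) and TS 10.10.1.0/24 === 10.1.1.0/24
Mar  3 09:10:00 pfsense charon: 07[IKE] <con1001|6> CHILD_SA con1001{20} established with SPIs 20202020_i 21212121_o and TS 10.10.2.0/24 === 10.1.2.0/24
Mar  3 10:05:00 pfsense charon: 07[IKE] <con1001|6> CHILD_SA con1001{21} established with SPIs 22222222_i 23232323_o and TS 10.10.2.0/24 === 10.1.2.0/24
Mar  3 11:00:00 pfsense charon: 11[IKE] <con1001|6> CHILD_SA con1001{22} established with SPIs 24242424_i 25252525_o and TS 10.10.2.0/24 === 10.1.2.0/24
Mar  3 11:55:00 pfsense charon: 11[IKE] <con1001|6> CHILD_SA con1001{23} established with SPIs 26262626_i 27272727_o and TS 10.10.2.0/24 === 10.1.2.0/24
"""


def track_child_sas(log_text):
    """Replay the log; return {(conn, ts): {id: (spi_in, spi_out)}} of SAs still installed."""
    live = defaultdict(dict)
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            live[(m["conn"], m["ts"])][int(m["id"])] = (m["spi_i"], m["spi_o"])
            continue
        m = CLOSING.search(line)
        if m:
            # The closing line carries the same {id}; drop it wherever it lives.
            for (conn, _ts), sas in live.items():
                if conn == m["conn"]:
                    sas.pop(int(m["id"]), None)
    return {key: sas for key, sas in live.items() if sas}


def piled_up(log_text, max_live=2):
    """Return (conn, ts) entries holding more CHILD_SAs than a rekey overlap explains.

    During a normal rekey the old and new SA coexist briefly, so two is
    expected; anything beyond that is the 'several SPI pairs' symptom.
    """
    return {key: sorted(sas.items())
            for key, sas in track_child_sas(log_text).items()
            if len(sas) > max_live}


def spi_owner(log_text):
    """Map every SPI ever established to (conn, id).

    Useful to check whether the SPI a peer reports as expired was ever
    established locally, and which CHILD_SA it belonged to.
    """
    owners = {}
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            owners[m["spi_i"]] = (m["conn"], int(m["id"]))
            owners[m["spi_o"]] = (m["conn"], int(m["id"]))
    return owners


if __name__ == "__main__":
    for (conn, ts), sas in piled_up(SAMPLE_LOG).items():
        print(f"{conn} {ts}: {len(sas)} CHILD_SAs installed")
        for sa_id, (spi_i, spi_o) in sas:
            print(f"  {{{sa_id}}} in={spi_i} out={spi_o}")
```

Run it against /var/log/ipsec.log (or whatever file pfSense writes charon output to) instead of SAMPLE_LOG; when the Meraki side logs an SPI expiration, look the SPI up in spi_owner() to see whether it matches a CHILD_SA this side still considers live, which is the "rekeyed here, never established there" case.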
