[strongSwan] strongSwan and Meraki

Mark lists at grybm.com
Thu Mar 5 17:54:11 CET 2020



On 3/3/2020 4:09 AM, Michael Schwartzkopff wrote:
> On 26.02.20 23:50, Mark wrote:
>> Hi,
>>
>> I have a couple of random-seeming problems between Meraki MX devices and
>> strongSwan via pfSense, and I'm at a bit of a loss on how to gather more
>> information. Hoping for some pointers here.
>>
>> Thanks
>>
>> Mark
>
> Please send logs of both sides during an outage.
>
> Mit freundlichen Grüßen,
>
Sure,

Part of my problem is how sparse the logs on the Meraki side are.


This is the lone log entry relating to the SPI that strongSwan says was
just rekeyed, and it comes about 30 seconds after the rekey. The
Meraki also attributes it to the wrong port, 500. I've confirmed in packet
captures that there are no packets leaving the strongSwan machine on
port 500 at this time.

I don't see an IPSEC-SA Established message for this SPI.

Feb 19 13:22:05 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel StrongSwan[500]->Meraki[500] spi=70683595(0x4368bcb)



On the pfSense side, I see:


Feb 19 13:21:35 pfsense charon: 16[CHD] <con41000|3509> CHILD_SA con41000{27919} state change: INSTALLED => REKEYING
Feb 19 13:21:35 pfsense charon: 16[IKE] <con41000|3509> queueing QUICK_MODE task
Feb 19 13:21:35 pfsense charon: 16[IKE] <con41000|3509> activating new tasks
Feb 19 13:21:35 pfsense charon: 16[IKE] <con41000|3509> activating QUICK_MODE task
Feb 19 13:21:35 pfsense charon: 16[ENC] <con41000|3509> generating QUICK_MODE request 2820287288 [ HASH SA No ID ID ]
Feb 19 13:21:35 pfsense charon: 16[NET] <con41000|3509> sending packet: from StrongSwan[4500] to Meraki[4500] (188 bytes)
Feb 19 13:21:35 pfsense charon: 16[NET] <con41000|3509> received packet: from Meraki[4500] to StrongSwan[4500] (172 bytes)
Feb 19 13:21:35 pfsense charon: 16[ENC] <con41000|3509> parsed QUICK_MODE response 2820287288 [ HASH SA No ID ID ]
Feb 19 13:21:35 pfsense charon: 16[CFG] <con41000|3509> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Feb 19 13:21:35 pfsense charon: 16[CHD] <con41000|3509> CHILD_SA con41000{27976} state change: CREATED => INSTALLING
Feb 19 13:21:35 pfsense charon: 16[CHD] <con41000|3509> using AES_CBC for encryption
Feb 19 13:21:35 pfsense charon: 16[CHD] <con41000|3509> using HMAC_SHA1_96 for integrity
Feb 19 13:21:35 pfsense charon: 16[CHD] <con41000|3509> adding inbound ESP SA
Feb 19 13:21:35 pfsense charon: 16[CHD] <con41000|3509> SPI 0xc57cb1e0, src Meraki dst StrongSwan
Feb 19 13:21:35 pfsense charon: 16[CHD] <con41000|3509> adding outbound ESP SA
Feb 19 13:21:35 pfsense charon: 16[CHD] <con41000|3509> SPI 0x04368bcb, src StrongSwan dst Meraki
Feb 19 13:21:35 pfsense charon: 16[IKE] <con41000|3509> CHILD_SA con41000{27976} established with SPIs c57cb1e0_i 04368bcb_o and TS 10.10.58.0/24|/0 === 10.41.1.0/24|/0
Feb 19 13:21:35 pfsense charon: 16[CHD] <con41000|3509> CHILD_SA con41000{27976} state change: INSTALLING => INSTALLED
Feb 19 13:21:35 pfsense charon: 16[CHD] <con41000|3509> CHILD_SA con41000{27919} state change: REKEYING => REKEYED
Feb 19 13:21:35 pfsense charon: 16[IKE] <con41000|3509> reinitiating already active tasks
Feb 19 13:21:35 pfsense charon: 16[IKE] <con41000|3509> QUICK_MODE task
Feb 19 13:21:35 pfsense charon: 16[ENC] <con41000|3509> generating QUICK_MODE request 2820287288 [ HASH ]
Feb 19 13:21:35 pfsense charon: 16[NET] <con41000|3509> sending packet: from StrongSwan[4500] to Meraki[4500] (60 bytes)

Feb 19 13:21:39 pfsense charon: 10[NET] <con41000|3509> received packet: from Meraki[4500] to StrongSwan[4500] (92 bytes)
Feb 19 13:21:39 pfsense charon: 10[ENC] <con41000|3509> parsed INFORMATIONAL_V1 request 3697651456 [ HASH N(DPD) ]
Feb 19 13:21:39 pfsense charon: 10[IKE] <con41000|3509> queueing ISAKMP_DPD task
Feb 19 13:21:39 pfsense charon: 10[IKE] <con41000|3509> activating ISAKMP_DPD task
Feb 19 13:21:39 pfsense charon: 10[ENC] <con41000|3509> generating INFORMATIONAL_V1 request 590966734 [ HASH N(DPD_ACK) ]
Feb 19 13:21:39 pfsense charon: 10[NET] <con41000|3509> sending packet: from StrongSwan[4500] to Meraki[4500] (92 bytes)
Feb 19 13:21:45 pfsense charon: 13[IKE] <con41000|3509> sending DPD request
Feb 19 13:21:45 pfsense charon: 13[IKE] <con41000|3509> queueing ISAKMP_DPD task
Feb 19 13:21:45 pfsense charon: 13[IKE] <con41000|3509> activating new tasks
Feb 19 13:21:45 pfsense charon: 13[IKE] <con41000|3509> activating ISAKMP_DPD task
Feb 19 13:21:45 pfsense charon: 13[ENC] <con41000|3509> generating INFORMATIONAL_V1 request 636601268 [ HASH N(DPD) ]
Feb 19 13:21:45 pfsense charon: 13[NET] <con41000|3509> sending packet: from StrongSwan[4500] to Meraki[4500] (92 bytes)
Feb 19 13:21:45 pfsense charon: 13[IKE] <con41000|3509> activating new tasks
Feb 19 13:21:45 pfsense charon: 13[IKE] <con41000|3509> nothing to initiate
Feb 19 13:21:45 pfsense charon: 13[NET] <con41000|3509> received packet: from Meraki[4500] to StrongSwan[4500] (172 bytes)
Feb 19 13:21:45 pfsense charon: 13[IKE] <con41000|3509> received retransmit of response with ID 2820287288, but next request already sent
Feb 19 13:21:45 pfsense charon: 13[NET] <con41000|3509> received packet: from Meraki[4500] to StrongSwan[4500] (92 bytes)
Feb 19 13:21:45 pfsense charon: 13[ENC] <con41000|3509> parsed INFORMATIONAL_V1 request 2399362346 [ HASH N(DPD_ACK) ]

At a network level, I'm wondering if a packet isn't getting to the
Meraki side. Perhaps a packet that is supposed to confirm the
establishment of the SPI. It's very difficult to capture traffic on the
Meraki side when this problem is happening, so I can't confirm this.

If anyone has any pointers on packet analysis for IPsec, that would be
appreciated.
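Added example (editor's code, not part of the post and not strongSwan or Meraki tooling): a small script that correlates the two logs above by ESP SPI, so the question "which CHILD_SA did the Meraki-side expiry belong to, how long after install did it happen, and do the ports Meraki reports match the ports charon actually used" can be answered mechanically instead of by eye. The sample lines are copied from the post (wrapped lines re-joined); the year 2020 is assumed because syslog timestamps carry none, and the Meraki line format is assumed to be exactly as pasted. It also emits a tcpdump/BPF expression that selects one SA on the wire, both as raw ESP (IP protocol 50, SPI at offset 20 assuming no IP options) and UDP-encapsulated on 4500 (SPI in the first four payload bytes; IKE packets carry a zero non-ESP marker there instead), which is what you would run on the pfSense side to see whether ESP for the new SPI is actually leaving and whether anything for it comes back.

```python
"""Correlate strongSwan (charon) CHILD_SA installs with Meraki 'IPsec-SA expired'
events by SPI.  Editor's example; sample lines are from the mailing-list post."""
import re
from datetime import datetime

YEAR = 2020  # assumption: syslog lines carry no year

# Constructed sample: the relevant charon lines from the post, re-joined.
CHARON_LOG = """\
Feb 19 13:21:35 pfsense charon: 16[CHD] <con41000|3509> CHILD_SA con41000{27919} state change: INSTALLED => REKEYING
Feb 19 13:21:35 pfsense charon: 16[NET] <con41000|3509> sending packet: from StrongSwan[4500] to Meraki[4500] (188 bytes)
Feb 19 13:21:35 pfsense charon: 16[CHD] <con41000|3509> SPI 0xc57cb1e0, src Meraki dst StrongSwan
Feb 19 13:21:35 pfsense charon: 16[CHD] <con41000|3509> SPI 0x04368bcb, src StrongSwan dst Meraki
Feb 19 13:21:35 pfsense charon: 16[IKE] <con41000|3509> CHILD_SA con41000{27976} established with SPIs c57cb1e0_i 04368bcb_o and TS 10.10.58.0/24|/0 === 10.41.1.0/24|/0
Feb 19 13:21:35 pfsense charon: 16[CHD] <con41000|3509> CHILD_SA con41000{27919} state change: REKEYING => REKEYED
"""

# Constructed sample: the single Meraki event from the post.
MERAKI_LOG = """\
Feb 19 13:22:05 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel StrongSwan[500]->Meraki[500] spi=70683595(0x4368bcb)
"""

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")
ESTAB_RE = re.compile(
    r"CHILD_SA (?P<child>\S+\{\d+\}) established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o")
NET_RE = re.compile(r"sending packet: from \S+\[(\d+)\] to \S+\[(\d+)\]")
EXPIRED_RE = re.compile(
    r"IPsec-SA expired: ESP/\w+ (?P<src>\S+)\[(?P<sport>\d+)\]->"
    r"(?P<dst>\S+)\[(?P<dport>\d+)\] spi=(?P<dec>\d+)\((?P<hex>0x[0-9a-fA-F]+)\)")


def parse_ts(line, year=YEAR):
    """Syslog 'Mon DD HH:MM:SS' prefix -> datetime, with the year supplied."""
    m = TS_RE.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def parse_charon_sas(text):
    """Return ({spi: {child, direction, installed}}, {(src_port, dst_port)}).
    Direction is from strongSwan's point of view: _i inbound, _o outbound."""
    sas, ports = {}, set()
    for line in text.splitlines():
        m = ESTAB_RE.search(line)
        if m:
            when = parse_ts(line)
            sas[int(m["spi_in"], 16)] = {"child": m["child"], "direction": "in", "installed": when}
            sas[int(m["spi_out"], 16)] = {"child": m["child"], "direction": "out", "installed": when}
        n = NET_RE.search(line)
        if n:  # ports charon really used for IKE (4500 here, i.e. NAT-T)
            ports.add((int(n.group(1)), int(n.group(2))))
    return sas, ports


def parse_meraki_expiries(text):
    """Pull 'IPsec-SA expired' events out of a Meraki event log export and
    check that the decimal and hex SPI the Meraki prints agree."""
    out = []
    for line in text.splitlines():
        m = EXPIRED_RE.search(line)
        if not m:
            continue
        dec, hx = int(m["dec"]), int(m["hex"], 16)
        out.append({"time": parse_ts(line), "spi": dec, "decimal_matches_hex": dec == hx,
                    "ports": (int(m["sport"]), int(m["dport"]))})
    return out


def correlate(sas, ike_ports, expiries):
    """For each Meraki expiry: owning CHILD_SA (if any), direction, seconds
    between charon installing the SA and the Meraki declaring it expired, and
    whether the ports the Meraki reports were ever used by charon."""
    findings = []
    for e in expiries:
        sa = sas.get(e["spi"])
        f = {"spi": f"0x{e['spi']:08x}", "meraki_ports": e["ports"],
             "ike_ports_seen": ike_ports, "port_mismatch": e["ports"] not in ike_ports}
        if sa is None:
            f.update(child=None, direction=None, seconds_since_install=None)
        else:
            f.update(child=sa["child"], direction=sa["direction"],
                     seconds_since_install=(e["time"] - sa["installed"]).total_seconds())
        findings.append(f)
    return findings


def bpf_filter_for_spi(spi):
    """tcpdump expression for one ESP SA: raw ESP (SPI at IP offset 20, assumes
    no IP options) or UDP-encapsulated ESP on 4500 (SPI in first 4 payload bytes)."""
    return (f"(ip proto 50 and ip[20:4] = 0x{spi:08x}) or "
            f"(udp port 4500 and udp[8:4] = 0x{spi:08x})")


if __name__ == "__main__":
    sas, ports = parse_charon_sas(CHARON_LOG)
    for f in correlate(sas, ports, parse_meraki_expiries(MERAKI_LOG)):
        print(f)
        print("capture with: tcpdump -ni <wan-if> '" + bpf_filter_for_spi(int(f["spi"], 16)) + "'")
```

On the sample above it reports that SPI 0x04368bcb is the outbound half of con41000{27976}, that the Meraki declared it expired 30 seconds after charon installed it, and that the (500, 500) port pair in the Meraki log never appears in charon's own send lines, which is the discrepancy the post points at; a matching tcpdump run on the WAN interface is the natural next step to see whether ESP with that SPI actually goes out and whether any comes back.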