[strongSwan] erratic disconnects from Alcatel DeskPhone VPN clients
Grischa Stegemann
gs at plusline.de
Mon Nov 30 12:11:15 CET 2020
Hello All
This is a follow-up to my problem with a bunch of Alcatel DeskPhones 8058s connecting to our StrongSwan using their built-in IPsec client with IKEv2 + MS-CHAP/EAP + PSK:
https://lists.strongswan.org/pipermail/users/2020-October/014761.html
After a successful test period with a small number of clients we started to bring more phones into production.
And now we see connections dropping every now and then followed by a reboot of the corresponding client phone.
We are not able to get any logging output from the phones. Their manual says that we need to have SA lifetimes > 60 minutes otherwise we might see the phones rebooting every hour. Of course we have specified long lifetimes for IKEv2 and IPSec, even tried to use 0 (unlimited) as well.
There is another hint in the phone's manual advising to configure a static virtual IP address in the VPN configuration of the phone in case of periodically rebooting phones.
So far I have not figured out how to set up our configuration to allow the IP address specified by the phones.
Below I have attached the complete log of the corresponding SA from its' initial installation at 9:07, doing a clean rekeying every 15min and then all of a sudden we are receiving a DELETE at 10:05 roughly 60minutes after the installation of the SA. After that the phone is going into a reboot cycle.
Two questions:
Does anyone have an idea about what might be going on in the phone's IPsec client? I assume that it might be a StrongSwan implementation as well but I do not know for sure.
Is there a way to use the eap_id received from the phone as the general remote id in order to configure a separate connection for a specific client (and to see it as the remote identifier in swanctl -l output)?
Thanks a whole lot in advance.
Regards
Grischa
connections {
ALCATEL-IKEV2 {
local_addrs = 0.0.0.0/0
remote_addrs = 0.0.0.0/0
pools = client_pool
version = 2
encap = yes
proposals = aes256-sha256-prfsha256-modp4096,aes256-sha256-prfsha256-modp2048s256,aes256-sha256-prfsha256-modp2048,aes256-sha1-modp1024,
dpd_delay = 90s
rekey_time = 12h
local {
id = @sipvpn.mydomain
auth = psk
}
remote-eap {
round = 0
eap_id = %any
auth = eap-mschapv2
}
remote-psk {
round = 1
id = %any
auth = psk
}
children {
ALCATEL-IPSEC {
local_ts = 0.0.0.0/0
esp_proposals = aes256-sha256-modp4096,aes256-sha256,aes256-sha1,3des-sha1
rekey_time = 90m
}
}
Nov 30 09:07:47 11[CFG] <ALCATEL-IKEV2|994> selected peer config 'ALCATEL-IKEV2'
Nov 30 09:07:47 11[IKE] <ALCATEL-IKEV2|994> initiating EAP_IDENTITY method (id 0x00)
Nov 30 09:07:47 11[IKE] <ALCATEL-IKEV2|994> peer supports MOBIKE
Nov 30 09:07:47 11[IKE] <ALCATEL-IKEV2|994> authentication of 'sipvpn.mydomain' (myself) with pre-shared key
Nov 30 09:07:47 11[ENC] <ALCATEL-IKEV2|994> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Nov 30 09:07:47 11[NET] <ALCATEL-IKEV2|994> sending packet: from Y.Y.Y.132[4500] to X.X.X.47[4500] (160 bytes)
Nov 30 09:07:48 08[NET] <ALCATEL-IKEV2|994> received packet: from X.X.X.47[4500] to Y.Y.Y.132[4500] (96 bytes)
Nov 30 09:07:48 08[ENC] <ALCATEL-IKEV2|994> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Nov 30 09:07:48 08[IKE] <ALCATEL-IKEV2|994> received EAP identity 'phone10 at mydomain'
Nov 30 09:07:48 08[IKE] <ALCATEL-IKEV2|994> initiating EAP_MSCHAPV2 method (id 0x9C)
Nov 30 09:07:48 08[ENC] <ALCATEL-IKEV2|994> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Nov 30 09:07:48 08[NET] <ALCATEL-IKEV2|994> sending packet: from Y.Y.Y.132[4500] to X.X.X.47[4500] (112 bytes)
Nov 30 09:07:48 13[NET] <ALCATEL-IKEV2|994> received packet: from X.X.X.47[4500] to Y.Y.Y.132[4500] (144 bytes)
Nov 30 09:07:48 13[ENC] <ALCATEL-IKEV2|994> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Nov 30 09:07:48 13[ENC] <ALCATEL-IKEV2|994> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Nov 30 09:07:48 13[NET] <ALCATEL-IKEV2|994> sending packet: from Y.Y.Y.132[4500] to X.X.X.47[4500] (144 bytes)
Nov 30 09:07:48 09[NET] <ALCATEL-IKEV2|994> received packet: from X.X.X.47[4500] to Y.Y.Y.132[4500] (80 bytes)
Nov 30 09:07:48 09[ENC] <ALCATEL-IKEV2|994> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Nov 30 09:07:48 09[IKE] <ALCATEL-IKEV2|994> EAP method EAP_MSCHAPV2 succeeded, MSK established
Nov 30 09:07:48 09[ENC] <ALCATEL-IKEV2|994> generating IKE_AUTH response 4 [ EAP/SUCC ]
Nov 30 09:07:48 09[NET] <ALCATEL-IKEV2|994> sending packet: from Y.Y.Y.132[4500] to X.X.X.47[4500] (80 bytes)
Nov 30 09:07:48 07[NET] <ALCATEL-IKEV2|994> received packet: from X.X.X.47[4500] to Y.Y.Y.132[4500] (128 bytes)
Nov 30 09:07:48 07[ENC] <ALCATEL-IKEV2|994> parsed IKE_AUTH request 5 [ AUTH N(AUTH_FOLLOWS) ]
Nov 30 09:07:48 07[IKE] <ALCATEL-IKEV2|994> authentication of '192.168.178.53' with EAP successful
Nov 30 09:07:48 07[IKE] <ALCATEL-IKEV2|994> authentication of 'sipvpn.mydomain' (myself) with EAP
Nov 30 09:07:48 07[ENC] <ALCATEL-IKEV2|994> generating IKE_AUTH response 5 [ AUTH ]
Nov 30 09:07:48 07[NET] <ALCATEL-IKEV2|994> sending packet: from Y.Y.Y.132[4500] to X.X.X.47[4500] (112 bytes)
Nov 30 09:07:48 15[NET] <ALCATEL-IKEV2|994> received packet: from X.X.X.47[4500] to Y.Y.Y.132[4500] (128 bytes)
Nov 30 09:07:48 15[ENC] <ALCATEL-IKEV2|994> parsed IKE_AUTH request 6 [ IDi AUTH ]
Nov 30 09:07:48 15[IKE] <ALCATEL-IKEV2|994> authentication of '192.168.178.53' with pre-shared key successful
Nov 30 09:07:48 15[IKE] <ALCATEL-IKEV2|994> IKE_SA ALCATEL-IKEV2[994] established between Y.Y.Y.132[sipvpn.mydomain]...X.X.X.47[192.168.178.53]
Nov 30 09:07:48 15[IKE] <ALCATEL-IKEV2|994> scheduling rekeying in 43150s
Nov 30 09:07:48 15[IKE] <ALCATEL-IKEV2|994> maximum IKE_SA lifetime 47470s
Nov 30 09:07:48 15[IKE] <ALCATEL-IKEV2|994> peer requested virtual IP %any
Nov 30 09:07:48 15[CFG] <ALCATEL-IKEV2|994> reassigning offline lease to '192.168.178.53'
Nov 30 09:07:48 15[IKE] <ALCATEL-IKEV2|994> assigning virtual IP 10.197.200.53 to peer '192.168.178.53'
Nov 30 09:07:48 15[CFG] <ALCATEL-IKEV2|994> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Nov 30 09:07:48 15[IKE] <ALCATEL-IKEV2|994> CHILD_SA ALCATEL-IPSEC{3439} established with SPIs c0e1d430_i c640aa90_o and TS 0.0.0.0/0 === 10.197.200.53/32
Nov 30 09:07:48 15[ENC] <ALCATEL-IKEV2|994> generating IKE_AUTH response 6 [ CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Nov 30 09:07:48 15[NET] <ALCATEL-IKEV2|994> sending packet: from Y.Y.Y.132[4500] to X.X.X.47[4500] (240 bytes)
Nov 30 09:23:00 09[NET] <ALCATEL-IKEV2|994> received packet: from X.X.X.47[4500] to Y.Y.Y.132[4500] (832 bytes)
Nov 30 09:23:00 09[ENC] <ALCATEL-IKEV2|994> parsed CREATE_CHILD_SA request 7 [ N(REKEY_SA) SA No KE TSi TSr ]
Nov 30 09:23:00 09[CFG] <ALCATEL-IKEV2|994> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
Nov 30 09:23:00 09[IKE] <ALCATEL-IKEV2|994> inbound CHILD_SA ALCATEL-IPSEC{3489} established with SPIs c7c1b532_i cd25b23c_o and TS 0.0.0.0/0 === 10.197.200.53/32
Nov 30 09:23:00 09[ENC] <ALCATEL-IKEV2|994> generating CREATE_CHILD_SA response 7 [ SA No KE TSi TSr ]
Nov 30 09:23:00 09[NET] <ALCATEL-IKEV2|994> sending packet: from Y.Y.Y.132[4500] to X.X.X.47[4500] (736 bytes)
Nov 30 09:23:04 09[NET] <ALCATEL-IKEV2|994> received packet: from X.X.X.47[4500] to Y.Y.Y.132[4500] (80 bytes)
Nov 30 09:23:04 09[ENC] <ALCATEL-IKEV2|994> parsed INFORMATIONAL request 8 [ D ]
Nov 30 09:23:04 09[IKE] <ALCATEL-IKEV2|994> received DELETE for ESP CHILD_SA with SPI c640aa90
Nov 30 09:23:04 09[IKE] <ALCATEL-IKEV2|994> closing CHILD_SA ALCATEL-IPSEC{3439} with SPIs c0e1d430_i (21506 bytes) c640aa90_o (25188 bytes) and TS 0.0.0.0/0 === 10.197.200.53/32
Nov 30 09:23:04 09[IKE] <ALCATEL-IKEV2|994> sending DELETE for ESP CHILD_SA with SPI c0e1d430
Nov 30 09:23:04 09[IKE] <ALCATEL-IKEV2|994> CHILD_SA closed
Nov 30 09:23:04 09[IKE] <ALCATEL-IKEV2|994> outbound CHILD_SA ALCATEL-IPSEC{3489} established with SPIs c7c1b532_i cd25b23c_o and TS 0.0.0.0/0 === 10.197.200.53/32
Nov 30 09:23:04 09[ENC] <ALCATEL-IKEV2|994> generating INFORMATIONAL response 8 [ D ]
Nov 30 09:23:04 09[NET] <ALCATEL-IKEV2|994> sending packet: from Y.Y.Y.132[4500] to X.X.X.47[4500] (80 bytes)
Nov 30 09:38:11 10[NET] <ALCATEL-IKEV2|994> received packet: from X.X.X.47[4500] to Y.Y.Y.132[4500] (832 bytes)
Nov 30 09:38:11 10[ENC] <ALCATEL-IKEV2|994> parsed CREATE_CHILD_SA request 9 [ N(REKEY_SA) SA No KE TSi TSr ]
Nov 30 09:38:12 10[CFG] <ALCATEL-IKEV2|994> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
Nov 30 09:38:12 10[IKE] <ALCATEL-IKEV2|994> inbound CHILD_SA ALCATEL-IPSEC{3542} established with SPIs c490473a_i cea2e9c9_o and TS 0.0.0.0/0 === 10.197.200.53/32
Nov 30 09:38:12 10[ENC] <ALCATEL-IKEV2|994> generating CREATE_CHILD_SA response 9 [ SA No KE TSi TSr ]
Nov 30 09:38:12 10[NET] <ALCATEL-IKEV2|994> sending packet: from Y.Y.Y.132[4500] to X.X.X.47[4500] (736 bytes)
Nov 30 09:38:16 13[NET] <ALCATEL-IKEV2|994> received packet: from X.X.X.47[4500] to Y.Y.Y.132[4500] (80 bytes)
Nov 30 09:38:16 13[ENC] <ALCATEL-IKEV2|994> parsed INFORMATIONAL request 10 [ D ]
Nov 30 09:38:16 13[IKE] <ALCATEL-IKEV2|994> received DELETE for ESP CHILD_SA with SPI cd25b23c
Nov 30 09:38:16 13[IKE] <ALCATEL-IKEV2|994> closing CHILD_SA ALCATEL-IPSEC{3489} with SPIs c7c1b532_i (19980 bytes) cd25b23c_o (19980 bytes) and TS 0.0.0.0/0 === 10.197.200.53/32
Nov 30 09:38:16 13[IKE] <ALCATEL-IKEV2|994> sending DELETE for ESP CHILD_SA with SPI c7c1b532
Nov 30 09:38:16 13[IKE] <ALCATEL-IKEV2|994> CHILD_SA closed
Nov 30 09:38:16 13[IKE] <ALCATEL-IKEV2|994> outbound CHILD_SA ALCATEL-IPSEC{3542} established with SPIs c490473a_i cea2e9c9_o and TS 0.0.0.0/0 === 10.197.200.53/32
Nov 30 09:38:16 13[ENC] <ALCATEL-IKEV2|994> generating INFORMATIONAL response 10 [ D ]
Nov 30 09:38:16 13[NET] <ALCATEL-IKEV2|994> sending packet: from Y.Y.Y.132[4500] to X.X.X.47[4500] (80 bytes)
Nov 30 09:53:27 09[NET] <ALCATEL-IKEV2|994> received packet: from X.X.X.47[4500] to Y.Y.Y.132[4500] (832 bytes)
Nov 30 09:53:27 09[ENC] <ALCATEL-IKEV2|994> parsed CREATE_CHILD_SA request 11 [ N(REKEY_SA) SA No KE TSi TSr ]
Nov 30 09:53:27 09[CFG] <ALCATEL-IKEV2|994> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
Nov 30 09:53:27 09[IKE] <ALCATEL-IKEV2|994> inbound CHILD_SA ALCATEL-IPSEC{3589} established with SPIs cb66feb5_i cc342780_o and TS 0.0.0.0/0 === 10.197.200.53/32
Nov 30 09:53:27 09[ENC] <ALCATEL-IKEV2|994> generating CREATE_CHILD_SA response 11 [ SA No KE TSi TSr ]
Nov 30 09:53:27 09[NET] <ALCATEL-IKEV2|994> sending packet: from Y.Y.Y.132[4500] to X.X.X.47[4500] (736 bytes)
Nov 30 09:53:31 11[NET] <ALCATEL-IKEV2|994> received packet: from X.X.X.47[4500] to Y.Y.Y.132[4500] (80 bytes)
Nov 30 09:53:31 11[ENC] <ALCATEL-IKEV2|994> parsed INFORMATIONAL request 12 [ D ]
Nov 30 09:53:31 11[IKE] <ALCATEL-IKEV2|994> received DELETE for ESP CHILD_SA with SPI cea2e9c9
Nov 30 09:53:31 11[IKE] <ALCATEL-IKEV2|994> closing CHILD_SA ALCATEL-IPSEC{3542} with SPIs c490473a_i (20069 bytes) cea2e9c9_o (20069 bytes) and TS 0.0.0.0/0 === 10.197.200.53/32
Nov 30 09:53:31 11[IKE] <ALCATEL-IKEV2|994> sending DELETE for ESP CHILD_SA with SPI c490473a
Nov 30 09:53:31 11[IKE] <ALCATEL-IKEV2|994> CHILD_SA closed
Nov 30 09:53:31 11[IKE] <ALCATEL-IKEV2|994> outbound CHILD_SA ALCATEL-IPSEC{3589} established with SPIs cb66feb5_i cc342780_o and TS 0.0.0.0/0 === 10.197.200.53/32
Nov 30 09:53:31 11[ENC] <ALCATEL-IKEV2|994> generating INFORMATIONAL response 12 [ D ]
Nov 30 09:53:31 11[NET] <ALCATEL-IKEV2|994> sending packet: from Y.Y.Y.132[4500] to X.X.X.47[4500] (80 bytes)
Nov 30 10:05:21 06[NET] <ALCATEL-IKEV2|994> received packet: from X.X.X.47[4500] to Y.Y.Y.132[4500] (80 bytes)
Nov 30 10:05:21 06[ENC] <ALCATEL-IKEV2|994> parsed INFORMATIONAL request 13 [ D ]
Nov 30 10:05:21 06[IKE] <ALCATEL-IKEV2|994> received DELETE for IKE_SA ALCATEL-IKEV2[994]
Nov 30 10:05:21 06[IKE] <ALCATEL-IKEV2|994> deleting IKE_SA ALCATEL-IKEV2[994] between Y.Y.Y.132[sipvpn.mydomain]...X.X.X.47[192.168.178.53]
Nov 30 10:05:21 06[IKE] <ALCATEL-IKEV2|994> IKE_SA deleted
Nov 30 10:05:21 06[ENC] <ALCATEL-IKEV2|994> generating INFORMATIONAL response 13 [ ]
Nov 30 10:05:21 06[NET] <ALCATEL-IKEV2|994> sending packet: from Y.Y.Y.132[4500] to X.X.X.47[4500] (80 bytes)
Nov 30 10:05:21 06[CFG] <ALCATEL-IKEV2|994> lease 10.197.200.53 by '192.168.178.53' went offline
More information about the Users
mailing list