[strongSwan] Connectivity between Windows 2019 server and Ubuntu 16.04 stops; can TS be explicitly specified

Karuna Sagar Krishna karunasagark at gmail.com
Thu Sep 3 22:55:11 CEST 2020


Hi,

I'm setting up an IPSec connection between a bunch of nodes, some running
Windows 2019 datacenter server and others running Ubuntu 16.04 LTS. I'm
using Windows built-in firewall to configure IPSec and Strongswan (Linux
strongSwan U5.3.5/K4.15.0-1091-azure) on the Ubuntu nodes. Given the nature
of the environment, I need to configure a point-to-point IPSec connection,
i.e. transport mode. And we need the IPSec to apply for all traffic between
the nodes, i.e. all protocols and ports. The traffic can be initiated from
either the Windows or the Linux node.

We have noticed that under certain circumstances, the connectivity stops working
between the Windows and Linux nodes. The issue is intermittent and possibly
coincides with execution of the ipsec reload command, used when we make changes in
the ipsec.conf file. We haven't seen this between Linux nodes. From the
syslog, we see the TS_UNACCEPT error. One of the Windows experts in the team
captured netsh logs and he mentioned that the Linux node is sending a
traffic selector with UDP protocol port 1025 specifically, which is
probably leading to TS_UNACCEPT. This is unexpected, since we are expecting
all protocols and ports to be under IPSec. However, I don't understand why this
is intermittent.

Is there a property to specify the traffic selector explicitly in
ipsec.conf?

*Error from Windows logs:*

[1]1310.06C0::08/18/2020-17:33:57.306 [ikeext] 14|10.0.0.20|TS: 10.0.0.10.1025 - 10.0.0.10.1025 Protocol 17

*IPSec.conf file:*

config setup
  uniqueids=never

conn %default
  auto=route
  keyexchange=ikev2
  type=transport
  ike=aes256-sha2_256-modp2048!
  ikelifetime=30m
  esp=aes256-sha2_256!
  lifetime=30m
  rightca=%same
  left=10.0.0.18
  leftcert=ABC.crt
  rightcert=ABC.crt
  rightid="CN=EXAMPLE"


conn gw0-ipsec.net
  right=10.0.0.17