Hey,

I've been experiencing a problem with re-authentication and tun devices. Both ends of the VPN are running Strongswan 5.2.0dr6 on FreeBSD 10.0, with one end configured as a road warrior.

static endpoint - ipsec.conf:
  config setup

  conn %default
    ikelifetime=480m
    keyexchange=ikev2
    keyingtries=1
    keylife=20m
    rekeymargin=3m

  conn vpn
    auto=add
    left=192.168.1.24
    leftauth=pubkey
    leftcert=vpn.example.com.pem
    leftid="CN=vpn.example.com"
    leftsubnet=192.168.1.0/24
    right=%any
    rightauth=pubkey
    rightid=%any
    rightsourceip=192.168.254.0/24
    type=tunnel

roadwarrior - ipsec.conf:
  config setup
    charondebug="lib 4"

  conn %default
    ikelifetime=10m
    keyexchange=ikev2
    keyingtries=1
    keylife=5m
    rekeymargin=3m

  conn vpn
    auto=add
    left=%any
    [email protected]
    leftsourceip=%config
    right=xx.xx.39.13
    rightid="CN=vpn.example.com"
    rightsubnet=192.168.1.0/24
    type=tunnel

The problem appears to be related specifically to when reauthentication happens. The following is reported on the roadwarrior when that kicks in:

16[KNL] unable to query SAD entry with SPI c1cf75d3: No such file or directory (2)
16[IKE] reauthenticating IKE_SA vpn[1]
16[IKE] deleting IKE_SA vpn[1] between xx.xx.147.104[[email protected], [email protected]]...xx.xx.39.13[CN=vpn.example.com]
16[IKE] sending DELETE for IKE_SA vpn[1]
16[ENC] generating INFORMATIONAL request 3 [ D ]
16[NET] sending packet: from xx.xx.147.104[4500] to xx.xx.39.13[4500] (76 bytes)
16[NET] received packet: from xx.xx.39.13[4500] to xx.xx.147.104[4500] (76 bytes)
16[ENC] parsed INFORMATIONAL response 3 [ ]
16[IKE] IKE_SA deleted
16[IKE] installing new virtual IP 192.168.254.1
16[LIB] created TUN device: tun1
15[KNL] interface tun1 appeared
16[IKE] restarting CHILD_SA vpn
15[KNL] interface tun1 activated
16[IKE] initiating IKE_SA vpn[2] to xx.xx.39.13
16[LIB] size of DH secret exponent: 2047 bits
16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
16[NET] sending packet: from xx.xx.147.104[500] to xx.xx.39.13[500] (1132 bytes)
16[KNL] unable to delete SAD entry with SPI c1cf75d3: No such file or directory (2)
06[KNL] interface tun0 deactivated
07[NET] received packet: from xx.xx.39.13[500] to xx.xx.147.104[500] (465 bytes)
07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
07[IKE] local host is behind NAT, sending keep alives
07[IKE] remote host is behind NAT
07[IKE] received cert request for "CN=example.com certificate authority, [email protected]"
07[IKE] sending cert request for "CN=example.com certificate authority, [email protected]"
07[IKE] authentication of '[email protected], [email protected]' (myself) with RSA signature successful
07[IKE] sending end entity cert "[email protected], [email protected]"
07[IKE] establishing CHILD_SA vpn{1}
07[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
07[NET] sending packet: from xx.xx.147.104[4500] to xx.xx.39.13[4500] (2668 bytes)
07[NET] received packet: from xx.xx.39.13[4500] to xx.xx.147.104[4500] (2348 bytes)
07[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
07[IKE] received end entity cert "CN=vpn.example.com"
07[CFG]   using certificate "CN=vpn.example.com"
07[CFG] using trusted ca certificate "CN=example.com certificate authority, [email protected]"
07[CFG] checking certificate status of "CN=vpn.example.com"
07[CFG] certificate status is not available
07[CFG]   reached self-signed root ca with a path length of 0
07[IKE] authentication of 'CN=vpn.example.com' with RSA signature successful
07[IKE] IKE_SA vpn[2] established between xx.xx.147.104[[email protected], [email protected]]...xx.xx.39.13[CN=vpn.example.com]
07[IKE] scheduling reauthentication in 288s
07[IKE] maximum IKE_SA lifetime 468s
07[IKE] installing DNS server 192.168.1.13 via resolvconf
08[KNL] 192.168.254.1 disappeared from tun1
07[IKE] installing new virtual IP 192.168.254.1
08[KNL] interface tun1 deactivated
07[LIB] created TUN device: tun2
16[KNL] interface tun0 activated
16[KNL] fe80::f2de:f1ff:fead:512f appeared on tun0
05[KNL] 192.168.254.1 appeared on tun0
07[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
07[IKE] CHILD_SA vpn{1} established with SPIs c0f19027_i cd32d518_o and TS 192.168.254.1/32 === 192.168.1.0/24
07[IKE] received AUTH_LIFETIME of 28464s, reauthentication already scheduled in 288s
07[IKE] peer supports MOBIKE
05[IKE] sending address list update using MOBIKE
05[ENC] generating INFORMATIONAL request 2 [ N(ADD_4_ADDR) ]
05[NET] sending packet: from xx.xx.147.104[4500] to xx.xx.39.13[4500] (76 bytes)
05[NET] received packet: from xx.xx.39.13[4500] to xx.xx.147.104[4500] (76 bytes)
05[ENC] parsed INFORMATIONAL response 2 [ ]
05[IKE] sending keep alive to xx.xx.39.13[4500]
05[IKE] sending keep alive to xx.xx.39.13[4500]

$ ifconfig tun0
ifconfig: interface tun0 does not exist
$ ifconfig tun2
tun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::f2de:f1ff:fead:512f%tun2 prefixlen 64 scopeid 0x5
        inet 192.168.254.1 --> 192.168.254.1 netmask 0xffffffff
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 3865

I'm not sure of the importance of the 'unable to query/delete SAD entry' messages, but everything works fine until this reauth happens; then no traffic passes over the tunnel from the roadwarrior, although traffic from the static end of the VPN can still reach the roadwarrior. If I set ikelifetime=480m it will work flawlessly for that whole time, or if I set it to 10 minutes it'll work fine until the reauth. As best as I can tell, Strongswan attempts to kill off the original tun0 device and spin up the VIP on tun1, but then for some reason it kills that off too and activates tun2, yet reports the VIP was found on tun0, which no longer exists. I think it's getting confused about where that VIP is and where to route the traffic, since the tunnel stays up and continues to reauthenticate and spin up new tun devices until I drop it.

I've also noticed that just dropping the tunnel and bringing it back up (ipsec down, ipsec up) doesn't work either. Strongswan will attempt to use the next tun device but will report:

15[IKE] installing new virtual IP 192.168.254.1
15[LIB] created TUN device: tun11
14[KNL] interface tun0 activated
10[KNL] fe80::f2de:f1ff:fead:512f appeared on tun0
10[KNL] 192.168.254.1 appeared on tun0

The only way to get it back to a working state is to restart Strongswan so it will start over at tun0. Any ideas on what I can do to help track down where this problem is?

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
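One way to track down where the virtual IP ends up after each reauth, as an added example that is not part of the original post or of strongSwan: a small Python script that parses the charon [LIB]/[KNL] lines quoted above, follows the created/appeared/activated/deactivated lifecycle of each tun device, and flags two things the report describes: a device that is activated again after being deactivated without a new "created TUN device" event, and an address that appears on a device other than the most recently created one. The sample log is a constructed, condensed copy of the excerpt in the post; the event names and the "stale interface" heuristic are assumptions of this example.

```python
"""Track strongSwan tun device lifecycle in charon logs (added example, not strongSwan code)."""
import re
from typing import Dict, List, Optional, Tuple

# charon prefixes every line with "<thread>[<group>] "; strip that first.
_PREFIX = r"^\s*\d+\[[A-Z]+\]\s+"

# Only the [LIB]/[KNL] events that describe TUN device and address state
# (event names are this example's own labels, not strongSwan terms).
EVENT_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("created",     re.compile(_PREFIX + r"created TUN device: (?P<iface>tun\d+)")),
    ("appeared",    re.compile(_PREFIX + r"interface (?P<iface>tun\d+) appeared")),
    ("activated",   re.compile(_PREFIX + r"interface (?P<iface>tun\d+) activated")),
    ("deactivated", re.compile(_PREFIX + r"interface (?P<iface>tun\d+) deactivated")),
    ("addr_up",     re.compile(_PREFIX + r"(?P<addr>\S+) appeared on (?P<iface>tun\d+)")),
    ("addr_down",   re.compile(_PREFIX + r"(?P<addr>\S+) disappeared from (?P<iface>tun\d+)")),
]

Event = Tuple[str, str, Optional[str]]  # (kind, iface, address or None)

# Constructed sample: the tun-related lines from the reauth excerpt in the post, in order.
SAMPLE_LOG = """\
16[IKE] installing new virtual IP 192.168.254.1
16[LIB] created TUN device: tun1
15[KNL] interface tun1 appeared
15[KNL] interface tun1 activated
06[KNL] interface tun0 deactivated
08[KNL] 192.168.254.1 disappeared from tun1
07[IKE] installing new virtual IP 192.168.254.1
08[KNL] interface tun1 deactivated
07[LIB] created TUN device: tun2
16[KNL] interface tun0 activated
16[KNL] fe80::f2de:f1ff:fead:512f appeared on tun0
05[KNL] 192.168.254.1 appeared on tun0
"""


def parse_events(log_text: str) -> List[Event]:
    """Return the TUN-related events in a charon log, in order; other lines are skipped."""
    events: List[Event] = []
    for line in log_text.splitlines():
        for kind, pattern in EVENT_PATTERNS:
            m = pattern.match(line)
            if m:
                events.append((kind, m.group("iface"), m.groupdict().get("addr")))
                break
    return events


def analyze_tun_lifecycle(log_text: str) -> List[str]:
    """Flag interface/address events that contradict the expected device lifecycle.

    Heuristic (an assumption of this example): after "created TUN device: tunN"
    the virtual IP should land on tunN, and a device that was deactivated should
    not come back without a new "created" event.
    """
    findings: List[str] = []
    state: Dict[str, str] = {}          # iface -> "created" | "up" | "down"
    latest_created: Optional[str] = None
    for kind, iface, addr in parse_events(log_text):
        if kind == "created":
            state[iface] = "created"
            latest_created = iface
        elif kind in ("appeared", "activated"):
            if kind == "activated" and state.get(iface) == "down":
                findings.append(
                    f"{iface} activated after being deactivated, with no new "
                    f"'created TUN device' event (stale interface reused)")
            state[iface] = "up"
        elif kind == "deactivated":
            state[iface] = "down"
        elif kind == "addr_up":
            if latest_created is not None and iface != latest_created:
                findings.append(
                    f"{addr} appeared on {iface} but the most recently created "
                    f"TUN device is {latest_created}")
            if state.get(iface) == "down":
                findings.append(f"{addr} appeared on {iface}, which is deactivated")
        # addr_down needs no check: losing the address is expected during teardown.
    return findings


if __name__ == "__main__":
    for finding in analyze_tun_lifecycle(SAMPLE_LOG):
        print(finding)
```

Run against the excerpt, it reports tun0 being reactivated after its deactivation and both addresses landing on tun0 while tun2 is the latest device, which is exactly the mismatch the ifconfig output shows (tun0 does not exist, tun2 carries the VIP). Feeding it a longer charondebug capture with "knl 2" or "lib 2" raised would show whether the same pattern repeats on every reauth.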
