Configuration

* strongSwan version 5.3.0 on CentOS 6.6 for both Initiator and Responder.
* In /etc/strongswan/strongswan.d/charon.conf, set "make_before_break = yes" on both Initiator and Responder (the Responder also has cisco_unity = yes, but that should not be relevant).
* In /etc/strongswan/strongswan.d/charon/resolv.conf, set "file = /etc/resolv.conf" on the Initiator only.
* Using the default up/down script, /usr/libexec/strongswan/_updown.

Problem

The Initiator establishes an IKEv2 tunnel with the Responder, which operates correctly until the first "reauthenticating IKE_SA" event occurs, i.e. when the IKE lifetime expires. With the default value for ikelifetime this occurs 2.5 - 3 hours after initial tunnel establishment. After re-authentication completes, the tunnel continues to work correctly except that DNS is now incorrectly configured on the Initiator, causing DNS name resolution to fail.

Details

/etc/resolv.conf on the Initiator after the tunnel is established; 10.8.194.96 is the correct DNS nameserver. Note there is a minor configuration bug on the Responder in that it sends the nameserver configuration twice; this does not seem to cause any operational problems.

[myaccount@initiator ~]$ cat /etc/resolv.conf
search domain.internal
# by edm-start-ipsec on Thu Nov 12 11:35:41 EST 2015
nameserver 10.8.194.96   # by strongSwan, from responder.domain.com
nameserver 10.8.194.96   # by strongSwan, from responder.domain.com
; generated by /sbin/dhclient-script
nameserver 10.0.1.1

/var/log/messages on the Initiator during IKE_SA re-authentication (timezone is EST):

Nov 11 20:02:51 initiator charon: 07[IKE] reauthenticating IKE_SA dm-psk[1]
Nov 11 20:02:51 initiator charon: 07[IKE] installing new virtual IP 10.255.252.2
Nov 11 20:02:51 initiator charon: 07[IKE] initiating IKE_SA dm-psk[2] to re.sp.on.der
Nov 11 20:02:51 initiator charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Nov 11 20:02:51 initiator charon: 07[NET] sending packet: from 10.0.1.36[4500] to re.sp.on.der[4500] (1436 bytes)
Nov 11 20:02:51 initiator charon: 04[NET] received packet: from re.sp.on.der[4500] to 10.0.1.36[4500] (456 bytes)
Nov 11 20:02:51 initiator charon: 04[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Nov 11 20:02:51 initiator charon: 04[IKE] local host is behind NAT, sending keep alives
Nov 11 20:02:51 initiator charon: 04[IKE] remote host is behind NAT
Nov 11 20:02:51 initiator charon: 04[IKE] authentication of 'my-user' (myself) with pre-shared key
Nov 11 20:02:51 initiator charon: 04[IKE] establishing CHILD_SA dm-psk
Nov 11 20:02:51 initiator charon: 04[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(AUTH_FOLLOWS) ]
Nov 11 20:02:51 initiator charon: 04[NET] sending packet: from 10.0.1.36[4500] to re.sp.on.der[4500] (428 bytes)
Nov 11 20:02:51 initiator charon: 06[NET] received packet: from re.sp.on.der[4500] to 10.0.1.36[4500] (124 bytes)
Nov 11 20:02:51 initiator charon: 06[ENC] parsed IKE_AUTH response 1 [ IDr AUTH ]
Nov 11 20:02:51 initiator charon: 06[IKE] authentication of 'responder.domain.com' with pre-shared key successful
Nov 11 20:02:51 initiator charon: 06[ENC] generating IKE_AUTH request 2 [ IDi ]
Nov 11 20:02:51 initiator charon: 06[NET] sending packet: from 10.0.1.36[4500] to re.sp.on.der[4500] (76 bytes)
Nov 11 20:02:51 initiator charon: 13[NET] received packet: from re.sp.on.der[4500] to 10.0.1.36[4500] (92 bytes)
Nov 11 20:02:51 initiator charon: 13[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/GTC ]
Nov 11 20:02:51 initiator charon: 13[IKE] server requested EAP_GTC authentication (id 0x79)
Nov 11 20:02:51 initiator charon: 13[ENC] generating IKE_AUTH request 3 [ EAP/RES/GTC ]
Nov 11 20:02:51 initiator charon: 13[NET] sending packet: from 10.0.1.36[4500] to re.sp.on.der[4500] (92 bytes)
Nov 11 20:02:51 initiator charon: 09[NET] received packet: from re.sp.on.der[4500] to 10.0.1.36[4500] (76 bytes)
Nov 11 20:02:51 initiator charon: 09[ENC] parsed IKE_AUTH response 3 [ EAP/SUCC ]
Nov 11 20:02:51 initiator charon: 09[IKE] EAP method EAP_GTC succeeded, no MSK established
Nov 11 20:02:51 initiator charon: 09[IKE] authentication of 'my-user' (myself) with EAP
Nov 11 20:02:51 initiator charon: 09[ENC] generating IKE_AUTH request 4 [ AUTH ]
Nov 11 20:02:51 initiator charon: 09[NET] sending packet: from 10.0.1.36[4500] to re.sp.on.der[4500] (92 bytes)
Nov 11 20:02:52 initiator charon: 15[NET] received packet: from re.sp.on.der[4500] to 10.0.1.36[4500] (300 bytes)
Nov 11 20:02:52 initiator charon: 15[ENC] parsed IKE_AUTH response 4 [ AUTH CPRP(ADDR U_SPLITINC U_LOCALLAN DNS U_DEFDOM DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Nov 11 20:02:52 initiator charon: 15[IKE] authentication of 'responder.domain.com' with EAP successful
Nov 11 20:02:52 initiator charon: 15[IKE] IKE_SA dm-psk[2] established between 10.0.1.36[my-user]...re.sp.on.der[responder.domain.com]
Nov 11 20:02:52 initiator charon: 15[IKE] scheduling reauthentication in 10092s
Nov 11 20:02:52 initiator charon: 15[IKE] maximum IKE_SA lifetime 10632s
Nov 11 20:02:52 initiator charon: 15[CFG] handling UNITY_SPLIT_INCLUDE attribute failed
Nov 11 20:02:52 initiator charon: 15[CFG] handling UNITY_LOCAL_LAN attribute failed
Nov 11 20:02:52 initiator charon: 15[IKE] installing DNS server 10.8.194.96 to /etc/resolv.conf
Nov 11 20:02:52 initiator charon: 15[CFG] handling UNITY_DEF_DOMAIN attribute failed
Nov 11 20:02:52 initiator charon: 15[IKE] installing DNS server 10.8.194.96 to /etc/resolv.conf
Nov 11 20:02:52 initiator charon: 15[IKE] installing new virtual IP 10.255.252.2
Nov 11 20:02:52 initiator charon: 15[IKE] CHILD_SA dm-psk{5} established with SPIs ce54cd29_i 759cb598_o and TS 10.255.252.2/32 === 10.8.192.0/19
Nov 11 20:02:52 initiator charon: 15[CHD] updown: /usr/libexec/strongswan/_updown: line 300: iptables: command not found
Nov 11 20:02:52 initiator charon: 15[CHD] updown: /usr/libexec/strongswan/_updown: line 303: iptables: command not found
Nov 11 20:02:52 initiator charon: 15[CHD] updown: /usr/libexec/strongswan/_updown: line 312: iptables: command not found
Nov 11 20:02:52 initiator charon: 15[CHD] updown: /usr/libexec/strongswan/_updown: line 315: iptables: command not found
Nov 11 20:02:52 initiator vpn: + responder.domain.com 10.8.192.0/19 == re.sp.on.der -- 10.0.1.36 == 10.255.252.2/32
Nov 11 20:02:52 initiator charon: 15[IKE] received AUTH_LIFETIME of 9930s, scheduling reauthentication in 9390s
Nov 11 20:02:52 initiator charon: 15[IKE] peer supports MOBIKE
Nov 11 20:02:52 initiator charon: 10[IKE] deleting IKE_SA dm-psk[1] between 10.0.1.36[my-user]...re.sp.on.der[responder.domain.com]
Nov 11 20:02:52 initiator charon: 10[IKE] sending DELETE for IKE_SA dm-psk[1]
Nov 11 20:02:52 initiator charon: 10[ENC] generating INFORMATIONAL request 12 [ D ]
Nov 11 20:02:52 initiator charon: 10[NET] sending packet: from 10.0.1.36[4500] to re.sp.on.der[4500] (76 bytes)
Nov 11 20:02:52 initiator charon: 14[NET] received packet: from re.sp.on.der[4500] to 10.0.1.36[4500] (76 bytes)
Nov 11 20:02:52 initiator charon: 14[ENC] parsed INFORMATIONAL response 12 [ ]
Nov 11 20:02:52 initiator charon: 14[IKE] IKE_SA deleted
Nov 11 20:02:52 initiator charon: 14[CHD] updown: /usr/libexec/strongswan/_updown: line 348: iptables: command not found
Nov 11 20:02:52 initiator charon: 14[CHD] updown: /usr/libexec/strongswan/_updown: line 352: iptables: command not found
Nov 11 20:02:52 initiator charon: 14[CHD] updown: /usr/libexec/strongswan/_updown: line 362: iptables: command not found
Nov 11 20:02:52 initiator charon: 14[CHD] updown: /usr/libexec/strongswan/_updown: line 366: iptables: command not found
Nov 11 20:02:52 initiator vpn: - responder.domain.com 10.8.192.0/19 == re.sp.on.der -- 10.0.1.36 == 10.255.252.2/32
Nov 11 20:02:52 initiator charon: 14[IKE] removing DNS server 10.8.194.96 from /etc/resolv.conf
Nov 11 20:02:52 initiator charon: 14[IKE] removing DNS server 10.8.194.96 from /etc/resolv.conf
Nov 11 20:02:52 initiator charon: 14[IKE] removing DNS server 10.8.194.96 from /etc/resolv.conf
Nov 11 20:02:52 initiator charon: 14[IKE] removing DNS server 10.8.194.96 from /etc/resolv.conf
Nov 11 20:03:15 initiator charon: 11[IKE] sending keep alive to re.sp.on.der[4500]
Nov 11 20:03:22 initiator charon: 04[IKE] sending DPD request

/etc/resolv.conf on the Initiator after IKE_SA re-authentication completes. Charon removed the name server configuration at datestamp "Nov 11 20:02:52" in the Initiator log above.

[myaccount@initiator ~]$ cat /etc/resolv.conf
search domain.internal
# by edm-start-ipsec on Wed Nov 11 17:24:56 EST 2015
; generated by /sbin/dhclient-script
nameserver 10.0.1.1

/var/log/messages on the Responder during IKE_SA re-authentication (timezone is UTC):

Nov 12 01:02:53 responder charon: 08[NET] received packet: from ini.ti.at.or[40720] to 10.8.193.69[4500] (1436 bytes)
Nov 12 01:02:53 responder charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Nov 12 01:02:53 responder charon: 08[IKE] ini.ti.at.or is initiating an IKE_SA
Nov 12 01:02:53 responder charon: 08[IKE] local host is behind NAT, sending keep alives
Nov 12 01:02:53 responder charon: 08[IKE] remote host is behind NAT
Nov 12 01:02:53 responder charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Nov 12 01:02:53 responder charon: 08[NET] sending packet: from 10.8.193.69[4500] to ini.ti.at.or[40720] (456 bytes)
Nov 12 01:02:53 responder charon: 15[NET] received packet: from ini.ti.at.or[40720] to 10.8.193.69[4500] (428 bytes)
Nov 12 01:02:53 responder charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(AUTH_FOLLOWS) ]
Nov 12 01:02:53 responder charon: 15[CFG] looking for peer configs matching 10.8.193.69[responder.domain.com]...ini.ti.at.or[my-user]
Nov 12 01:02:53 responder charon: 15[CFG] selected peer config 'endpoints'
Nov 12 01:02:53 responder charon: 15[IKE] authentication of 'my-user' with pre-shared key successful
Nov 12 01:02:53 responder charon: 15[CFG] constraint requires public key authentication, but pre-shared key was used
Nov 12 01:02:53 responder charon: 15[CFG] selected peer config 'endpoints' inacceptable: non-matching authentication done
Nov 12 01:02:53 responder charon: 15[CFG] switching to peer config 'rw-ikev2-psk'
Nov 12 01:02:53 responder charon: 15[IKE] peer supports MOBIKE
Nov 12 01:02:53 responder charon: 15[IKE] authentication of 'responder.domain.com' (myself) with pre-shared key
Nov 12 01:02:53 responder charon: 15[ENC] generating IKE_AUTH response 1 [ IDr AUTH ]
Nov 12 01:02:53 responder charon: 15[NET] sending packet: from 10.8.193.69[4500] to ini.ti.at.or[40720] (124 bytes)
Nov 12 01:02:53 responder charon: 10[NET] received packet: from ini.ti.at.or[40720] to 10.8.193.69[4500] (76 bytes)
Nov 12 01:02:53 responder charon: 10[ENC] parsed IKE_AUTH request 2 [ IDi ]
Nov 12 01:02:53 responder charon: 10[IKE] initiating EAP_GTC method (id 0x79)
Nov 12 01:02:53 responder charon: 10[ENC] generating IKE_AUTH response 2 [ EAP/REQ/GTC ]
Nov 12 01:02:53 responder charon: 10[NET] sending packet: from 10.8.193.69[4500] to ini.ti.at.or[40720] (92 bytes)
Nov 12 01:02:53 responder charon: 12[NET] received packet: from ini.ti.at.or[40720] to 10.8.193.69[4500] (92 bytes)
Nov 12 01:02:53 responder charon: 12[ENC] parsed IKE_AUTH request 3 [ EAP/RES/GTC ]
Nov 12 01:02:54 responder charon: 12[IKE] PAM authentication of 'my-user' successful
Nov 12 01:02:54 responder charon: 12[IKE] EAP method EAP_GTC succeeded, no MSK established
Nov 12 01:02:54 responder charon: 12[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
Nov 12 01:02:54 responder charon: 12[NET] sending packet: from 10.8.193.69[4500] to ini.ti.at.or[40720] (76 bytes)
Nov 12 01:02:54 responder charon: 13[NET] received packet: from ini.ti.at.or[40720] to 10.8.193.69[4500] (92 bytes)
Nov 12 01:02:54 responder charon: 13[ENC] parsed IKE_AUTH request 4 [ AUTH ]
Nov 12 01:02:54 responder charon: 13[IKE] authentication of 'my-user' with EAP successful
Nov 12 01:02:54 responder charon: 13[IKE] authentication of 'responder.domain.com' (myself) with EAP
Nov 12 01:02:54 responder charon: 13[IKE] IKE_SA rw-ikev2-psk[4] established between 10.8.193.69[responder.domain.com]...ini.ti.at.or[my-user]
Nov 12 01:02:54 responder charon: 13[IKE] scheduling reauthentication in 9930s
Nov 12 01:02:54 responder charon: 13[IKE] maximum IKE_SA lifetime 10470s
Nov 12 01:02:54 responder charon: 13[IKE] peer requested virtual IP 10.255.252.2
Nov 12 01:02:54 responder charon: 13[CFG] reassigning online lease to 'my-user'
Nov 12 01:02:54 responder charon: 13[IKE] assigning virtual IP 10.255.252.2 to peer 'my-user'
Nov 12 01:02:54 responder charon: 13[IKE] CHILD_SA rw-ikev2-psk{7} established with SPIs 759cb598_i ce54cd29_o and TS 10.8.192.0/19 === 10.255.252.2/32
Nov 12 01:02:54 responder vpn: + my-user 10.255.252.2/32 == ini.ti.at.or -- 10.8.193.69 == 10.8.192.0/19
Nov 12 01:02:54 responder charon: 13[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR U_SPLITINC U_LOCALLAN DNS U_DEFDOM DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Nov 12 01:02:54 responder charon: 13[NET] sending packet: from 10.8.193.69[4500] to ini.ti.at.or[40720] (300 bytes)
Nov 12 01:02:54 responder charon: 11[NET] received packet: from ini.ti.at.or[40720] to 10.8.193.69[4500] (76 bytes)
Nov 12 01:02:54 responder charon: 11[ENC] parsed INFORMATIONAL request 12 [ D ]
Nov 12 01:02:54 responder charon: 11[IKE] received DELETE for IKE_SA rw-ikev2-psk[3]
Nov 12 01:02:54 responder charon: 11[IKE] deleting IKE_SA rw-ikev2-psk[3] between 10.8.193.69[responder.domain.com]...ini.ti.at.or[my-user]
Nov 12 01:02:54 responder charon: 11[IKE] IKE_SA deleted
Nov 12 01:02:54 responder vpn: - my-user 10.255.252.2/32 == ini.ti.at.or -- 10.8.193.69 == 10.8.192.0/19
Nov 12 01:02:54 responder charon: 11[ENC] generating INFORMATIONAL response 12 [ ]
Nov 12 01:02:54 responder charon: 11[NET] sending packet: from 10.8.193.69[4500] to ini.ti.at.or[40720] (76 bytes)

Questions

1. How to prevent Charon from removing the name server configuration from /etc/resolv.conf in the IKE_SA re-authentication case?

2. Why does the up/down script get invoked during IKE_SA re-authentication? When "make before break" is enabled, the up/down script invocation seems backward/awkward. That is, up/down is invoked with an 'up' notification at the initial establishment of the tunnel, then again with a second 'up' notification during the "make before break", then finally with a 'down' notification even though the tunnel is up?!?

VPN up/down notifications from the Initiator's /var/log/messages:

Nov 11 17:24:54 initiator vpn: + responder.domain.com 10.8.192.0/19 == re.sp.on.der -- 10.0.1.36 == 10.255.252.2/32
Nov 11 20:02:52 initiator vpn: + responder.domain.com 10.8.192.0/19 == re.sp.on.der -- 10.0.1.36 == 10.255.252.2/32
Nov 11 20:02:52 initiator vpn: - responder.domain.com 10.8.192.0/19 == re.sp.on.der -- 10.0.1.36 == 10.255.252.2/32

3. Aside: why does /usr/libexec/strongswan/_updown fail to find iptables?
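As an added illustration (not part of the original post or of strongSwan itself): a small Python checker that replays the charon events quoted above (IKE_SA established/deleted, DNS server installed/removed, updown +/-) and flags the exact symptom reported, a nameserver whose resolv.conf entries have all been removed while an IKE_SA is still up. The embedded log excerpt is constructed from the lines in this post, and the regexes assume the charon message formats seen here.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the initiator's /var/log/messages quoted above:
# initial establishment, then the make-before-break reauthentication.
SAMPLE_LOG = """\
Nov 11 17:24:54 initiator charon: 05[IKE] IKE_SA dm-psk[1] established between 10.0.1.36[my-user]...re.sp.on.der[responder.domain.com]
Nov 11 17:24:54 initiator charon: 05[IKE] installing DNS server 10.8.194.96 to /etc/resolv.conf
Nov 11 17:24:54 initiator charon: 05[IKE] installing DNS server 10.8.194.96 to /etc/resolv.conf
Nov 11 17:24:54 initiator vpn: + responder.domain.com 10.8.192.0/19 == re.sp.on.der -- 10.0.1.36 == 10.255.252.2/32
Nov 11 20:02:51 initiator charon: 07[IKE] reauthenticating IKE_SA dm-psk[1]
Nov 11 20:02:52 initiator charon: 15[IKE] IKE_SA dm-psk[2] established between 10.0.1.36[my-user]...re.sp.on.der[responder.domain.com]
Nov 11 20:02:52 initiator charon: 15[IKE] installing DNS server 10.8.194.96 to /etc/resolv.conf
Nov 11 20:02:52 initiator charon: 15[IKE] installing DNS server 10.8.194.96 to /etc/resolv.conf
Nov 11 20:02:52 initiator vpn: + responder.domain.com 10.8.192.0/19 == re.sp.on.der -- 10.0.1.36 == 10.255.252.2/32
Nov 11 20:02:52 initiator charon: 10[IKE] deleting IKE_SA dm-psk[1] between 10.0.1.36[my-user]...re.sp.on.der[responder.domain.com]
Nov 11 20:02:52 initiator vpn: - responder.domain.com 10.8.192.0/19 == re.sp.on.der -- 10.0.1.36 == 10.255.252.2/32
Nov 11 20:02:52 initiator charon: 14[IKE] removing DNS server 10.8.194.96 from /etc/resolv.conf
Nov 11 20:02:52 initiator charon: 14[IKE] removing DNS server 10.8.194.96 from /etc/resolv.conf
Nov 11 20:02:52 initiator charon: 14[IKE] removing DNS server 10.8.194.96 from /etc/resolv.conf
Nov 11 20:02:52 initiator charon: 14[IKE] removing DNS server 10.8.194.96 from /etc/resolv.conf
"""

ESTABLISHED = re.compile(r"\[IKE\] IKE_SA (\S+)\[(\d+)\] established")
DELETING = re.compile(r"\[IKE\] deleting IKE_SA (\S+)\[(\d+)\]")
DNS = re.compile(r"\[IKE\] (installing|removing) DNS server (\S+) ")
UPDOWN = re.compile(r" vpn: ([+-]) ")

def audit(log):
    """Replay charon events: surviving IKE_SAs, remaining resolv.conf
    entries per nameserver, and the order of updown notifications."""
    live, dns, updown = set(), defaultdict(int), []
    for line in log.splitlines():
        if m := ESTABLISHED.search(line):
            live.add((m[1], int(m[2])))
        elif m := DELETING.search(line):
            live.discard((m[1], int(m[2])))
        elif m := DNS.search(line):
            # charon only removes entries that exist, so never count below zero
            delta = 1 if m[1] == "installing" else -1
            dns[m[2]] = max(0, dns[m[2]] + delta)
        elif m := UPDOWN.search(line):
            updown.append(m[1])
    # A nameserver with no entry left while an IKE_SA is still up is the
    # symptom reported above: the tunnel works but DNS resolution fails.
    lost = sorted(s for s, n in dns.items() if n == 0)
    return {"live": live, "dns": dict(dns), "updown": updown,
            "dns_lost": bool(live) and bool(lost)}
```

Running audit() over a real /var/log/messages gives a quick way to confirm whether a reauthentication left resolv.conf without the tunnel's nameserver before users notice resolution failures.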
_______________________________________________
Dev mailing list
https://lists.strongswan.org/mailman/listinfo/dev
