On 20.03.2015 16:17, Martin Larsson wrote:
Hello!
I've been struggling a lot lately with isakmpd net to net to a strongswan (nat-t) client.
Isakmpd tells strongswan to delete the SA after a while.
I've gotten great help from one of the strongswan developers who came up with this.
isakmpd sends deletes for expired IKE_SAs over the latest active SA with a specific peer. In strongSwan there is currently no check that the SPIs in the DELETE payload with protocol ISAKMP actually match those of the current SA; it simply assumes a DELETE on the current SA is to delete that SA.
But according to RFC 2408 what isakmpd does is not really compliant: "Deletion which is concerned with an ISAKMP SA will contain a Protocol-Id of ISAKMP and the SPIs are the initiator and responder cookies from the ISAKMP Header.", so no other SPIs are allowed than those of the current SA.
Any ideas?
Best regards
Martin
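The check Martin's message says strongSwan lacks, written out as an added example (not isakmpd or strongSwan code): parse the ISAKMP header and the Delete payload per RFC 2408 (header section 3.1, generic payload header 3.2, Delete payload 3.15) and compare each ISAKMP-protocol SPI with the cookie pair of the SA the message arrived on. The cookies, message ID and HASH payload contents are constructed placeholders, and the sample messages are built unencrypted so the parser can be run offline.

```python
"""RFC 2408 check: does a DELETE with Protocol-Id ISAKMP name the SA it was
received on?  Added example, not isakmpd or strongSwan code.  Packet layouts
follow RFC 2408; all cookies and payload contents below are constructed."""
import struct

ISAKMP_HDR_LEN = 28          # fixed ISAKMP header size (RFC 2408 section 3.1)
PAYLOAD_NONE = 0
PAYLOAD_HASH = 8
PAYLOAD_DELETE = 12
PROTO_ISAKMP = 1             # Protocol-Id meaning "the IKE SA itself"
EXCH_INFORMATIONAL = 5
DOI_IPSEC = 1


def parse_header(msg: bytes) -> dict:
    """Split the 28-byte ISAKMP header into its fields."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("message shorter than ISAKMP header")
    icookie, rcookie, next_payload, version, exch, flags, msg_id, length = \
        struct.unpack("!8s8sBBBBII", msg[:ISAKMP_HDR_LEN])
    if length != len(msg):
        raise ValueError("header length field does not match message size")
    return {"icookie": icookie, "rcookie": rcookie, "next_payload": next_payload,
            "version": version, "exchange": exch, "flags": flags, "msg_id": msg_id}


def iter_payloads(msg: bytes, first_type: int):
    """Walk the payload chain after the header; yield (type, body) pairs."""
    off, ptype = ISAKMP_HDR_LEN, first_type
    while ptype != PAYLOAD_NONE:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        next_type, _reserved, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        yield ptype, msg[off + 4:off + plen]
        off, ptype = off + plen, next_type
    if off != len(msg):
        raise ValueError("trailing bytes after last payload")


def parse_delete(body: bytes):
    """Decode a Delete payload body into (DOI, Protocol-Id, [SPI, ...])."""
    if len(body) < 8:
        raise ValueError("truncated Delete payload")
    doi, proto, spi_size, n_spis = struct.unpack("!IBBH", body[:8])
    if len(body) != 8 + spi_size * n_spis:
        raise ValueError("Delete payload size does not match SPI count")
    spis = [body[8 + i * spi_size:8 + (i + 1) * spi_size] for i in range(n_spis)]
    return doi, proto, spis


def isakmp_delete_matches_sa(msg: bytes) -> list:
    """For every ISAKMP-protocol SPI in the Delete payloads, report whether it
    equals icookie||rcookie of the header, i.e. the SA the message came over.
    RFC 2408 allows only that value; a responder that skips this comparison
    tears down its live SA on a DELETE that really names an expired one."""
    hdr = parse_header(msg)
    own_spi = hdr["icookie"] + hdr["rcookie"]
    verdicts = []
    for ptype, body in iter_payloads(msg, hdr["next_payload"]):
        if ptype != PAYLOAD_DELETE:
            continue
        _doi, proto, spis = parse_delete(body)
        if proto != PROTO_ISAKMP:
            continue                     # IPsec SA deletes are out of scope here
        for spi in spis:
            if len(spi) != 16:
                raise ValueError("ISAKMP SPI must be the 16-byte cookie pair")
            verdicts.append(spi == own_spi)
    return verdicts


def build_informational_delete(icookie: bytes, rcookie: bytes, spi: bytes) -> bytes:
    """Constructed IKEv1 Informational message: HASH payload then Delete payload.
    The HASH body is a zero placeholder; a real message carries an HMAC and is
    encrypted, neither of which changes the SPI comparison."""
    hash_body = b"\x00" * 20
    hash_pl = struct.pack("!BBH", PAYLOAD_DELETE, 0, 4 + len(hash_body)) + hash_body
    del_body = struct.pack("!IBBH", DOI_IPSEC, PROTO_ISAKMP, len(spi), 1) + spi
    del_pl = struct.pack("!BBH", PAYLOAD_NONE, 0, 4 + len(del_body)) + del_body
    length = ISAKMP_HDR_LEN + len(hash_pl) + len(del_pl)
    hdr = struct.pack("!8s8sBBBBII", icookie, rcookie, PAYLOAD_HASH, 0x10,
                      EXCH_INFORMATIONAL, 0, 0x1234, length)
    return hdr + hash_pl + del_pl


# Constructed cookies: the SA currently in use and one that has already expired.
CUR_I, CUR_R = bytes.fromhex("1111111111111111"), bytes.fromhex("2222222222222222")
OLD_I, OLD_R = bytes.fromhex("aaaaaaaaaaaaaaaa"), bytes.fromhex("bbbbbbbbbbbbbbbb")

# Compliant: the DELETE names the SA it travels over.
COMPLIANT = build_informational_delete(CUR_I, CUR_R, CUR_I + CUR_R)
# isakmpd-style: a DELETE for the expired SA sent over the current one.
STALE = build_informational_delete(CUR_I, CUR_R, OLD_I + OLD_R)

if __name__ == "__main__":
    print("compliant:", isakmp_delete_matches_sa(COMPLIANT))   # [True]
    print("stale SPI:", isakmp_delete_matches_sa(STALE))       # [False]
```

A responder applying this check would ignore (or log) the second message instead of deleting its current SA, which is the symptom both posters see; the initiator-side fix is for isakmpd to put the current SA's cookies in the Delete payload, as the RFC text quoted above requires.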
Hi,
I have the same problem (if I understand you correctly). After the configured ike lifetime expires strongSwan deletes the SA and no traffic flows between the two networks. Only `ipsec down $CONN_NAME; ipsec up $CONN_NAME;' restores the connection. As a workaround I'm running a script (on OpenWRT) which checks the other side of the tunnel.
StrongSwan on OpenWRT BarrierBreaker 14.07:
root@go:~# uname -a
Linux go 3.10.49 #1 Sun Mar 8 16:52:48 EET 2015 mips GNU/Linux
root@go:~# ipsec version
Linux strongSwan U5.2.2/K3.10.49
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
root@go:~# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup

conn %default
        keyingtries=%forever
        dpdaction=none
        auto=start
        authby=pubkey

conn example.com
        keyexchange=ikev1
        # phase 1 parameters
        ike=aes-sha-modp1024!
        ikelifetime=3h
        # peers
        left=%defaultroute
        leftsubnet=172.16.1.0/24
        leftrsasigkey=/etc/ipsec.d/public/local.pub
        leftid=@go.example.com
        leftfirewall=yes
        right=example.com
        rightsubnet=192.168.1.0/27
        rightrsasigkey=/etc/ipsec.d/public/ns.example.com
        # phase 2
        esp=aes-sha-modp1024!
        lifetime=1h
root@go:~# cat /usr/sbin/monitor-ipsec.sh
#!/bin/ash

# Poll a host behind the tunnel; bounce the connection when it stops answering.
main()
{
    local SLEEP_SECONDS=60
    while true; do
        monitor_vpn_ip_port example.com 192.168.1.1 22
        sleep "$SLEEP_SECONDS"
    done
}

# monitor_vpn_ip_port CONN_NAME IP PORT
# Try a TCP connect to IP:PORT (10 s timeout); on failure restart the conn.
monitor_vpn_ip_port()
{
    local CONN_NAME=$1
    local IP=$2
    local PORT=$3
    nc -w 10 -z "$IP" "$PORT" || ( \
        echo "$IP $PORT did not respond, resetting connection $CONN_NAME"; \
        ipsec down "$CONN_NAME"; ipsec up "$CONN_NAME"; )
}

# now start running the script by calling main() with all parameters.
main "$@"
####################################################
OpenBSD site:
[ns]~$ sudo cat /etc/ipsec.conf.go
local_network="192.168.1.0/27"
remote_network="172.16.1.0/24"
go_ip="go.example.com"

# Between the networks
ike passive esp from $local_network to $remote_network peer $go_ip \
        main auth hmac-sha enc aes group modp1024 lifetime 3h \
        quick auth hmac-sha enc aes group modp1024 lifetime 1h \
        srcid example.com dstid go.example.com
dmesg:
OpenBSD 5.7-current (GENERIC.MP) #903: Thu Apr 2 13:47:34 MDT 2015
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 6416760832 (6119MB)
avail mem = 6218432512 (5930MB)
mpath0 at root
....