It's been fixed now in strongSwan 5.3. I was more curious if anyone thought
isakmpd made something wrong here :)

Best regards
Martin

On Fri, Apr 3, 2015 at 10:38 PM, Atanas Vladimirov <[email protected]> wrote:

> On 20.03.2015 16:17, Martin Larsson wrote:
>
>> Hello!
>>
>> I've been struggling a lot lately with isakmpd net-to-net to a strongSwan
>> (nat-t) client.
>> Isakmpd tells strongswan to delete the SA after a while.
>>
>> I've gotten great help from one of the strongSwan developers, who came up
>> with this.
>>
>> isakmpd sends deletes for expired IKE_SAs over the latest active SA with a
>> specific peer. In strongSwan there is currently no check that the SPIs in
>> the DELETE payload with protocol ISAKMP actually matches those of the
>> current SA, it simply assumes a DELETE on the current SA is to delete that
>> SA.
>>
>> But according to RFC 2408 what isakmpd does is not really compliant:
>> "Deletion which is concerned with an ISAKMP SA will contain a Protocol-Id
>> of ISAKMP and the SPIs are the initiator and responder cookies from the
>> ISAKMP Header.", so no other SPIs are allowed than those of the current
>> SA.
>>
>> Any ideas?
>>
>> Best regards
>> Martin
>>
>
> Hi,
> I have the same problem (if I understand you correctly). After the
> configured IKE lifetime expires, strongSwan deletes the SA and no traffic flows
> between the two networks. Only `ipsec down $CONN_NAME; ipsec up $CONN_NAME;'
> restores the connection. As a workaround I'm running a script (on OpenWRT)
> which checks the other side of the tunnel.
>
> StrongSwan on OpenWRT BarrierBreaker 14.07:
> root@go:~# uname -a
> Linux go 3.10.49 #1 Sun Mar 8 16:52:48 EET 2015 mips GNU/Linux
> root@go:~# ipsec version
> Linux strongSwan U5.2.2/K3.10.49
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil, Switzerland
> See 'ipsec --copyright' for copyright information.
>
> root@go:~# cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>
> conn %default
>         keyingtries=%forever
>         dpdaction=none
>         auto=start
>         authby=pubkey
>
> conn example.com
>         keyexchange=ikev1
>         # phase 1 parameters
>         ike=aes-sha-modp1024!
>         ikelifetime=3h
>         # peers
>         left=%defaultroute
>         leftsubnet=172.16.1.0/24
>         leftrsasigkey=/etc/ipsec.d/public/local.pub
>         [email protected]
>         leftfirewall=yes
>         right=example.com
>         rightsubnet=192.168.1.0/27
>         rightrsasigkey=/etc/ipsec.d/public/ns.example.com
>         # phase 2
>         esp=aes-sha-modp1024!
>         lifetime=1h
>
> root@go:~# cat /usr/sbin/monitor-ipsec.sh
> #!/bin/ash
>
> main()
> {
>     local SLEEP_SECONDS=60
>     # poll the far side of the tunnel forever; bounce the connection when it stops answering
>     while :; do
>         monitor_vpn_ip_port example.com 192.168.1.1 22
>         sleep "$SLEEP_SECONDS"
>     done
> }
>
> monitor_vpn_ip_port()
> {
>     local CONN_NAME=$1
>     local IP=$2
>     local PORT=$3
>
>     # TCP connect test (10 s timeout) to a host behind the tunnel; on failure restart the conn
>     nc -w 10 -z "$IP" "$PORT" || {
>         echo "$IP $PORT did not respond, resetting connection $CONN_NAME"
>         ipsec down "$CONN_NAME"; ipsec up "$CONN_NAME"
>     }
> }
>
> # now start running the script by calling main() with all parameters.
> main "$@"
>
> ####################################################
>
> OpenBSD site:
> [ns]~$ sudo cat /etc/ipsec.conf.go
>
> local_network="192.168.1.0/27"
> remote_network="172.16.1.0/24"
> go_ip="go.example.com"
>
> # Between the networks
> ike passive esp from $local_network to $remote_network peer $go_ip \
>         main auth hmac-sha enc aes group modp1024 lifetime 3h \
>         quick auth hmac-sha enc aes group modp1024 lifetime 1h \
>         srcid example.com dstid go.example.com
>
> dmesg:
> OpenBSD 5.7-current (GENERIC.MP) #903: Thu Apr  2 13:47:34 MDT 2015
>     [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 6416760832 (6119MB)
> avail mem = 6218432512 (5930MB)
> mpath0 at root
> ....
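The SPI check the strongSwan developer describes above, as an added example that is not code from either isakmpd or strongSwan: it parses an ISAKMP Delete payload (RFC 2408 section 3.15) and accepts a Protocol-Id ISAKMP delete only when one of its SPIs equals the initiator and responder cookies of the SA the message arrived on, so a delete naming an already expired SA does not tear down the active one. The cookie values and payloads below are constructed for the example.

```python
import struct

PROTO_ISAKMP = 1          # Protocol-Id for the ISAKMP SA itself
ISAKMP_SPI_SIZE = 16      # initiator cookie (8 bytes) + responder cookie (8 bytes)

def build_delete_payload(proto, spis, doi=1, next_payload=0):
    """Encode a Delete payload: generic header, DOI, Protocol-Id, SPI size, SPI count, SPIs."""
    spi_size = len(spis[0]) if spis else ISAKMP_SPI_SIZE
    body = struct.pack("!IBBH", doi, proto, spi_size, len(spis)) + b"".join(spis)
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def parse_delete_payload(data):
    """Decode a Delete payload into (protocol_id, [spi, ...]); rejects malformed input."""
    if len(data) < 12:
        raise ValueError("truncated Delete payload")
    _next, _reserved, length = struct.unpack("!BBH", data[:4])
    _doi, proto, spi_size, count = struct.unpack("!IBBH", data[4:12])
    if length != len(data) or 12 + spi_size * count != length:
        raise ValueError("payload length disagrees with SPI size * count")
    spis = [data[12 + i * spi_size:12 + (i + 1) * spi_size] for i in range(count)]
    return proto, spis

def delete_matches_current_sa(data, icookie, rcookie):
    """Apply the RFC 2408 rule: an ISAKMP delete names the SA by its own cookies.
    Return True only if an SPI equals the cookies of the SA this message arrived on;
    a delete carrying some other (e.g. expired) SA's cookies must not tear it down."""
    proto, spis = parse_delete_payload(data)
    if proto != PROTO_ISAKMP:
        return False  # IPsec (ESP/AH) SPIs are a different check, not handled here
    if any(len(spi) != ISAKMP_SPI_SIZE for spi in spis):
        raise ValueError("ISAKMP delete must carry 16-byte cookie pairs")
    return (icookie + rcookie) in spis

# Constructed sample data: cookies of the SA currently in use, and of an already expired one.
CUR_I, CUR_R = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")
OLD_I, OLD_R = bytes.fromhex("deadbeefdeadbeef"), bytes.fromhex("0badf00d0badf00d")
DELETE_CURRENT = build_delete_payload(PROTO_ISAKMP, [CUR_I + CUR_R])
# what the thread describes: a delete for the expired SA, sent over the active SA
DELETE_STALE = build_delete_payload(PROTO_ISAKMP, [OLD_I + OLD_R])

if __name__ == "__main__":
    print("delete for current SA accepted:", delete_matches_current_sa(DELETE_CURRENT, CUR_I, CUR_R))
    print("delete for stale SA accepted:  ", delete_matches_current_sa(DELETE_STALE, CUR_I, CUR_R))
```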
