On Mon, Feb 22, 2021 at 09:06:58AM +0100, Riccardo Giuntoli wrote:
> Hi there, I've got a lot of problems getting an IKEv2 point-to-point connection
> stable between OpenBSD/OpenIKED and VyOS/Strongswan.
>
> Basically OpenBSD is a GRE transport in passive mode, Strongswan an active GRE
> transport. The GRE tunnel is built on top and keepalive works on both
> sides, because I've changed the behaviour of the tun interface in Linux.
>
> This is the error that I also get on the OpenBSD side:
>
> Feb 22 07:54:34 ganesha iked[26646]: spi=0x53365c1f26b25ca8:
> ikev2_ike_sa_rekey: busy, delaying rekey
> Feb 22 07:54:34 ganesha iked[26646]: spi=0xbbc576f1b7bbeff8:
> ikev2_ike_sa_rekey: busy, delaying rekey
> Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such
> process
> Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such
> process
> Feb 22 07:54:38 ganesha iked[26646]: spi=0xa74b9d54a7346659:
> ikev2_ike_sa_rekey: busy, delaying rekey
> Feb 22 07:54:38 ganesha iked[26646]: pfkey_sa_lookup: message: No such
> process
> Feb 22 07:54:38 ganesha iked[26646]: pfkey_sa_lookup: message: No such
> process
> Feb 22 07:54:39 ganesha iked[26646]: spi=0xb1cc5054712c2e6e:
> ikev2_ike_sa_rekey: busy, delaying rekey
> Feb 22 07:54:40 ganesha iked[26646]: spi=0x56465bd460d16d54:
> ikev2_ike_sa_rekey: busy, delaying rekey
> Feb 22 07:54:40 ganesha iked[26646]: pfkey_sa_lookup: message: No such
> process
>
I don't see any obvious misconfiguration, so this might be a bug,
but without the log I won't be able to help.
- Tobias
>
> Here you are the Strongswan configuration:
>
> conn XXXX
> keyexchange=ikev2
> type=transport
> auto=start
> reauth=no
> ikelifetime=1h
> dpdaction=restart
> dpddelay=15
> dpdtimeout=1
> closeaction=restart
>
> left=%defaultroute
> leftsourceip=%config4
> leftauth=pubkey
> leftid=%indra@XXXX
> leftprotoport=gre
> leftupdown=/config/ipsec/ESJP-updown.sh
>
> right=XXXX
> rightsubnet=XXXX
> rightauth=pubkey
> rightid=%jXXXX
> rightcert=/etc/ipsec.d/certs/XXXX.crt
> rightprotoport=gre
>
> #!/bin/bash
>
> set -o nounset
> set -o errexit
>
> TUN_IFACE="tun2"
>
> case "${PLUTO_VERB}" in
>     up-host)
>         echo "Putting interface ${TUN_IFACE} up"
>         ifconfig "$TUN_IFACE" up
>         echo "Disabling IPsec policy (SPD) for ${TUN_IFACE}"
>         sysctl -w "net.ipv4.conf.${TUN_IFACE}.disable_policy=1"
>         echo "Accepting gre keepalive"
>         sysctl -w "net.ipv4.conf.${TUN_IFACE}.accept_local=1"
>         ;;
>     down-host)
>         ifconfig "$TUN_IFACE" down
>         ;;
> esac
>
> IKE is checked with DPD
> SA is checked with the script
>
> On top of that, also a cron script acting in this way:
>
> #!/bin/bash
> ROUTER_IP=XXXX
> IPSEC="XXXX"
> GRE="tun2"
>
> PING_RESULT=$(fping -I"$GRE" "$ROUTER_IP" 2>&1)
> ALIVE="alive"
> STATUS=$(ipsec status "$IPSEC")
> ESTABLISHED="INSTALLED"
>
> if [[ "$PING_RESULT" != *"$ALIVE"* ]]; then
>     if [[ "$STATUS" == *"$ESTABLISHED"* ]]; then
>         ipsec stroke down-nb "$IPSEC"
>         ipsec up "$IPSEC"
>     else
>         ipsec up "$IPSEC"
>     fi
> fi
>
> In the OpenBSD side:
>
> set dpd_check_interval 15
> ikev2 "XXXX" passive transport \
>     proto gre \
>     from XXXX to XXXX \
>     local jXXXX peer any \
>     ikesa auth hmac-sha2-256 enc aes-256 group ecp256 \
>     childsa auth hmac-sha2-256 enc aes-256 group ecp256 \
>     srcid "shiva@XXXX" \
>     ikelifetime 86400 lifetime 3600
>
> root@shiva:/etc# cat hostname.gre1
>
> description "XXXX"
> keepalive 5 2
> mtu 1392
> !ifconfig gre1 XXXX4 XXXX netmask 0xfffffffc up
> !ifconfig gre1 tunnel XXXX XXXX
> root@shiva:/etc#
>
> And some ifstated to check keepalive status.
>
> Any suggestions?
>
> --
> Name: Riccardo Giuntoli
> Email: [email protected]
> Location: sant Pere de Ribes, BCN, Spain
> PGP Key: 0x67123739
> PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
> Key server: hkp://wwwkeys.eu.pgp.net
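As an added example that is not part of the original thread: a variant of the cron watchdog above with the decision logic split into a function, so a misspelled variable name aborts under `nounset` instead of expanding to an empty pattern that matches every `ipsec status` line and silently picks the restart branch. The connection name, GRE interface and router address are placeholders, and the live `fping`/`ipsec` calls only run when invoked with `--run`.

```shell
#!/bin/bash
# Added example, not the poster's script: same intent as the cron watchdog in
# the mail, but the decision is a pure function that can be checked offline.
set -o nounset   # an unset (e.g. misspelled) variable aborts the script
set -o errexit   # instead of expanding to "" and matching any status text
set -o pipefail

IPSEC_CONN="${IPSEC_CONN:-XXXX}"       # placeholder connection name
GRE_IFACE="${GRE_IFACE:-tun2}"         # GRE interface, as in the mail
ROUTER_IP="${ROUTER_IP:-192.0.2.1}"    # constructed documentation address

# decide_action PING_OUTPUT STATUS_OUTPUT
# Prints exactly one of: none | restart | up
decide_action() {
    local ping_out="$1" status_out="$2"
    case "$ping_out" in
        *" is alive"*) echo none; return 0 ;;   # GRE peer answers: nothing to do
    esac
    case "$status_out" in
        *INSTALLED*) echo restart ;;   # CHILD_SA installed but GRE is dead
        *)           echo up ;;        # nothing installed: just bring it up
    esac
}

# apply_action ACTION: the only place with side effects on the IKE daemon.
apply_action() {
    case "$1" in
        none)    ;;
        restart) ipsec stroke down-nb "$IPSEC_CONN"; ipsec up "$IPSEC_CONN" ;;
        up)      ipsec up "$IPSEC_CONN" ;;
        *)       echo "unknown action: $1" >&2; return 1 ;;
    esac
}

# Probe the live system only when asked, so the functions above can be
# sourced and tested on a host without fping or strongSwan installed.
if [ "${1:-}" = "--run" ]; then
    ping_out="$(fping -I"$GRE_IFACE" "$ROUTER_IP" 2>&1 || true)"
    status_out="$(ipsec status "$IPSEC_CONN" 2>&1 || true)"
    apply_action "$(decide_action "$ping_out" "$status_out")"
fi
```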