Re: [strongSwan] Connection to AWS-VPC

2020-09-17 Thread Doug Tucker
It creates the needed vti interfaces and sets up some iptables rules.  Here is 
mine in its entirety.

#!/bin/bash

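#######################################
# Parse the options given on the leftupdown= line of ipsec.conf and pair
# them with the PLUTO_* variables charon exports to updown scripts.
# Globals (written): TUNNEL_NAME, TUNNEL_PHY_INTERFACE, TUNNEL_LOCAL_ADDRESS,
#   TUNNEL_LOCAL_ENDPOINT, TUNNEL_REMOTE_ADDRESS, TUNNEL_REMOTE_ENDPOINT,
#   TUNNEL_MARK, TUNNEL_STATIC_ROUTE
# Globals (read):    PLUTO_INTERFACE, PLUTO_ME, PLUTO_PEER
# Arguments: the script's own argument list ("$@")
# Outputs:   unknown options and a trailing value-less option go to stderr
#######################################
parse_args() {
  # (( )) is a numeric comparison; the original '[[ $# > 1 ]]' compared the
  # count as a string and only worked by coincidence.
  while (( $# > 1 )); do
    case "$1" in
      -ln|--link-name)
        TUNNEL_NAME="$2"
        TUNNEL_PHY_INTERFACE="${PLUTO_INTERFACE}"
        shift
        ;;
      -ll|--link-local)
        TUNNEL_LOCAL_ADDRESS="$2"
        TUNNEL_LOCAL_ENDPOINT="${PLUTO_ME}"
        shift
        ;;
      -lr|--link-remote)
        TUNNEL_REMOTE_ADDRESS="$2"
        TUNNEL_REMOTE_ENDPOINT="${PLUTO_PEER}"
        shift
        ;;
      -m|--mark)
        TUNNEL_MARK="$2"
        shift
        ;;
      -r|--static-route)
        TUNNEL_STATIC_ROUTE="$2"
        shift
        ;;
      *)
        printf '%s: Unknown argument "%s"\n' "$0" "$1" >&2
        ;;
    esac
    shift
  done
  # The loop stops with one argument left when an option has no value;
  # report that instead of silently leaving the variable unset.
  if (( $# == 1 )); then
    printf '%s: option "%s" is missing its value\n' "$0" "$1" >&2
  fi
}

parse_args "$@"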

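#######################################
# Test whether a command is resolvable, without printing anything.
# Arguments: $1 - command name
# Returns:   0 if found, non-zero otherwise
#######################################
command_exists() {
  # The original '>&2 2>&2' left the lookup result on stderr on every run;
  # the callers only want the exit status.
  command -v "$1" >/dev/null 2>&1
}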

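#######################################
# Create the route-based VTI interface for this tunnel.
# Globals (read): TUNNEL_NAME, TUNNEL_LOCAL_ENDPOINT, TUNNEL_REMOTE_ENDPOINT,
#   TUNNEL_MARK, TUNNEL_LOCAL_ADDRESS, TUNNEL_REMOTE_ADDRESS
#######################################
create_interface() {
  # 'key' is the XFRM mark the vti matches on; it has to equal the conn's
  # mark= so that this SA's traffic, and only this SA's, enters the vti.
  ip link add "${TUNNEL_NAME}" type vti \
    local "${TUNNEL_LOCAL_ENDPOINT}" remote "${TUNNEL_REMOTE_ENDPOINT}" \
    key "${TUNNEL_MARK}"
  # Inside (link-local) addresses of the tunnel; the conn definitions pass
  # a 169.254.x.x/30 pair here.
  ip addr add "${TUNNEL_LOCAL_ADDRESS}" remote "${TUNNEL_REMOTE_ADDRESS}" \
    dev "${TUNNEL_NAME}"
  # MTU leaves headroom for the outer IP/ESP encapsulation.
  ip link set "${TUNNEL_NAME}" up mtu 1419
}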

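#######################################
# Kernel settings required for route-based (VTI) forwarding of this tunnel.
# Globals (read): TUNNEL_NAME, TUNNEL_PHY_INTERFACE
#######################################
configure_sysctl() {
  sysctl -w net.ipv4.ip_forward=1
  # rp_filter=2 is loose mode: source checks on the vti do not drop traffic
  # whose return path is a different interface.
  sysctl -w "net.ipv4.conf.${TUNNEL_NAME}.rp_filter=2"
  # Packets on the vti were already selected by mark/key, so the XFRM policy
  # check is skipped here. Isolation between the two tunnels therefore rests
  # on the mark alone, which is why mark= and -m must agree.
  sysctl -w "net.ipv4.conf.${TUNNEL_NAME}.disable_policy=1"
  # The conns use 0.0.0.0/0 on both sides, so their policies match all
  # traffic; disabling xfrm/policy on the physical interface keeps plaintext
  # traffic there out of those policies and leaves the static routes via the
  # vti to decide what is sent through the tunnel.
  sysctl -w "net.ipv4.conf.${TUNNEL_PHY_INTERFACE}.disable_xfrm=1"
  sysctl -w "net.ipv4.conf.${TUNNEL_PHY_INTERFACE}.disable_policy=1"
}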

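#######################################
# Install the static routes and per-tunnel firewall rules once the SA is up.
# Globals (read): TUNNEL_STATIC_ROUTE (comma-separated prefixes), TUNNEL_NAME,
#   TUNNEL_MARK, TUNNEL_REMOTE_ENDPOINT, TUNNEL_LOCAL_ENDPOINT
#######################################
add_route() {
  local -a routes mss_rule mark_rule
  local prefix
  IFS=',' read -r -a routes <<< "${TUNNEL_STATIC_ROUTE}"
  # The mark doubles as the route metric, so the conn with the lower mark
  # (100 vs 200 in the posted ipsec.conf) is preferred while both are up.
  for prefix in "${routes[@]}"; do
    ip route add "${prefix}" dev "${TUNNEL_NAME}" metric "${TUNNEL_MARK}"
  done
  # Clamp TCP MSS to the path MTU so segments fit the vti's 1419-byte MTU.
  mss_rule=(FORWARD -o "${TUNNEL_NAME}" -p tcp --tcp-flags SYN,RST SYN
    -j TCPMSS --clamp-mss-to-pmtu)
  # Mark inbound ESP from this peer so the kernel delivers it to the vti
  # whose key equals the mark; this is what keeps the tunnels' traffic apart.
  mark_rule=(INPUT -p esp -s "${TUNNEL_REMOTE_ENDPOINT}"
    -d "${TUNNEL_LOCAL_ENDPOINT}" -j MARK --set-xmark "${TUNNEL_MARK}")
  # Check (-C) before appending: should up-client run again before
  # down-client, a bare -A would accumulate duplicate rules that cleanup
  # removes only one at a time.
  iptables -t mangle -C "${mss_rule[@]}" 2>/dev/null \
    || iptables -t mangle -A "${mss_rule[@]}"
  iptables -t mangle -C "${mark_rule[@]}" 2>/dev/null \
    || iptables -t mangle -A "${mark_rule[@]}"
  # Table 220 is charon's default routing table; flushing it removes the
  # routes charon installs for the 0.0.0.0/0 traffic selectors, so the static
  # routes above decide what goes through the vti.
  ip route flush table 220
}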

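#######################################
# Remove the static routes and firewall rules installed by add_route.
# Globals (read): TUNNEL_STATIC_ROUTE (comma-separated prefixes), TUNNEL_NAME,
#   TUNNEL_MARK, TUNNEL_REMOTE_ENDPOINT, TUNNEL_LOCAL_ENDPOINT
#######################################
cleanup() {
  local -a routes
  local prefix
  IFS=',' read -r -a routes <<< "${TUNNEL_STATIC_ROUTE}"
  # Metric must match the one used on add, otherwise the route is not found.
  for prefix in "${routes[@]}"; do
    ip route del "${prefix}" dev "${TUNNEL_NAME}" metric "${TUNNEL_MARK}"
  done
  # Same rule specifications as in add_route, deleted instead of appended.
  iptables -t mangle -D FORWARD -o "${TUNNEL_NAME}" -p tcp \
    --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  iptables -t mangle -D INPUT -p esp -s "${TUNNEL_REMOTE_ENDPOINT}" \
    -d "${TUNNEL_LOCAL_ENDPOINT}" -j MARK --set-xmark "${TUNNEL_MARK}"
  ip route flush cache
}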

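#######################################
# Bring the VTI interface down and remove it.
# Globals (read): TUNNEL_NAME
#######################################
delete_interface() {
  ip link set "${TUNNEL_NAME}" down
  ip link del "${TUNNEL_NAME}"
}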

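# main execution starts here

# Abort instead of only warning when a required tool is missing: continuing
# would leave interface, sysctl and firewall state half-applied.
for tool in ip iptables sysctl; do
  if ! command_exists "${tool}"; then
    printf 'ERROR: %s command is required to execute the script, check if you are running as root, mostly to do with path, /sbin/\n' "${tool}" >&2
    exit 1
  fi
done

# PLUTO_VERB is set by charon for each updown invocation; only the client
# verbs are handled, any other verb falls through untouched.
case "${PLUTO_VERB}" in
  up-client)
    create_interface
    configure_sysctl
    add_route
    ;;
  down-client)
    cleanup
    delete_interface
    ;;
esac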




Doug Tucker
Sr. Director of Networking & Linux Operations

o: 817.975.5832  |  m: 817.975.5832

e: doug.tuc...@navigaglobal.com



[cid:image001.png@01D4FEC7.F32F3010]<https://navigaglobal.com/>

[cid:image002.png@01D4FEC7.F32F3010]<https://www.facebook.com/navigaglobal>  
[cid:image003.png@01D4FEC7.F32F3010] <https://twitter.com/navigaglobal>   
[cid:image004.png@01D4FEC7.F32F3010] 
<https://www.linkedin.com/company/navigaglobal/about/>



Newscycle Solutions is now Naviga. Learn more.<https://navigaglobal.com/>

CONFIDENTIALITY NOTICE: The contents of this email message and any attachments 
are intended solely for the addressee(s) and may contain confidential and/or 
privileged information and may be legally protected from disclosure. If you are 
not the intended recipient of this message or their agent, or if this message 
has been addressed to you in error, please immediately alert the sender by 
reply email and then delete this message and any attachments. If you are 

Re: [strongSwan] Connection to AWS-VPC

2020-09-16 Thread Doug Tucker
ipsec.conf:

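# ipsec.conf - strongSwan IPsec configuration file
# Site network admin:
# basic configuration

config setup
# strictcrlpolicy=yes
# Both conns below carry the same leftid/right; uniqueids=no presumably keeps
# the second tunnel from replacing the first one's IKE_SA -- confirm.
uniqueids = no
# charondebug = "ike 2,chd 3, enc 2"

# Add connections here.


##  Common configuration
# Each conn's mark= must equal the -m value passed to aws-updown.sh: the
# script uses that number as the VTI key, as the iptables MARK for inbound
# ESP from the peer and as the route metric. A mismatch would likely leave
# the SA up with no traffic reaching the vti.
# NOTE(review): IKEv1 with aes*-sha1-modp1024 and PSK is a legacy profile;
# prefer IKEv2 and a stronger DH group and integrity algorithm if the AWS
# side supports them, and keep both conns on one proposal (Tunnel1 uses
# aes256 below, Tunnel2 aes128).


conn Tunnel1
auto=start
left=%defaultroute
leftid=1.1.1.1
right=2.2.2.2
type=tunnel
leftauth=psk
rightauth=psk
keyexchange=ikev1
ike=aes256-sha1-modp1024
ikelifetime=8h
esp=aes256-sha1-modp1024
lifetime=1h
keyingtries=%forever
# 0.0.0.0/0 on both sides: the policy matches everything, which is why the
# updown script disables xfrm/policy on the physical interface and steers
# traffic with static routes via the vti instead.
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
dpddelay=10s
dpdtimeout=30s
dpdaction=restart
mark=100
leftupdown="/usr/local/etc/aws-updown.sh -ln Tunnel1 -ll 169.254.x.x/30 -lr 169.254.x.x/30 -m 100 -r 10.x.x.0/20"

conn Tunnel2
auto=start
left=%defaultroute
leftid=1.1.1.1
right=2.2.2.2
type=tunnel
leftauth=psk
rightauth=psk
keyexchange=ikev1
ike=aes128-sha1-modp1024
ikelifetime=8h
esp=aes128-sha1-modp1024
lifetime=1h
keyingtries=%forever
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
dpddelay=10s
dpdtimeout=30s
dpdaction=restart
# Second tunnel uses a distinct mark so its ESP lands on its own vti.
mark=200
leftupdown="/usr/local/etc/aws-updown.sh -ln Tunnel2 -ll 169.254.x.x/30 -lr 169.254.x.x/30 -m 200 -r 10.x.x.0/20"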

Let me know  if there is more you would like to see.



Doug Tucker
Sr. Director of Networking & Linux Operations

o: 817.975.5832  |  m: 817.975.5832

e: doug.tuc...@navigaglobal.com



[cid:image001.png@01D4FEC7.F32F3010]<https://navigaglobal.com/>

[cid:image002.png@01D4FEC7.F32F3010]<https://www.facebook.com/navigaglobal>  
[cid:image003.png@01D4FEC7.F32F3010] <https://twitter.com/navigaglobal>   
[cid:image004.png@01D4FEC7.F32F3010] 
<https://www.linkedin.com/company/navigaglobal/about/>



Newscycle Solutions is now Naviga. Learn more.<https://navigaglobal.com/>

CONFIDENTIALITY NOTICE: The contents of this email message and any attachments 
are intended solely for the addressee(s) and may contain confidential and/or 
privileged information and may be legally protected from disclosure. If you are 
not the intended recipient of this message or their agent, or if this message 
has been addressed to you in error, please immediately alert the sender by 
reply email and then delete this message and any attachments. If you are not 
the intended recipient, you are hereby notified that any use, dissemination, 
copying, or storage of this message or its attachments is strictly prohibited.





From: Users  on behalf of Dominik Reusser 

Sent: Tuesday, September 15, 2020 1:19 AM
To: users@lists.strongswan.org 
Subject: [strongSwan] Connection to AWS-VPC


NCS WARNING: External email. Please verify sender before opening attachments or 
clicking on links.

Has anyone successfully connected to AWS VPC? My connection is established and 
ICMP packets are routed through the AWS cloud. However, UDP and TCP packets - 
while being sent towards the AWS server (seen in tcpdump on the client side) - do 
not appear in the logs of the VPC.

With a corresponding setup with OpenSwan I get a working connection. However, I 
would prefer to use strong Swan.

If you have successfully connected to AWS VPC, could you please share your 
configuration files?

Thanks
Kind regards
Dominik


[strongSwan] issue connecting to fortigate

2020-06-25 Thread Doug Tucker
Strongswan 5.8.4.  Odd issue connecting to a fortigate.   The tunnel  appears 
to establish and the SA up.  The fortigate shows phase1 and 2 complete but no 
traffic is passing.  The logs on the strongSwan side show something I'm not used to 
seeing.  It appears somehow that quickmode phase2 is responding on port 500 
instead of 4500.  But again, it appears to complete.  Here the info from the 
logs.  Any ideas?

Jun 25 21:33:28 ip-100-105-8-167 charon: 07[ENC] generating QUICK_MODE response 
2098315325 [ HASH SA No KE ID ID ]
Jun 25 21:33:28 ip-100-105-8-167 charon: 07[NET] sending packet: from 
1.1.1.1[500] to 2.2.2.2[500] (380 bytes)
Jun 25 21:33:28 ip-100-105-8-167 charon: 08[NET] received packet: from 
2.2.2.2[500] to 1.1.1.1[500] (60 bytes)
Jun 25 21:33:28 ip-100-105-8-167 charon: 08[ENC] parsed QUICK_MODE request 
2098315325 [ HASH ]
Jun 25 21:33:28 ip-100-105-8-167 charon: 08[IKE] CHILD_SA sph-dr{71} 
established with SPIs c2b7d129_i 0a24e7dd_o and TS 1.1.0.0/16 === 2.2.0.0/28
Jun 25 21:33:43 ip-100-105-8-167 charon: 06[IKE] sending DPD request
Jun 25 21:33:43 ip-100-105-8-167 charon: 06[ENC] generating INFORMATIONAL_V1 
request 1996139877 [ HASH N(DPD) ]
Jun 25 21:33:43 ip-100-105-8-167 charon: 06[NET] sending packet: from 
1.1.1.1[500] to 2.2.2.2[500] (92 bytes)
Jun 25 21:33:43 ip-100-105-8-167 charon: 16[NET] received packet: from 
2.2.2.2[500] to 1.1.1.1[500] (92 bytes)
Jun 25 21:33:43 ip-100-105-8-167 charon: 16[ENC] parsed INFORMATIONAL_V1 
request 3916210465 [ HASH N(DPD_ACK) ]

ipsec statusall:

sph-dr[56]: ESTABLISHED 4 seconds ago, 1.1.1.1[3.3.3.3]...2.2.2.2[2.2.2.2]
  sph-dr[56]: IKEv1 SPIs: 92bf32eece46a7f9_i fb85b9ec02d6437f_r*, 
pre-shared key reauthentication in 7 hours
  sph-dr[56]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
  sph-dr{71}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c2b7d129_i 0a24e7dd_o
  sph-dr{71}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, 
rekeying in 7 hours
  sph-dr{71}:   1.1.0.0/16 === 2.2.0.0/28




Doug Tucker
Sr. Director of Networking & Linux Operations

o: 817.975.5832  |  m: 817.975.5832

e: doug.tuc...@navigaglobal.com



[cid:image001.png@01D4FEC7.F32F3010]<https://navigaglobal.com/>

[cid:image002.png@01D4FEC7.F32F3010]<https://www.facebook.com/navigaglobal>  
[cid:image003.png@01D4FEC7.F32F3010] <https://twitter.com/navigaglobal>   
[cid:image004.png@01D4FEC7.F32F3010] 
<https://www.linkedin.com/company/navigaglobal/about/>



Newscycle Solutions is now Naviga. Learn more.<https://navigaglobal.com/>

CONFIDENTIALITY NOTICE: The contents of this email message and any attachments 
are intended solely for the addressee(s) and may contain confidential and/or 
privileged information and may be legally protected from disclosure. If you are 
not the intended recipient of this message or their agent, or if this message 
has been addressed to you in error, please immediately alert the sender by 
reply email and then delete this message and any attachments. If you are not 
the intended recipient, you are hereby notified that any use, dissemination, 
copying, or storage of this message or its attachments is strictly prohibited.





[strongSwan] unstable tunnels

2020-02-27 Thread Doug Tucker
I have an issue that has suddenly begun happening on a tunnel  that has been 
running for about 6 months.  There are about 70 mappings on this device to the 
same peer.  When they go through rekey, only about 16 of them survive.  Here is 
a snippet in the logs of what I see when this is happening.  Anyone have any 
ideas what might cause this?  I'm confused by these "no matching child SA" 
messages.  I thought that meant the other side doesn't have this mapping but 
they do.

Feb 27 13:54:34 ip-2.2.2.2 charon: 06[NET] received packet: from 1.1.1.1[4500] 
to 2.2.2.2[4500] (76 bytes)
Feb 27 13:54:34 ip-2.2.2.2 charon: 06[ENC] parsed INFORMATIONAL_V1 request 
645458918 [ HASH D ]
Feb 27 13:54:34 ip-2.2.2.2 charon: 06[IKE] received DELETE for ESP CHILD_SA 
with SPI 396b2973
Feb 27 13:54:34 ip-2.2.2.2 charon: 06[IKE] CHILD_SA not found, ignored
Feb 27 13:54:34 ip-2.2.2.2 charon: 05[NET] received packet: from 1.1.1.1[4500] 
to 2.2.2.2[4500] (172 bytes)
Feb 27 13:54:34 ip-2.2.2.2 charon: 05[ENC] parsed QUICK_MODE request 3880286434 
[ HASH SA No ID ID ]
Feb 27 13:54:34 ip-2.2.2.2 charon: 05[IKE] no matching CHILD_SA config found 
for 10.88.16.0/22 === 172.28.0.0/16
Feb 27 13:54:34 ip-2.2.2.2 charon: 05[ENC] generating INFORMATIONAL_V1 request 
4022714658 [ HASH N(INVAL_ID) ]
Feb 27 13:54:34 ip-2.2.2.2 charon: 05[NET] sending packet: from 2.2.2.2[4500] 
to 1.1.1.1[4500] (76 bytes)
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[NET] received packet: from 1.1.1.1[4500] 
to 2.2.2.2[4500] (172 bytes)
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[ENC] parsed QUICK_MODE request 1802074258 
[ HASH SA No ID ID ]
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[ENC] received HASH payload does not match
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[IKE] integrity check failed
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[ENC] generating INFORMATIONAL_V1 request 
2322290261 [ HASH N(INVAL_HASH) ]
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[NET] sending packet: from 2.2.2.2[4500] 
to 1.1.1.1[4500] (76 bytes)
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[IKE] QUICK_MODE request with message ID 
1802074258 processing failed
Feb 27 13:54:37 ip-2.2.2.2 charon: 08[NET] received packet: from 1.1.1.1[4500] 
to 2.2.2.2[4500] (172 bytes)
Feb 27 13:54:37 ip-2.2.2.2 charon: 08[ENC] parsed QUICK_MODE request 2672322312 
[ HASH SA No ID ID ]
Feb 27 13:54:37 ip-2.2.2.2 charon: 08[ENC] received HASH payload does not match
Feb 27 13:54:37 ip-2.2.2.2 charon: 08[IKE] integrity check failed
Feb 27 13:54:37 ip-2.2.2.2 charon: 08[ENC] generating INFORMATIONAL_V1 request 
1930495837 [ HASH N(INVAL_HASH) ]
Feb 27 13:54:37 ip-2.2.2.2 charon: 08[NET] sending packet: from 2.2.2.2[4500] 
to 1.1.1.1[4500] (76 bytes)
Feb 27 13:54:37 ip-2.2.2.2 charon: 08[IKE] QUICK_MODE request with message ID 
2672322312 processing failed
Feb 27 13:54:39 ip-2.2.2.2 charon: 10[NET] received packet: from 1.1.1.1[4500] 
to 2.2.2.2[4500] (172 bytes)
Feb 27 13:54:39 ip-2.2.2.2 charon: 10[ENC] parsed QUICK_MODE request 44052 
[ HASH SA No ID ID ]
Feb 27 13:54:39 ip-2.2.2.2 charon: 10[IKE] no matching CHILD_SA config found 
for 10.65.32.0/20 === 172.28.0.0/16
Feb 27 13:54:39 ip-2.2.2.2 charon: 10[ENC] generating INFORMATIONAL_V1 request 
1713249855 [ HASH N(INVAL_ID) ]
Feb 27 13:54:39 ip-2.2.2.2 charon: 10[NET] sending packet: from 2.2.2.2[4500] 
to 1.1.1.1[4500] (76 bytes)
Feb 27 13:54:40 ip-2.2.2.2 charon: 09[NET] received packet: from 1.1.1.1[4500] 
to 2.2.2.2[4500] (76 bytes)
Feb 27 13:54:40 ip-2.2.2.2 charon: 09[ENC] parsed INFORMATIONAL_V1 request 
1348181082 [ HASH D ]
Feb 27 13:54:40 ip-2.2.2.2 charon: 09[IKE] received DELETE for ESP CHILD_SA 
with SPI 55e242ba
Feb 27 13:54:40 ip-2.2.2.2 charon: 09[IKE] CHILD_SA not found, ignored





Doug Tucker
Sr. Director of Networking & Linux Operations

o: 817.975.5832  |  m: 817.975.5832

e: doug.tuc...@navigaglobal.com



[cid:9b32ac9a-70da-4551-bc68-ebd42d85e6d4]<https://navigaglobal.com/>

[cid:567b206d-0003-40c4-b48c-57d4fd43b13f]<https://www.facebook.com/navigaglobal>
  [cid:1278c334-c0e6-4ff5-a3a0-969694051463] <https://twitter.com/navigaglobal> 
  [cid:5996635e-09bc-4456-a156-ef19bb04b2d5] 
<https://www.linkedin.com/company/navigaglobal/about/>



Newscycle Solutions is now Naviga. Learn more.<https://navigaglobal.com/>

CONFIDENTIALITY NOTICE: The contents of this email message and any attachments 
are intended solely for the addressee(s) and may contain confidential and/or 
privileged information and may be legally protected from disclosure. If you are 
not the intended recipient of this message or their agent, or if this message 
has been addressed to you in error, please immediately alert the sender by 
reply email and then delete this message and any attachments. If you are not 
the intended recipient, you are hereby notified that any use, dissemination, 
copying, or storage of this message or its attachments is strictly prohibited.





[strongSwan] left subnet stanza

2019-07-01 Thread Doug Tucker
All,


Looking for some help on the leftsubnet = stanza.  Is there a way to put 
multiple subnets on the same line?  I need to give access to 3 subnets on my 
side from 1 subnet on theirs.  I have tried:


leftsubnet = 10.10.10.0/24 10.10.11.0/24 (and tried putting a comma in between 
them but it doesn't like that)


using leftsubnet = 0.0.0.0/0 works, but that apparently opens it to any subnet 
on my side they have a mapping to on theirs...so I lose control.


Is there any way to have multiple subnets on my side on one line?


Doug Tucker
Sr. Director of Networking & Linux Operations

o: 817.975.5832  |  m: 817.975.5832

e: doug.tuc...@navigaglobal.com



[cid:image001.png@01D4FEC7.F32F3010]<https://navigaglobal.com/>

[cid:image002.png@01D4FEC7.F32F3010]<https://www.facebook.com/navigaglobal>  
[cid:image003.png@01D4FEC7.F32F3010] <https://twitter.com/navigaglobal>   
[cid:image004.png@01D4FEC7.F32F3010] 
<https://www.linkedin.com/company/navigaglobal/about/>



Newscycle Solutions is now Naviga. Learn more.<https://navigaglobal.com/>

CONFIDENTIALITY NOTICE: The contents of this email message and any attachments 
are intended solely for the addressee(s) and may contain confidential and/or 
privileged information and may be legally protected from disclosure. If you are 
not the intended recipient of this message or their agent, or if this message 
has been addressed to you in error, please immediately alert the sender by 
reply email and then delete this message and any attachments. If you are not 
the intended recipient, you are hereby notified that any use, dissemination, 
copying, or storage of this message or its attachments is strictly prohibited.





[strongSwan] leftsubnet stanza

2019-06-05 Thread Doug Tucker
All,


Looking for some help on the leftsubnet = stanza.  Is there a way to put 
multiple subnets on the same line?  I need to give access to 3 subnets on my 
side from 1 subnet on theirs.  I have tried:


leftsubnet = 10.10.10.0/24 10.10.11.0/24 (and tried putting a comma in between 
them but it doesn't like that)


using leftsubnet = 0.0.0.0/0 works, but that apparently opens it to any subnet 
on my side they have a mapping to on theirs...so I lose control.


Is there any way to have multiple subnets on my side on one line?




Doug Tucker
Sr. Director of Networking & Linux Operations

o: 817.975.5832  |  m: 817.975.5832

e: doug.tuc...@navigaglobal.com



[cid:image001.png@01D4FEC7.F32F3010]<https://navigaglobal.com/>

[cid:image002.png@01D4FEC7.F32F3010]<https://www.facebook.com/navigaglobal>  
[cid:image003.png@01D4FEC7.F32F3010] <https://twitter.com/navigaglobal>   
[cid:image004.png@01D4FEC7.F32F3010] 
<https://www.linkedin.com/company/navigaglobal/about/>



Newscycle Solutions is now Naviga. Learn more.<https://navigaglobal.com/>

CONFIDENTIALITY NOTICE: The contents of this email message and any attachments 
are intended solely for the addressee(s) and may contain confidential and/or 
privileged information and may be legally protected from disclosure. If you are 
not the intended recipient of this message or their agent, or if this message 
has been addressed to you in error, please immediately alert the sender by 
reply email and then delete this message and any attachments. If you are not 
the intended recipient, you are hereby notified that any use, dissemination, 
copying, or storage of this message or its attachments is strictly prohibited.





Re: [strongSwan] tunnel up, traffic stops flowing

2019-03-07 Thread Doug Tucker
More info.  I can duplicate this issue on every instance I have that I yum 
update to all the latest packages on centos 7.x.  They all exhibit this same 
behaviour.  I am running strongswan 5.7.1 and centos:


[root@ip-100-97-48-212 ~]# cat /etc/*-release
CentOS Linux release 7.6.1810 (Core)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

CentOS Linux release 7.6.1810 (Core)
CentOS Linux release 7.6.1810 (Core)



Hosts on centos 7.4.x do not exhibit this issue.


Doug Tucker

Sr. Network Administrator

o: 817.975.5832  |  m: 817.975.5832

e: doug.tuc...@newscycle.com



[Newscycle Solutions]<http://www.newscycle.com/>

Breakthrough technologies for media



Twitter<http://www.twitter.com/newscycle_news>  |  
Facebook<https://www.facebook.com/NEWSCYCLESolutions>  |  
Linkedin<https://www.linkedin.com/company/newscycle-solutions>



CONFIDENTIALITY NOTICE: The contents of this email message and any attachments 
are intended solely for the addressee(s) and may contain confidential and/or 
privileged information and may be legally protected from disclosure. If you are 
not the intended recipient of this message or their agent, or if this message 
has been addressed to you in error, please immediately alert the sender by 
reply email and then delete this message and any attachments. If you are not 
the intended recipient, you are hereby notified that any use, dissemination, 
copying, or storage of this message or its attachments is strictly prohibited.



From: Users  on behalf of Doug Tucker 

Sent: Wednesday, March 6, 2019 10:39:24 AM
To: users@lists.strongswan.org
Subject: [strongSwan] tunnel up, traffic stops flowing



NCS WARNING: External email. Please verify sender before opening attachments or 
clicking on links.



I have an issue with a tunnel where the tunnel is up, but after some time 
incoming traffic stops flowing.  All traffic is initiated from the remote end.  
In order to get traffic flowing again I have to initiate some traffic to the 
other side.  Any ideas why this might be happening and how to correct?


Doug Tucker

Sr. Network Administrator

o: 817.975.5832  |  m: 817.975.5832

e: doug.tuc...@newscycle.com



[Newscycle Solutions]<http://www.newscycle.com/>

Breakthrough technologies for media



Twitter<http://www.twitter.com/newscycle_news>  |  
Facebook<https://www.facebook.com/NEWSCYCLESolutions>  |  
Linkedin<https://www.linkedin.com/company/newscycle-solutions>



CONFIDENTIALITY NOTICE: The contents of this email message and any attachments 
are intended solely for the addressee(s) and may contain confidential and/or 
privileged information and may be legally protected from disclosure. If you are 
not the intended recipient of this message or their agent, or if this message 
has been addressed to you in error, please immediately alert the sender by 
reply email and then delete this message and any attachments. If you are not 
the intended recipient, you are hereby notified that any use, dissemination, 
copying, or storage of this message or its attachments is strictly prohibited.



[strongSwan] tunnel up, traffic stops flowing

2019-03-06 Thread Doug Tucker
I have an issue with a tunnel where the tunnel is up, but after some time 
incoming traffic stops flowing.  All traffic is initiated from the remote end.  
In order to get traffic flowing again I have to initiate some traffic to the 
other side.  Any ideas why this might be happening and how to correct?


Doug Tucker

Sr. Network Administrator

o: 817.975.5832  |  m: 817.975.5832

e: doug.tuc...@newscycle.com



[Newscycle Solutions]<http://www.newscycle.com/>

Breakthrough technologies for media



Twitter<http://www.twitter.com/newscycle_news>  |  
Facebook<https://www.facebook.com/NEWSCYCLESolutions>  |  
Linkedin<https://www.linkedin.com/company/newscycle-solutions>



CONFIDENTIALITY NOTICE: The contents of this email message and any attachments 
are intended solely for the addressee(s) and may contain confidential and/or 
privileged information and may be legally protected from disclosure. If you are 
not the intended recipient of this message or their agent, or if this message 
has been addressed to you in error, please immediately alert the sender by 
reply email and then delete this message and any attachments. If you are not 
the intended recipient, you are hereby notified that any use, dissemination, 
copying, or storage of this message or its attachments is strictly prohibited.



[strongSwan] remote peer IP falls into crypto domain right subnet

2018-09-26 Thread Doug Tucker
I've done some searching and am not finding any info on this.  We had a client 
who wanted to offer a /16 as his right subnet and his outside peer IP of his 
ASA fell into the /16 they were offering.  With a cisco ASA this is a non issue 
as in this type of scenario cisco exempts out that single IP from the routing 
table but with strongswan 5.6.3 it appears to not do so by default and caused 
some odd routing anomalies to this IP.  Does anyone know of a configuration 
directive for dealing with this?


Doug Tucker

Sr. Network Administrator

o: 817.975.5832  |  m: 817.975.5832

e: doug.tuc...@newscycle.com



[Newscycle Solutions]<http://www.newscycle.com/>

Breakthrough technologies for media



Twitter<http://www.twitter.com/newscycle_news>  |  
Facebook<https://www.facebook.com/NEWSCYCLESolutions>  |  
Linkedin<https://www.linkedin.com/company/newscycle-solutions>



CONFIDENTIALITY NOTICE: The contents of this email message and any attachments 
are intended solely for the addressee(s) and may contain confidential and/or 
privileged information and may be legally protected from disclosure. If you are 
not the intended recipient of this message or their agent, or if this message 
has been addressed to you in error, please immediately alert the sender by 
reply email and then delete this message and any attachments. If you are not 
the intended recipient, you are hereby notified that any use, dissemination, 
copying, or storage of this message or its attachments is strictly prohibited.



Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds

2018-07-24 Thread Doug Tucker
I did indeed change the value from no to yes with delete_rekeyed in 
charon.conf.  I also tried setting it in the strongswan.conf itself, neither 
has any effect on the the spawned rekeys.


I got the config and the debug logs from the customer (he is using  a cisco 
router).  I don't see anything in his config that stands out that would cause 
this, and while we see the event in his logs just like with ours, there is no 
indication as to why it is happening.  He has dozens of other tunnels to other 
locations on this device and they don't appear to occur with them.


Thank you for all of the feedback.


Doug Tucker

Sr. Network Administrator

o: 817.975.5832  |  m: 817.975.5832

e: doug.tuc...@newscycle.com



[Newscycle Solutions]<http://www.newscycle.com/>

Breakthrough technologies for media



Twitter<http://www.twitter.com/newscycle_news>  |  
Facebook<https://www.facebook.com/NEWSCYCLESolutions>  |  
Linkedin<https://www.linkedin.com/company/newscycle-solutions>



CONFIDENTIALITY NOTICE: The contents of this email message and any attachments 
are intended solely for the addressee(s) and may contain confidential and/or 
privileged information and may be legally protected from disclosure. If you are 
not the intended recipient of this message or their agent, or if this message 
has been addressed to you in error, please immediately alert the sender by 
reply email and then delete this message and any attachments. If you are not 
the intended recipient, you are hereby notified that any use, dissemination, 
copying, or storage of this message or its attachments is strictly prohibited.



From: Noel Kuntze 
Sent: Tuesday, July 24, 2018 9:38:55 AM
To: Doug Tucker; users@lists.strongswan.org
Subject: Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds

You really need to get logs from the other side.
Evidently, as shown by the logs you provided, _the other side_ is requesting 
those tunnels.
And it is likely that you did not set the value correctly.
In (/etc/strongswan.d/)charon.conf, the value should be set. Check if that is 
the case.

On 24.07.2018 17:25, Doug Tucker wrote:
> Setting that value had a negative effect.  Not only is it not deleting the 
> old rekeys (they continue to accumulate at 1 every 30 seconds or so), but now 
> it creates 2 installed tunnels:
>
>
>  sph-main{8}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ccf1f516_i 
> 968001a4_o
> sph-main{8}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, 
> rekeying in 7 hours
> sph-main{8}:   x.x.x.x/16 === x.x.x.x/28
> sph-main{9}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c57fde42_i 
> 7d27b8fb_o
> sph-main{9}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, 
> rekeying in 7 hours
> sph-main{9}:   x.x.x.x/16 === x.x.x.x/28
>
>
>
> *Doug Tucker*
>
> Sr. Network Administrator
>
> *o: *817.975.5832*  |  *m: 817.975.5832
>
> *e:* doug.tuc...@newscycle.com
>
> * *
>
> Newscycle Solutions <http://www.newscycle.com/>
>
> *Breakthrough technologies for media*
>
> * *
>
> *Twitter <http://www.twitter.com/newscycle_news>**  |  Facebook 
> <https://www.facebook.com/NEWSCYCLESolutions>  |  Linkedin 
> <https://www.linkedin.com/company/newscycle-solutions>***
>
> * *
>
> CONFIDENTIALITY NOTICE: The contents of this email message and any 
> attachments are intended solely for the addressee(s) and may contain 
> confidential and/or privileged information and may be legally protected from 
> disclosure. If you are not the intended recipient of this message or their 
> agent, or if this message has been addressed to you in error, please 
> immediately alert the sender by reply email and then delete this message and 
> any attachments. If you are not the intended recipient, you are hereby 
> notified that any use, dissemination, copying, or storage of this message or 
> its attachments is strictly prohibited.
>
>
> -----

Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds

2018-07-24 Thread Doug Tucker
Setting that value had a negative effect.  Not only is it not deleting the old 
rekeys (they continue to accumulate at 1 every 30 seconds or so), but now it 
creates 2 installed tunnels:


 sph-main{8}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ccf1f516_i 
968001a4_o
sph-main{8}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, 
rekeying in 7 hours
sph-main{8}:   x.x.x.x/16 === x.x.x.x/28
sph-main{9}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c57fde42_i 
7d27b8fb_o
sph-main{9}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, 
rekeying in 7 hours
sph-main{9}:   x.x.x.x/16 === x.x.x.x/28




Doug Tucker

Sr. Network Administrator

o: 817.975.5832  |  m: 817.975.5832

e: doug.tuc...@newscycle.com



[Newscycle Solutions]<http://www.newscycle.com/>

Breakthrough technologies for media



Twitter<http://www.twitter.com/newscycle_news>  |  
Facebook<https://www.facebook.com/NEWSCYCLESolutions>  |  
Linkedin<https://www.linkedin.com/company/newscycle-solutions>



CONFIDENTIALITY NOTICE: The contents of this email message and any attachments 
are intended solely for the addressee(s) and may contain confidential and/or 
privileged information and may be legally protected from disclosure. If you are 
not the intended recipient of this message or their agent, or if this message 
has been addressed to you in error, please immediately alert the sender by 
reply email and then delete this message and any attachments. If you are not 
the intended recipient, you are hereby notified that any use, dissemination, 
copying, or storage of this message or its attachments is strictly prohibited.



From: Noel Kuntze 
Sent: Tuesday, July 24, 2018 4:02:13 AM
To: Doug Tucker; users@lists.strongswan.org
Subject: Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds

Hi,

You can use charon.delete_rekeyed = yes. But the better solution is to check 
the logs of the CISCO side to understand why it is doing that.

Kind regards

Noel

On 24.07.2018 05:29, Doug Tucker wrote:
>
> Have an issue I've never seen before.  Connecting to a remote Cisco router.  
> Have verified settings on the cisco, our rekey options look the same.  We get 
> an established connection, then 30 seconds later a rekey happens and it 
> installs under the new one.  This goes on forever.  Here are the logs  
> showing the original and 1 rekey.  If allowed to continue the number of SA 
> increments as such:
>
>
> Connections:
> sph-main:  x.x.x.x...x.x.x.x  IKEv1, dpddelay=15s
> sph-main:   local:  [x.x.x.x] uses pre-shared key authentication
> sph-main:   remote: [x.x.x.x] uses pre-shared key authentication
> sph-main:   child:  x.x.0.0/16 === x.x.x.x/28 TUNNEL, dpdaction=clear
> Routed Connections:
> sph-main{1}:  ROUTED, TUNNEL, reqid 1
> sph-main{1}:   x.x.0.0/16 === x.x.x.x/28
> Security Associations (1 up, 0 connecting):
> sph-main[1]: ESTABLISHED 3 minutes ago, 
> x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x]
> sph-main[1]: IKEv1 SPIs: 6a4fba86489e9e61_i a244a0079084bf87_r*, 
> pre-shared key reauthentication in 7 hours
> sph-main[1]: IKE proposal: 
> AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> sph-main{2}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
> sph-main{2}:   x.x.0.0/16 === x.x.x.x/28
> sph-main{3}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
> sph-main{3}:   x.x.0.0/16 === x.x.x.x/28
> sph-main{4}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
> sph-main{4}:   x.x.0.0/16 === x.x.x.x/28
> sph-main{5}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
> sph-main{5}:   x.x.0.0/16 === x.x.x.x/28
> sph-main{6}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
> sph-main{6}:   x.x.0.0/16 === x.x.x.x/28
> sph-main{7}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
> sph-main{7}:   x.x.0.0/16 === x.x.x.x/28
> sph-main{8}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c781d0ed_i 
> d0a8e566_o
> sph-main{8}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, 
> rekeying in 7 hours
> sph-main{8}:   x.x.0.0/16 === x.x.x.x/28
>
> Here are my logs:
>
>
> Jul 24 03:17:31 ip-x-x-x-x journal: Suppressed 379 messages from 
> /user.slice/user-x0.slice
> Jul 24 03:17:31 ip-x-x-x-x charon: 11[NET] received packet: from x.x.x.x[500] 
> to x.x.x.x[500] (34x bytes)
> Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] parsed ID_PROT request 0 [ KE No V 
> V V NAT-D NAT-D ]
> Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received DPD vendor ID
> Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] received unknown vendor ID: 
> 9f:xx:1d:9b:4x:9f:9e:61:5e:40:3x:7e:a5:6a:96:1f
> Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received XAuth vendor ID
> Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] local host is behind NAT, sending 

Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds

2018-07-24 Thread Doug Tucker
I have auto = ignore and closeaction = clear, and have not set uniqueids at 
all (it is left at its default).


Doug Tucker

Sr. Network Administrator

o: 817.975.5832  |  m: 817.975.5832

e: doug.tuc...@newscycle.com



[Newscycle Solutions]<http://www.newscycle.com/>

Breakthrough technologies for media



Twitter<http://www.twitter.com/newscycle_news>  |  
Facebook<https://www.facebook.com/NEWSCYCLESolutions>  |  
Linkedin<https://www.linkedin.com/company/newscycle-solutions>



CONFIDENTIALITY NOTICE: The contents of this email message and any attachments 
are intended solely for the addressee(s) and may contain confidential and/or 
privileged information and may be legally protected from disclosure. If you are 
not the intended recipient of this message or their agent, or if this message 
has been addressed to you in error, please immediately alert the sender by 
reply email and then delete this message and any attachments. If you are not 
the intended recipient, you are hereby notified that any use, dissemination, 
copying, or storage of this message or its attachments is strictly prohibited.



From: Jafar Al-Gharaibeh 
Sent: Tuesday, July 24, 2018 9:03:07 AM
To: Doug Tucker; users@lists.strongswan.org
Cc: Noel Kuntze
Subject: Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds

Doug,

Check your configuration; if you have:

uniqueids=yes
auto=start
closeaction=restart

then that is the cause of the issue. That combination is known to get you 
into an infinite rekey loop.

--Jafar


On 7/24/2018 5:02 AM, Noel Kuntze wrote:
> Hi,
>
> You can use charon.delete_rekeyed = yes. But the better solution is to check 
> the logs of the CISCO side to understand why it is doing that.
>
> Kind regards
>
> Noel
>
> On 24.07.2018 05:29, Doug Tucker wrote:
>> Have an issue I've never seen before.  Connecting to a remote Cisco router.  
>> Have verified settings on the Cisco; our rekey options look the same.  We 
>> get an established connection, then 30 seconds later a rekey happens and it 
>> installs under the new one.  This goes on forever.  Here are the logs  
>> showing the original and 1 rekey.  If allowed to continue, the number of SAs 
>> increments as follows:
>>
>>
>> Connections:
>>  sph-main:  x.x.x.x...x.x.x.x  IKEv1, dpddelay=15s
>>  sph-main:   local:  [x.x.x.x] uses pre-shared key authentication
>>  sph-main:   remote: [x.x.x.x] uses pre-shared key authentication
>>  sph-main:   child:  x.x.0.0/16 === x.x.x.x/28 TUNNEL, dpdaction=clear
>> Routed Connections:
>>  sph-main{1}:  ROUTED, TUNNEL, reqid 1
>>  sph-main{1}:   x.x.0.0/16 === x.x.x.x/28
>> Security Associations (1 up, 0 connecting):
>>  sph-main[1]: ESTABLISHED 3 minutes ago, 
>> x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x]
>>  sph-main[1]: IKEv1 SPIs: 6a4fba86489e9e61_i a244a0079084bf87_r*, 
>> pre-shared key reauthentication in 7 hours
>>  sph-main[1]: IKE proposal: 
>> AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>>  sph-main{2}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
>>  sph-main{2}:   x.x.0.0/16 === x.x.x.x/28
>>  sph-main{3}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
>>  sph-main{3}:   x.x.0.0/16 === x.x.x.x/28
>>  sph-main{4}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
>>  sph-main{4}:   x.x.0.0/16 === x.x.x.x/28
>>  sph-main{5}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
>>  sph-main{5}:   x.x.0.0/16 === x.x.x.x/28
>>  sph-main{6}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
>>  sph-main{6}:   x.x.0.0/16 === x.x.x.x/28
>>  sph-main{7}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
>>  sph-main{7}:   x.x.0.0/16 === x.x.x.x/28
>>  sph-main{8}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c781d0ed_i 
>> d0a8e566_o
>>  sph-main{8}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, 
>> rekeying in 7 hours
>>  sph-main{8}:   x.x.0.0/16 === x.x.x.x/28
>>
>> Here are my logs:
>>
>>
>> Jul 24 03:17:31 ip-x-x-x-x journal: Suppressed 379 messages from 
>> /user.slice/user-x0.slice
>> Jul 24 03:17:31 ip-x-x-x-x charon: 11[NET] received packet: from 
>> x.x.x.x[500] to x.x.x.x[500] (34x bytes)
>> Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] parsed ID_PROT request 0 [ KE No 
>> V V V NAT-D NAT-D ]
>> Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received DPD vendor ID
>> Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] received unknown vendor ID: 
>> 9f:xx:1d:9b:4x:9f:9e:61:5e:40:3x:7e:a5:6a:96:1f
>> Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received XAuth vendor ID
>> Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] local host is behind NAT, sending 

[strongSwan] Strongswan 5.6.3 rekey every 30 seconds

2018-07-23 Thread Doug Tucker
x-x charon: 07[ENC] parsed INFORMATIONAL_V1 request 
1316377373 [ HASH N(DPD_ACK) ]
Jul 24 03:1x:01 ip-x-x-x-x charon: 09[IKE] sending DPD request
Jul 24 03:1x:01 ip-x-x-x-x charon: 09[ENC] generating INFORMATIONAL_V1 request 
2941x32606 [ HASH N(DPD) ]
Jul 24 03:1x:01 ip-x-x-x-x charon: 09[NET] sending packet: from x.x.x.x[4500] 
to x.x.x.x[4500] (92 bytes)
Jul 24 03:1x:01 ip-x-x-x-x charon: 10[NET] received packet: from x.x.x.x[4500] 
to x.x.x.x[4500] (92 bytes)
Jul 24 03:1x:01 ip-x-x-x-x charon: 10[ENC] parsed INFORMATIONAL_V1 request 
465745044 [ HASH N(DPD_ACK) ]
Jul 24 03:1x:02 ip-x-x-x-x charon: 11[NET] received packet: from x.x.x.x[4500] 
to x.x.x.x[4500] (3x0 bytes)
Jul 24 03:1x:02 ip-x-x-x-x charon: 11[ENC] parsed QUICK_MODE request 1506132661 
[ HASH SA No KE ID ID ]
Jul 24 03:1x:02 ip-x-x-x-x charon: 11[IKE] received 460x00 lifebytes, 
configured 0
Jul 24 03:1x:02 ip-x-x-x-x charon: 11[IKE] detected rekeying of CHILD_SA 
sph-main{2}
Jul 24 03:1x:02 ip-x-x-x-x charon: 11[ENC] generating QUICK_MODE response 
1506132661 [ HASH SA No KE ID ID ]
Jul 24 03:1x:02 ip-x-x-x-x charon: 11[NET] sending packet: from x.x.x.x[4500] 
to x.x.x.x[4500] (396 bytes)
Jul 24 03:1x:02 ip-x-x-x-x charon: 12[NET] received packet: from x.x.x.x[4500] 
to x.x.x.x[4500] (60 bytes)
Jul 24 03:1x:02 ip-x-x-x-x charon: 12[ENC] parsed QUICK_MODE request 1506132661 
[ HASH ]
Jul 24 03:1x:02 ip-x-x-x-x charon: 12[IKE] CHILD_SA sph-main{3} established 
with SPIs c3cf290a_i 1cab665a_o and TS x.x.0.0/16 === x.x.x.x/2x

Thank you in advance for any insight into resolving this.


Sincerely,


Doug Tucker