Hi Paul,

We ended up narrowing it down to a configuration where leftsubnets is used with more than one subnet - Libreswan and Strongswan don't like it.

Therefore we changed our configuration from the previous one to a new connection per subnet. However, this also goes haywire with multiple new subnets being raised (snapshot of ipsec status below):

000 #596: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 46819s; isakmp#0; idle; import:respond to stranger
000 #596: "ssl-iptrafficsig-1-subnet-3" ref=0 refhim=0 Traffic:
000 #594: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 46759s; isakmp#0; idle; import:respond to stranger
000 #594: "ssl-iptrafficsig-1-subnet-3" ref=0 refhim=0 Traffic:
000 #520: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 44229s; isakmp#0; idle; import:respond to stranger
000 #520: "ssl-iptrafficsig-1-subnet-3" ref=0 refhim=0 Traffic:
000 #468: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 42526s; isakmp#0; idle; import:respond to stranger
000 #468: "ssl-iptrafficsig-1-subnet-3" ref=0 refhim=0 Traffic:
000 #447: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 41541s; isakmp#0; idle; import:respond to stranger
000 #447: "ssl-iptrafficsig-1-subnet-3" ref=0 refhim=0 Traffic:
000 #403: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 39657s; isakmp#0; idle; import:respond to stranger
000 #403: "ssl-iptrafficsig-1-subnet-3" ref=0 refhim=0 Traffic:
000 #253: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 34760s; isakmp#0; idle; import:respond to stranger
000 #253: "ssl-iptrafficsig-1-subnet-3" ref=0 refhim=0 Traffic:
000 #1622: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 26947s; isakmp#1621; idle; import:respond to stranger
000 #1622: "ssl-iptrafficsig-1-subnet-3" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761 Traffic: ESPout=76B ESPin=0B! ESPmax=0B
000 #1621: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 84547s; isakmp#0; idle; import:respond to stranger
000 #1621: "ssl-iptrafficsig-1-subnet-3" ref=0 refhim=0 Traffic:
000 #1559: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 24661s; isakmp#1558; idle; import:respond to stranger
000 #1559: "ssl-iptrafficsig-1-subnet-3" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761 Traffic: ESPout=76B ESPin=0B! ESPmax=0B
000 #1558: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 82261s; isakmp#0; idle; import:respond to stranger
000 #1558: "ssl-iptrafficsig-1-subnet-3" ref=0 refhim=0 Traffic:
000 #1547: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 24136s; isakmp#1546; idle; import:respond to stranger
000 #1547: "ssl-iptrafficsig-1-subnet-3" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=0B
000 #1546: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 81736s; isakmp#0; idle; import:respond to stranger
000 #1546: "ssl-iptrafficsig-1-subnet-3" ref=0 refhim=0 Traffic:

conn ssl-iptrafficsig-1-subnet-1
    authby= secret
    auto= start
    type= tunnel
    forceencaps= yes
    rekeymargin= 3m
    keyingtries= %forever
    salifetime= 8h
    ikelifetime= 24h
    ikev2= insist
    #RTT
    left= 10.59.31.49
    leftsubnet= 10.1.0.0/16
    leftid= [email protected]
    leftnexthop= 10.59.31.54
    #SAA
    right= 52.48.93.253
    rightid= [email protected]
    rightsubnet= 10.199.0.0/28
    ike= aes256-sha2_512;modp2048
    phase2= esp
    phase2alg= aes256-sha2_512;modp2048
    pfs= yes
    sha2_truncbug= no
    #Dead Peer Detection
    dpdaction= restart

conn ssl-iptrafficsig-1-subnet-2
    authby= secret
    auto= start
    type= tunnel
    forceencaps= yes
    rekeymargin= 3m
    keyingtries= %forever
    salifetime= 8h
    ikelifetime= 24h
    ikev2= insist
    #RTT
    left= 10.59.31.49
    leftsubnet= 10.2.0.0/16
    leftid= [email protected]
    leftnexthop= 10.59.31.54
    #SAA
    right= 52.48.93.253
    rightid= [email protected]
    rightsubnet= 10.199.0.0/28
    ike= aes256-sha2_512;modp2048
    phase2= esp
    phase2alg= aes256-sha2_512;modp2048
    pfs= yes
    sha2_truncbug= no
    #Dead Peer Detection
    dpdaction= restart

conn ssl-iptrafficsig-1-subnet-3
    authby= secret
    auto= start
    type= tunnel
    forceencaps= yes
    rekeymargin= 3m
    keyingtries= %forever
    salifetime= 8h
    ikelifetime= 24h
    ikev2= insist
    #RTT
    left= 10.59.31.49
    leftsubnet= 172.21.12.0/22
    leftid= [email protected]
    leftnexthop= 10.59.31.54
    #SAA
    right= 52.48.93.253
    rightid= [email protected]
    rightsubnet= 10.199.0.0/28
    ike= aes256-sha2_512;modp2048
    phase2= esp
    phase2alg= aes256-sha2_512;modp2048
    pfs= yes
    sha2_truncbug= no
    #Dead Peer Detection
    dpdaction= restart

It works fine with one subnet, but as soon as the 2nd or 3rd subnet is added it goes haywire.

Please see our log and the strongswan log below:

[root@ip-10-199-0-6 strongswan]# strongswan up motts_nrts_gateway_2
initiating IKE_SA motts_nrts_gateway_2[51] to extip
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.199.0.6[500] to extip[500] (1404 bytes)
received packet: from extip[500] to 10.199.0.6[500] (424 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
authentication of '[email protected]' (myself) with pre-shared key
establishing CHILD_SA motts_nrts_gateway_2
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 10.199.0.6[4500] to extip[4500] (464 bytes)
retransmit 1 of request with message ID 1
sending packet: from 10.199.0.6[4500] to extip[4500] (464 bytes)
retransmit 2 of request with message ID 1
sending packet: from 10.199.0.6[4500] to extip[4500] (464 bytes)
retransmit 3 of request with message ID 1
sending packet: from 10.199.0.6[4500] to extip[4500] (464 bytes)
sending keep alive to extip[4500]
retransmit 4 of request with message ID 1
sending packet: from 10.199.0.6[4500] to extip[4500] (464 bytes)
sending keep alive to extip[4500]
sending keep alive to extip[4500]
retransmit 5 of request with message ID 1
sending packet: from 10.199.0.6[4500] to extip[4500] (464 bytes)
received packet: from extip[4500] to 10.199.0.6[4500] (424 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) ]
received message ID 0, expected 1. Ignored
sending keep alive to extip[4500]
sending keep alive to extip[4500]
sending keep alive to extip[4500]
giving up after 5 retransmits
peer not responding, trying again (2/0)
initiating IKE_SA motts_nrts_gateway_2[51] to extip
establishing connection 'motts_nrts_gateway_2' failed

Our Log:

May 18 07:18:08 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1643: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha512_256 prf=OAKLEY_SHA2_512 group=MODP2048}
May 18 07:18:08 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1643: new NAT mapping for #1643, was 52.48.93.253:500, now 52.48.93.253:4500
May 18 07:18:08 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1643: switched from "ssl-iptrafficsig-1-subnet-1" to "ssl-iptrafficsig-1-subnet-3"
May 18 07:18:08 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1643: IKEv2 mode peer ID is ID_USER_FQDN: '[email protected]'
May 18 07:18:08 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1644: negotiated tunnel [172.21.12.0,172.21.15.255:0-65535 0] -> [10.199.0.0,10.199.0.15:0-65535 0]
May 18 07:18:08 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1644: STATE_PARENT_R2: received v2I2, PARENT SA established tunnel mode {ESP/NAT=>0xc3a8826b <0x39cd4f43 xfrm=AES_256-HMAC_SHA2_512 NATOA=none NATD=52.48.93.253:4500 DPD=passive}
May 18 07:18:16 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #848: deleting state #848 (STATE_PARENT_R2)
May 18 07:18:16 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #848: ESP traffic information: in=0B out=0B
May 18 07:20:38 fw pluto[21124]: packet from 52.48.93.253:500: initial parent SA message received on 10.59.31.49:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW
May 18 07:20:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1645: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha512_256 prf=OAKLEY_SHA2_512 group=MODP2048}
May 18 07:20:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1645: new NAT mapping for #1645, was 52.48.93.253:500, now 52.48.93.253:4500
May 18 07:20:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1645: switched from "ssl-iptrafficsig-1-subnet-1" to "ssl-iptrafficsig-1-subnet-3"
May 18 07:20:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1645: IKEv2 mode peer ID is ID_USER_FQDN: '[email protected]'
May 18 07:20:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1646: negotiated tunnel [172.21.12.0,172.21.15.255:0-65535 0] -> [10.199.0.0,10.199.0.15:0-65535 0]
May 18 07:20:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1646: STATE_PARENT_R2: received v2I2, PARENT SA established tunnel mode {ESP/NAT=>0xc052fa1d <0x11dab2bd xfrm=AES_256-HMAC_SHA2_512 NATOA=none NATD=52.48.93.253:4500 DPD=passive}
May 18 07:20:53 fw pluto[21124]: packet from 52.48.93.253:500: initial parent SA message received on 10.59.31.49:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW
May 18 07:20:53 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1647: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha512_256 prf=OAKLEY_SHA2_512 group=MODP2048}
May 18 07:20:53 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1647: new NAT mapping for #1647, was 52.48.93.253:500, now 52.48.93.253:4500
May 18 07:20:53 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1647: switched from "ssl-iptrafficsig-1-subnet-1" to "ssl-iptrafficsig-1-subnet-3"
May 18 07:20:53 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1647: IKEv2 mode peer ID is ID_USER_FQDN: '[email protected]'
May 18 07:20:53 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1648: negotiated tunnel [172.21.12.0,172.21.15.255:0-65535 0] -> [10.199.0.0,10.199.0.15:0-65535 0]
May 18 07:20:53 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1648: STATE_PARENT_R2: received v2I2, PARENT SA established tunnel mode {ESP/NAT=>0xcb39e636 <0x60fa2531 xfrm=AES_256-HMAC_SHA2_512 NATOA=none NATD=52.48.93.253:4500 DPD=passive}
May 18 07:21:01 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #850: deleting state #850 (STATE_PARENT_R2)
May 18 07:21:01 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #850: ESP traffic information: in=16KB out=0B
May 18 07:22:21 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #853: deleting state #853 (STATE_PARENT_R2)
May 18 07:22:21 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #853: ESP traffic information: in=76B out=0B
May 18 07:23:23 fw pluto[21124]: packet from 52.48.93.253:500: initial parent SA message received on 10.59.31.49:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW
May 18 07:23:23 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1649: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha512_256 prf=OAKLEY_SHA2_512 group=MODP2048}
May 18 07:23:23 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1649: new NAT mapping for #1649, was 52.48.93.253:500, now 52.48.93.253:4500
May 18 07:23:23 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1649: switched from "ssl-iptrafficsig-1-subnet-1" to "ssl-iptrafficsig-1-subnet-3"
May 18 07:23:23 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1649: IKEv2 mode peer ID is ID_USER_FQDN: '[email protected]'
May 18 07:23:23 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1650: negotiated tunnel [172.21.12.0,172.21.15.255:0-65535 0] -> [10.199.0.0,10.199.0.15:0-65535 0]
May 18 07:23:23 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1650: STATE_PARENT_R2: received v2I2, PARENT SA established tunnel mode {ESP/NAT=>0xc85e7d0a <0x331a381b xfrm=AES_256-HMAC_SHA2_512 NATOA=none NATD=52.48.93.253:4500 DPD=passive}
May 18 07:23:38 fw pluto[21124]: packet from 52.48.93.253:500: initial parent SA message received on 10.59.31.49:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW
May 18 07:23:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1651: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha512_256 prf=OAKLEY_SHA2_512 group=MODP2048}
May 18 07:23:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1651: new NAT mapping for #1651, was 52.48.93.253:500, now 52.48.93.253:4500
May 18 07:23:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1651: switched from "ssl-iptrafficsig-1-subnet-1" to "ssl-iptrafficsig-1-subnet-3"
May 18 07:23:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1651: IKEv2 mode peer ID is ID_USER_FQDN: '[email protected]'
May 18 07:23:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1652: negotiated tunnel [172.21.12.0,172.21.15.255:0-65535 0] -> [10.199.0.0,10.199.0.15:0-65535 0]
May 18 07:23:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1652: STATE_PARENT_R2: received v2I2, PARENT SA established tunnel mode {ESP/NAT=>0xccdc5980 <0xf90a6286 xfrm=AES_256-HMAC_SHA2_512 NATOA=none NATD=52.48.93.253:4500 DPD=passive}
May 18 07:23:46 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #855: deleting state #855 (STATE_PARENT_R2)
May 18 07:23:46 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #855: ESP traffic information: in=76B out=0B

I don't see any packets being dropped, but strongswan doesn't appear to like a response we send it, I guess?

Thanks for any help

Joe

-----Original Message-----
From: Paul Wouters [mailto:[email protected]]
Sent: 17 May 2017 15:18
To: Madden, Joe <[email protected]>
Cc: [email protected]
Subject: Re: [Swan] Tunnels coming establishing and dropping quickly

On Wed, 17 May 2017, Madden, Joe wrote:

> We are having an issue with our Libreswan tunnels. They come up for a short
> amount of time before dropping off.
>
>
> May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/14x0" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
> May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/12x0" #5: STATE_PARENT_I1: sent v2I1, expected v2R1
> May 17 12:45:44 fw pluto[12003]: "ssl-nissen-1/13x0" #17: received Vendor ID payload [RFC 3947]
> May 17 12:45:44 fw pluto[12003]: "ssl-nissen-1/13x0" #17: received Vendor ID payload [FRAGMENTATION c0000000]
> May 17 12:45:44 fw pluto[12003]: "ssl-nissen-1/13x0" #17: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
> May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/11x0" #6: STATE_PARENT_I1: sent v2I1, expected v2R1

Looks like the other end does not like your proposal?

>
> conn ssl-iptrafficsig-1
>     authby= secret
>     auto= start
>     type= tunnel
>     forceencaps= no
>     rekeymargin= 3m
>     keyingtries= %forever
>     salifetime= 8h
>     ikelifetime= 24h
>     ikev2= insist
>     initial-contact= yes
>     send_vendorid= yes
>
>     #RTT
>     left= 10.59.31.49

Please remove empty lines, those denote that a new conn section starts, and you might be missing part of your configuration.

>     leftnexthop= 10.59.31.54
>
>     #SAA

Same here.

>     right= 54.247.187.81
>     rightid= 54.247.187.81
>     rightsubnet= 10.199.0.0/28
>     ike= aes256-sha2_512;modp2048
>     phase2= esp
>     phase2alg= aes256-sha2_512;modp2048
>     pfs= yes
>     sha2_truncbug= no
>
>     #Dead Peer Detection

And here.

> Strongswan configuration looks like this:
>
>
> ######### Connection to Mott NRTS Gateway-PSK #####
> conn motts_nrts_gateway
>     type=tunnel
>     authby=secret
>     forceencaps=no
>     keyexchange=ikev2
>     left=10.199.0.4
>     leftsubnet=10.199.0.0/28
>     leftid=54.247.187.81
>     #leftfirewall=yes
>     rightfirewall=yes
>     ike=aes256-sha2_512-modp2048
>     esp=aes256-sha2_512-modp2048
>     right=extip
>     rightid=extip
>
>     rightsubnet=10.1.176.0/25,10.1.178.0/26,10.1.160.64/27,10.1.162.64/27,10.1.170.0/25,10.2.74.64/29,10.2.166.0/26,10.2.130.64/28,10.2.168.10/32,10.2.168.11/32,10.1.172.10/32,10.1.172.11/32,172.21.12.0/26,172.21.13.0/26,172.21.15.0/26,10.2.170.0/26
>     aggressive=no
>     ikelifetime=24h
>     keyingtries=%forever
>     keylife=8h
>     dpdaction=hold
>     auto=start
> ######## End of MOTT NRTS Gateway Connection ###
>
>
> Does anyone have any suggestions as to what could be the issue?

What does the strongswan log say?

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
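An added monitoring example, not from the thread and not Libreswan's own tooling: a Python script that scans pluto log lines in the format quoted above and summarises the churn visible there, counting how often the responder switched an incoming request from one conn to another, how many initial requests matched no conn, how many states were deleted, and which conns had their parent SA re-established repeatedly within a short window. The embedded sample lines are constructed from that log format; the 600-second window and threshold of three establishments are assumed defaults.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the pluto log format quoted in the thread (messages abbreviated).
SAMPLE_LOG = """\
May 18 07:18:08 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1643: switched from "ssl-iptrafficsig-1-subnet-1" to "ssl-iptrafficsig-1-subnet-3"
May 18 07:18:08 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1644: STATE_PARENT_R2: received v2I2, PARENT SA established tunnel mode {DPD=passive}
May 18 07:18:16 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #848: deleting state #848 (STATE_PARENT_R2)
May 18 07:20:38 fw pluto[21124]: packet from 52.48.93.253:500: initial parent SA message received on 10.59.31.49:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW
May 18 07:20:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1645: switched from "ssl-iptrafficsig-1-subnet-1" to "ssl-iptrafficsig-1-subnet-3"
May 18 07:20:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1646: STATE_PARENT_R2: received v2I2, PARENT SA established tunnel mode {DPD=passive}
May 18 07:20:53 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1647: switched from "ssl-iptrafficsig-1-subnet-1" to "ssl-iptrafficsig-1-subnet-3"
May 18 07:20:53 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1648: STATE_PARENT_R2: received v2I2, PARENT SA established tunnel mode {DPD=passive}
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
                     r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
SWITCH_RE = re.compile(r'switched from "([^"]+)" to "([^"]+)"')

def parse_line(line, year=2017):
    """Parse one pluto syslog line (timestamp, host, pluto[pid], "conn" #state: msg)."""
    m = LINE_RE.match(line)
    if m is None:  # e.g. "packet from ...: no connection has been authorized" lines
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog has no year
    return ts, m['conn'], int(m['state']), m['msg']

def analyse(log_text, window_s=600, threshold=3):
    """Summarise IKE churn; a conn is 'flapping' if its parent SA is established `threshold` times within `window_s` s."""
    summary = {"switches": Counter(), "deleted": Counter(), "rejected": 0, "flapping": []}
    established = defaultdict(list)
    for line in log_text.splitlines():
        if "no connection has been authorized" in line:  # initial request matched no conn
            summary["rejected"] += 1
        if (rec := parse_line(line)) is None:
            continue
        ts, conn, _state, msg = rec
        if sw := SWITCH_RE.search(msg):  # responder re-homed the IKE SA to another conn
            summary["switches"][(sw[1], sw[2])] += 1
        if "PARENT SA established" in msg:
            established[conn].append(ts)
        if msg.startswith("deleting state"):
            summary["deleted"][conn] += 1
    for conn, times in sorted(established.items()):
        times.sort()
        if any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - threshold + 1)):
            summary["flapping"].append(conn)
    return summary
```

Run it against the real pluto log (for example `analyse(open("/var/log/secure").read())`) and a non-empty "flapping" list or a steadily growing "switches" count is the signal to look at before anything else.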
