Hi
I just set up strongSwan as an XAuth client for my MikroTik RouterOS server. If the client connects, the connection will work for 5 minutes. Then the connection to the remote networks drops.

According to the log, there is a reauth:

Apr 30 03:20:24 lenovo charon: 11[NET] received packet: from 185.117.xx.xx[4500] to 192.168.251.75[4500] (324 bytes)
Apr 30 03:20:24 lenovo charon: 11[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Apr 30 03:20:24 lenovo charon: 11[IKE] local host is behind NAT, sending keep alives
Apr 30 03:20:24 lenovo charon: 11[ENC] generating ID_PROT request 0 [ ID HASH ]
Apr 30 03:20:24 lenovo charon: 11[NET] sending packet: from 192.168.251.75[4500] to 185.117.xx.xx[4500] (124 bytes)
Apr 30 03:20:24 lenovo charon: 12[NET] received packet: from 185.117.xx.xx[4500] to 192.168.251.75[4500] (124 bytes)
Apr 30 03:20:24 lenovo charon: 12[ENC] parsed ID_PROT response 0 [ ID HASH ]
Apr 30 03:20:24 lenovo charon: 08[NET] received packet: from 185.117.xx.xx[4500] to 192.168.251.75[4500] (124 bytes)
Apr 30 03:20:24 lenovo charon: 08[ENC] parsed TRANSACTION request 2192071535 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
Apr 30 03:20:24 lenovo charon: 08[ENC] generating TRANSACTION response 2192071535 [ HASH CPRP(X_USER X_PWD) ]
Apr 30 03:20:24 lenovo charon: 08[NET] sending packet: from 192.168.251.75[4500] to 185.117.xx.xx[4500] (140 bytes)
Apr 30 03:20:24 lenovo charon: 04[NET] received packet: from 185.117.xx.xx[4500] to 192.168.251.75[4500] (124 bytes)
Apr 30 03:20:24 lenovo charon: 04[ENC] parsed TRANSACTION request 3861230316 [ HASH CPS(X_STATUS) ]
Apr 30 03:20:24 lenovo charon: 04[IKE] XAuth authentication of 'patrick' (myself) successful
Apr 30 03:20:24 lenovo charon: 04[IKE] IKE_SA ipsec-zrh1[3] established between 192.168.251.75[patrick]...185.117.xx.xx[185.117.xx.xx]
Apr 30 03:20:24 lenovo charon: 04[IKE] scheduling reauthentication in 163s
Apr 30 03:20:24 lenovo charon: 04[IKE] maximum IKE_SA lifetime 703s
Apr 30 03:20:24 lenovo charon: 04[ENC] generating TRANSACTION response 3861230316 [ HASH CPA(X_STATUS) ]
Apr 30 03:20:24 lenovo charon: 04[NET] sending packet: from 192.168.251.75[4500] to 185.117.xx.xx[4500] (124 bytes)
Apr 30 03:20:24 lenovo charon: 04[ENC] generating TRANSACTION request 3405112023 [ HASH CPRQ(ADDR DNS) ]
Apr 30 03:20:24 lenovo charon: 04[NET] sending packet: from 192.168.251.75[4500] to 185.117.xx.xx[4500] (124 bytes)
Apr 30 03:20:24 lenovo charon: 09[NET] received packet: from 185.117.xx.xx[4500] to 192.168.251.75[4500] (124 bytes)
Apr 30 03:20:24 lenovo charon: 09[ENC] parsed TRANSACTION response 3405112023 [ HASH CPRP(ADDR) ]
Apr 30 03:20:24 lenovo charon: 09[IKE] installing new virtual IP 10.255.4.251
Apr 30 03:20:25 lenovo charon: 07[IKE] sending DPD request
Apr 30 03:20:27 lenovo charon: 10[IKE] sending keep alive to 185.117.xx.xx[4500]
Apr 30 03:20:34 lenovo charon: 11[NET] received packet: from 185.117.xx.xx[4500] to 192.168.251.75[4500] (140 bytes)

Also, the virtual IP has changed. The tunnel itself stays up, but according to setkey, the SAs / policy routes are not updated with the new virtual IP. I think that's the reason why the connection is not working anymore (the connection does not come up again).

Client:

conn ipsec-zrh1
        fragmentation=yes
        mobike=no
        keyexchange=ikev1
        left=%defaultroute
        leftauth=psk
        leftauth2=xauth
        leftid=patrick
        leftsourceip=%config
        xauth_identity=patrick
        right=185.117.xx.x
        rightsubnet=10.64.136.0/22
        rightauth=psk
        auto=start
        ike=aes256-sha512-modp1024!
        esp=aes256-sha512-modp1024!
        ikelifetime=1200s
        lifetime=3600s
        dpdaction=clear
        dpddelay=10s
        dpdtimeout=60s
        aggressive=no

Version: 5.1.2 on xubuntu 14.04
Server:

/ip ipsec mode-config
add address-pool=vpn name=roadwarrior send-dns=no split-include=10.64.136.0/22
/ip ipsec policy group
add name=roadwarrior
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512 enc-algorithms=aes-256-cbc lifetime=1h
/ip ipsec policy
add dst-address=10.64.136.0/22 group=roadwarrior src-address=10.255.4.0/24 template=yes
add dst-address=10.255.4.0/24 group=roadwarrior src-address=10.64.136.0/22 template=yes
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key-xauth dpd-interval=10s enc-algorithm=aes-256 generate-policy=port-strict hash-algorithm=sha512 lifetime=20m local-address=185.117.xx.xx mode-config=roadwarrior passive=yes policy-template-group=roadwarrior secret=asecret
/ip ipsec user
add name=patrick password=anything
/ip pool
add name=vpn ranges=10.255.4.2-10.255.4.254

RouterOS 6.34.4 on CCR1009-8G-1S-1S+
Any ideas what the reason is and how I can stop the IP address change/disconnection? :-)

Thanks and best regards
Patrick
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
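The symptom in the post is visible only by comparing two IKE_SA instances in the charon log: the reauthentication creates ipsec-zrh1[3] and installs a different virtual IP than the previous instance had. The following script is an added example (not part of the original post and not strongSwan's own code) that parses charon syslog lines, groups the "established", "scheduling reauthentication", "maximum IKE_SA lifetime" and "installing new virtual IP" messages per IKE_SA instance, and reports virtual IP changes across reauthentication as well as negotiated lifetimes shorter than the configured ikelifetime. The sample log is constructed from the post's excerpt with documentation-range addresses in place of the redacted ones; the second IKE_SA instance and its earlier virtual IP are assumed for the sake of the comparison.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: two IKE_SA instances of the same conn, modelled on the
# charon lines in the post. Addresses are documentation-range placeholders.
SAMPLE_LOG = """\
Apr 30 03:15:00 lenovo charon: 04[IKE] IKE_SA ipsec-zrh1[2] established between 192.0.2.75[patrick]...198.51.100.10[198.51.100.10]
Apr 30 03:15:00 lenovo charon: 04[IKE] scheduling reauthentication in 160s
Apr 30 03:15:00 lenovo charon: 04[IKE] maximum IKE_SA lifetime 700s
Apr 30 03:15:00 lenovo charon: 09[IKE] installing new virtual IP 10.255.4.250
Apr 30 03:15:01 lenovo charon: 07[IKE] sending DPD request
Apr 30 03:20:24 lenovo charon: 04[IKE] IKE_SA ipsec-zrh1[3] established between 192.0.2.75[patrick]...198.51.100.10[198.51.100.10]
Apr 30 03:20:24 lenovo charon: 04[IKE] scheduling reauthentication in 163s
Apr 30 03:20:24 lenovo charon: 04[IKE] maximum IKE_SA lifetime 703s
Apr 30 03:20:24 lenovo charon: 09[IKE] installing new virtual IP 10.255.4.251
"""

# Syslog prefix as written by charon: "<ts> <host> charon: <thread>[<group>] <msg>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ charon: \d+\[(?P<group>\w+)\] (?P<msg>.*)$")
ESTABLISHED_RE = re.compile(r"IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\] established between")
REAUTH_RE = re.compile(r"scheduling reauthentication in (?P<secs>\d+)s")
MAXLIFE_RE = re.compile(r"maximum IKE_SA lifetime (?P<secs>\d+)s")
VIP_RE = re.compile(r"installing new virtual IP (?P<ip>\S+)")


@dataclass
class SaRecord:
    """What the log tells us about one IKE_SA instance (conn name plus unique id)."""
    conn: str
    unique_id: int
    timestamp: str
    reauth_in: Optional[int] = None
    max_lifetime: Optional[int] = None
    virtual_ip: Optional[str] = None


def parse_charon_log(text: str) -> List[SaRecord]:
    """Return one SaRecord per 'IKE_SA ... established' line, in log order.

    Follow-up messages (reauth schedule, lifetime, virtual IP) are attached to
    the most recently established IKE_SA; lines from other daemons are ignored.
    """
    records: List[SaRecord] = []
    current: Optional[SaRecord] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        est = ESTABLISHED_RE.search(msg)
        if est:
            current = SaRecord(est.group("conn"), int(est.group("id")), m.group("ts"))
            records.append(current)
            continue
        if current is None:
            continue
        if (r := REAUTH_RE.search(msg)):
            current.reauth_in = int(r.group("secs"))
        elif (r := MAXLIFE_RE.search(msg)):
            current.max_lifetime = int(r.group("secs"))
        elif (r := VIP_RE.search(msg)):
            current.virtual_ip = r.group("ip")
    return records


def find_virtual_ip_changes(records: List[SaRecord]) -> List[Tuple[SaRecord, SaRecord]]:
    """Pairs (previous, new) where a conn's reauthenticated IKE_SA got a different virtual IP."""
    changes = []
    last_by_conn = {}
    for rec in records:
        if rec.virtual_ip is None:
            continue
        prev = last_by_conn.get(rec.conn)
        if prev is not None and prev.virtual_ip != rec.virtual_ip:
            changes.append((prev, rec))
        last_by_conn[rec.conn] = rec
    return changes


def lifetime_mismatches(records: List[SaRecord], configured_ikelifetime: int) -> List[SaRecord]:
    """IKE_SAs whose logged maximum lifetime is below the ikelifetime set in ipsec.conf.

    A value well under the configured one is a hint to check the lifetimes on
    both peers (heuristic assumed for this example, not a strongSwan rule).
    """
    return [r for r in records if r.max_lifetime is not None and r.max_lifetime < configured_ikelifetime]


if __name__ == "__main__":
    recs = parse_charon_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r.timestamp} {r.conn}[{r.unique_id}] reauth_in={r.reauth_in}s "
              f"max_lifetime={r.max_lifetime}s vip={r.virtual_ip}")
    for prev, new in find_virtual_ip_changes(recs):
        print(f"virtual IP changed on {new.conn}: {prev.virtual_ip} -> {new.virtual_ip} "
              f"(instance {prev.unique_id} -> {new.unique_id})")
    for r in lifetime_mismatches(recs, 1200):   # 1200s = the ikelifetime from the post
        print(f"{r.conn}[{r.unique_id}]: negotiated lifetime {r.max_lifetime}s < configured 1200s")
```

Feed it the output of `journalctl -u strongswan` or `/var/log/syslog` instead of `SAMPLE_LOG` to see whether each reauthentication of a conn keeps the same virtual IP; when it does not, the child SA policies still carrying the old address are the next thing to inspect with `ipsec statusall` or `setkey -DP`.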