I have the following setup:

[my-app] ==TLS==> [stunnel --TCP--> strongSwan] ++IPSEC++> [thirdparty-app]

Where everything [within brackets] happens on the same machine.

Every once in a while, I see the log lines below. After that, according 
to [my-app] logs, data was sent to stunnel normally. No signs of network error. 
However, my-app did not receive responses from [thirdparty-app]. This behavior 
lasted for ~20min until stunnel timed out and a new connection was established, 
bringing things back to normal.

Questions:

1. Why is this happening?

2. Should reauthentication be seamless for stunnel and thirdparty-app? If the 
answer is NO, how should stunnel behave then?


Nov 10 11:49:43 HOST1 charon: 02[IKE] reauthenticating IKE_SA VPN1[1]
Nov 10 11:49:43 HOST1 charon: 02[IKE] deleting IKE_SA VPN1[1] between 
xxx.xxx.xxx.xxx[yyy.yyy.yyy.yyy]...zzz.zzz.zzz.zzz[aaa.aaa.aaa.aaa]
Nov 10 11:49:43 HOST1 charon: 02[IKE] sending DELETE for IKE_SA VPN1[1]
Nov 10 11:49:43 HOST1 kernel: [3745465.531945] audit: type=1400 
audit(1478778583.565:4059): apparmor="DENIED" operation="open" 
profile="/usr/lib/ipsec/charon" name="/proc/13577/fd/" pid=13577 comm="charon" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 11:49:43 HOST1 charon: 01[IKE] IKE_SA deleted
Nov 10 11:49:43 HOST1 vpn: - aaa.aaa.aaa.aaa bbb.bbb.bbb.bbb/32 == 
zzz.zzz.zzz.zzz -- xxx.xxx.xxx.xxx == ccc.ccc.ccc.ccc/28
Nov 10 11:49:43 HOST1 charon: 01[IKE] restarting CHILD_SA VPN1
Nov 10 11:49:43 HOST1 charon: 01[IKE] initiating IKE_SA VPN1[2] to 
zzz.zzz.zzz.zzz
Nov 10 11:49:43 HOST1 charon: 10[IKE] received Cisco Delete Reason vendor ID
Nov 10 11:49:43 HOST1 charon: 10[IKE] received Cisco Copyright (c) 2009 vendor 
ID
Nov 10 11:49:43 HOST1 charon: 10[IKE] received FRAGMENTATION vendor ID
Nov 10 11:49:43 HOST1 charon: 10[IKE] local host is behind NAT, sending keep 
alives
Nov 10 11:49:43 HOST1 charon: 10[IKE] remote host is behind NAT
Nov 10 11:49:43 HOST1 charon: 10[IKE] authentication of 'yyy.yyy.yyy.yyy' 
(myself) with pre-shared key
Nov 10 11:49:43 HOST1 charon: 10[IKE] establishing CHILD_SA VPN1{1}
Nov 10 11:49:44 HOST1 charon: 13[IKE] authentication of 'aaa.aaa.aaa.aaa' with 
pre-shared key successful
Nov 10 11:49:44 HOST1 charon: 13[IKE] IKE_SA VPN1[2] established between 
xxx.xxx.xxx.xxx[yyy.yyy.yyy.yyy]...zzz.zzz.zzz.zzz[aaa.aaa.aaa.aaa]
Nov 10 11:49:44 HOST1 charon: 13[IKE] scheduling reauthentication in 86150s
Nov 10 11:49:44 HOST1 charon: 13[IKE] maximum IKE_SA lifetime 86330s
Nov 10 11:49:44 HOST1 charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, 
not using ESPv3 TFC padding
Nov 10 11:49:44 HOST1 charon: 13[IKE] CHILD_SA VPN1{28} established with SPIs 
c5ff4cea_i 9f0d0d53_o and TS ccc.ccc.ccc.ccc/28 === bbb.bbb.bbb.bbb/32
Nov 10 11:49:44 HOST1 kernel: [3745466.048974] audit: type=1400 
audit(1478778584.081:4060): apparmor="DENIED" operation="open" 
profile="/usr/lib/ipsec/charon" name="/proc/13586/fd/" pid=13586 comm="charon" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 10 11:49:44 HOST1 vpn: + aaa.aaa.aaa.aaa bbb.bbb.bbb.bbb/32 == 
zzz.zzz.zzz.zzz -- xxx.xxx.xxx.xxx == ccc.ccc.ccc.ccc/28

...

Nov 10 12:05:50 HOST1 stunnel: LOG3[3]: writesocket: Connection timed out (110)
Nov 10 12:05:50 HOST1 stunnel: LOG5[3]: Connection reset: 2186222 byte(s) sent 
to SSL, 721569 byte(s) sent to socket
Nov 10 12:05:50 HOST1 stunnel: LOG5[12]: Service [VPN1] accepted connection 
from ddd.ddd.ddd.ddd:50204
Nov 10 12:05:50 HOST1 stunnel: LOG6[12]: SSL accepted: new session negotiated
Nov 10 12:05:50 HOST1 stunnel: LOG6[12]: No peer certificate received
Nov 10 12:05:50 HOST1 stunnel: LOG6[12]: Negotiated TLSv1 ciphersuite 
ECDHE-RSA-AES256-SHA (256-bit encryption)
Nov 10 12:05:50 HOST1 stunnel: LOG6[12]: s_connect: connecting 
bbb.bbb.bbb.bbb:10062
Nov 10 12:05:50 HOST1 stunnel: LOG5[12]: s_connect: connected 
bbb.bbb.bbb.bbb:10062
Nov 10 12:05:50 HOST1 stunnel: LOG6[12]: persistence: bbb.bbb.bbb.bbb:10062 
cached
Nov 10 12:05:50 HOST1 stunnel: LOG5[12]: Service [VPN1] connected remote server 
from xxx.xxx.xxx.xxx:60098


_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
