Hello strongSwan list,

I have a problem with an IPsec site-to-site VPN between a Cisco ASA and strongSwan version 5.5.3, Linux 3.10.0-327.10.1.el7.x86_64.

With strongSwan, I want to send two subnets: 172.16.5.0/24 and 192.168.1.0/24. When I start strongSwan there is no error, all pings pass through the IPsec tunnel and there is no problem. After 7h (probably after a re-auth), two tunnels are inserted for the same subnet. The other subnet continues to work as expected. Only one "crashes": one ping out of two is dropped.

Please find below the output of "strongswan statusall":

# strongswan statusall
Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.10.0-327.10.1.el7.x86_64, x86_64):
  uptime: 26 hours, since Jan 03 14:53:30 2018
  malloc: sbrk 1622016, mmap 0, used 529568, free 1092448
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
  loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
Listening IP addresses:
  185.119.XXX.XXX
  172.16.0.0
  2a06:8bc0:XXX
  10.8.0.1
Connections:
      conn-1:  185.119.XXX.YYY...46.31.ZZ.ZZ  IKEv1
      conn-1:   local:  [185.119.XXX.YYY] uses pre-shared key authentication
      conn-1:   remote: [46.31.ZZ.ZZ] uses pre-shared key authentication
      conn-1:   child:  192.168.1.0/24 === 10.2.1.192/29 TUNNEL
      conn-2:   child:  172.16.5.0/24 === 10.2.1.192/29 TUNNEL
Security Associations (1 up, 0 connecting):
      conn-1[7]: ESTABLISHED 2 hours ago, 185.119.XXX.YYY[185.119.XXX.YYY]...46.31.ZZ.ZZ[46.31.ZZ.ZZ]
      conn-1[7]: IKEv1 SPIs: f8490bafd768b806_i* 86c5c1b6cb09c905_r, pre-shared key reauthentication in 5 hours
      conn-1[7]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
      conn-2{817}:  INSTALLED, TUNNEL, reqid 71, ESP SPIs: c70f39e7_i 474d86cc_o
      conn-2{817}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 65021 bytes_i (1413 pkts, 27s ago), 1535741 bytes_o (3046 pkts, 27s ago), rekeying in 6 hours
      conn-2{817}:   172.16.5.0/24 === 10.2.1.192/29
      conn-1{867}:  INSTALLED, TUNNEL, reqid 69, ESP SPIs: cf6a0fee_i 4d77c585_o
      conn-1{867}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 6 hours
      conn-1{867}:   192.168.1.0/24 === 10.2.1.192/29
      conn-1{869}:  INSTALLED, TUNNEL, reqid 69, ESP SPIs: c3e3a651_i 7d5fc4f2_o
      conn-1{869}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 4441746 bytes_i (3181 pkts, 419s ago), 54984 bytes_o (1373 pkts, 419s ago), rekeying in 6 hours
      conn-1{869}:   192.168.1.0/24 === 10.2.1.192/29

Here is my configuration:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    charondebug="cfg 2, chd 1, dmn 1, ike 1, knl 1, net 1"
    # uniqueids = no

# Add connections here.

# Sample VPN connections

conn conn-1
    auto=start
    rightsubnet=192.168.1.0/24
    authby=secret
    compress=no
    closeaction=restart
    mobike=no
    keyexchange=ikev1
    keyingtries=1
    rekeymargin=3m
    ike=aes256-sha-modp1536
    esp=aes256-sha-modp1024
    ikelifetime=28800s
    lifetime=28800s
    left=46.31.ZZ.ZZ
    right=185.119.XXX.YYY
    leftsubnet=10.2.1.192/29
    leftid=46.31.ZZ.ZZ
    rightid=185.119.XXX.YYY

conn conn-2
    auto=start
    rightsubnet=172.16.5.0/24
    authby=secret
    compress=no
    closeaction=restart
    mobike=no
    rekeymargin=3m
    keyexchange=ikev1
    ike=aes256-sha-modp1536
    esp=aes256-sha-modp1024
    ikelifetime=28800s
    keyingtries=1
    lifetime=28800s
    left=46.31.ZZ.ZZ
    right=185.119.XXX.YYY
    leftsubnet=10.2.1.192/29
    leftid=46.31.ZZ.ZZ

If I set rightsubnet with both subnets separated by a comma, only one subnet out of two is UP. I have disabled the cisco_unity plugin (same behaviour if this plugin is enabled).

Do you have any hint to set up an IPsec site-to-site with two subnets that keeps working even after a rekey or reauth? Are there any logging lines that can help me?

Thanks in advance,
Regards.

--
Loïc CHABERT - Technical Manager
Voxity - Free your telecoms
85 Rue des Alliés 38100 Grenoble
Tel : 0975181257 - Fax : 04.816.801.14
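An added check (example code, not part of the original mail or of strongSwan) that parses the CHILD_SA lines of "ipsec statusall" and reports traffic selectors carried by more than one INSTALLED CHILD_SA, the duplicate-tunnel state shown in the status above; the sample input is constructed from the status lines quoted in the mail.

```python
# Added example (not from the original mail): flag traffic selectors that
# appear in more than one INSTALLED CHILD_SA in `ipsec statusall` output.
# SAMPLE is constructed from the status lines quoted above.
import re
from collections import defaultdict

SAMPLE = """\
conn-2{817}: INSTALLED, TUNNEL, reqid 71, ESP SPIs: c70f39e7_i 474d86cc_o
conn-2{817}: AES_CBC_256/HMAC_SHA1_96/MODP_1024, 65021 bytes_i (1413 pkts, 27s ago), 1535741 bytes_o (3046 pkts, 27s ago), rekeying in 6 hours
conn-2{817}: 172.16.5.0/24 === 10.2.1.192/29
conn-1{867}: INSTALLED, TUNNEL, reqid 69, ESP SPIs: cf6a0fee_i 4d77c585_o
conn-1{867}: AES_CBC_256/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 6 hours
conn-1{867}: 192.168.1.0/24 === 10.2.1.192/29
conn-1{869}: INSTALLED, TUNNEL, reqid 69, ESP SPIs: c3e3a651_i 7d5fc4f2_o
conn-1{869}: AES_CBC_256/HMAC_SHA1_96/MODP_1024, 4441746 bytes_i (3181 pkts, 419s ago), 54984 bytes_o (1373 pkts, 419s ago), rekeying in 6 hours
conn-1{869}: 192.168.1.0/24 === 10.2.1.192/29
"""

SA_RE = re.compile(r"^(?P<conn>[\w-]+)\{(?P<id>\d+)\}:\s+(?P<rest>.*)$")
TS_RE = re.compile(r"^(?P<local>\S+) === (?P<remote>\S+)$")
BYTES_RE = re.compile(r"(\d+) bytes_i.*?(\d+) bytes_o")

def parse_child_sas(text):
    """Group CHILD_SA lines by their {id}; returns
    {id: {"conn", "installed", "bytes_i", "bytes_o", "ts"}}."""
    sas = {}
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if not m:
            continue  # IKE_SA / header lines carry no {id}
        sa = sas.setdefault(int(m["id"]), {"conn": m["conn"], "installed": False,
                                           "bytes_i": 0, "bytes_o": 0, "ts": None})
        rest = m["rest"]
        if rest.startswith("INSTALLED"):
            sa["installed"] = True
        elif (b := BYTES_RE.search(rest)):
            sa["bytes_i"], sa["bytes_o"] = int(b[1]), int(b[2])
        elif (t := TS_RE.match(rest)):
            sa["ts"] = (t["local"], t["remote"])
    return sas

def duplicate_selectors(sas):
    """Return {(local_ts, remote_ts): [ids]} for selectors carried by more
    than one INSTALLED CHILD_SA; the one with 0 bytes is the idle duplicate."""
    by_ts = defaultdict(list)
    for sid, sa in sorted(sas.items()):
        if sa["installed"] and sa["ts"]:
            by_ts[sa["ts"]].append(sid)
    return {ts: ids for ts, ids in by_ts.items() if len(ids) > 1}
```

Run it against real output with parse_child_sas(subprocess.check_output(["ipsec", "statusall"], text=True)); a non-empty result after a reauth is the state to alert on.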
