Hello,

I've been using strongswan for a couple of years now, and I'm facing a recurring 
strange behavior, very difficult to track as I'm not that fluent in IPSEC 
configuration.

The network often goes down between hosts, without any reason, and not always 
in both ways (host1=>host2 may stop working, with host2=>host1 still 
working).
The only solution I found is to restart strongswan on all servers, but I'm sure 
this is a very bad solution :)

If someone can have a rapid look at the following in case something is so 
evident I should have noticed it...
I'm also interested in a way to analyze the situation, if it helps.

My goal is to have specific hosts communicating together with IPSEC encryption.
Let's say with 3 hosts host1, host2 and host3:
- host1 <=> host2 encrypted
- host1 <=> host3 encrypted
- host2 <=> host3 encrypted
All hosts have 2 network cards, one connected to the network (192.*), and one on 
a private network (10.*).

NOTE: due to a required compatibility with Windows, I'm still using IKEv1 and 
not v2.

To achieve this, I've just installed strongswan (strongswan-5.6.1-2.el7.x86_64) 
on all servers, generated a certificate for each host (from a common CA), and 
configured the ipsec.conf and ipsec.secrets files.
All configuration files are the same on all 3 servers, changing only the 
corresponding IP and host names, of course.
- /etc/strongswan/ipsec.d/cacerts/ca.crt : the CA
- /etc/strongswan/ipsec.d/certs/server.crt : the host public key
- /etc/strongswan/ipsec.d/private/server.key : the host private key
- /etc/strongswan/ipsec.secrets
: RSA server.key
- /etc/strongswan/ipsec.conf (for host1)
config setup
        uniqueids = no
# Template sections: never started on their own (auto=ignore), only
# pulled in via also= by the per-peer connections below.
conn "AutoConfig Enc host1"
        auto=ignore
        type=transport
        keyexchange=ikev1
        authby=rsasig
        ike=aes256-sha256-modp2048!
        esp=aes256gcm128-aes256gmac-modp2048!
        ikelifetime=8h
        lifetime=1h
        lifebytes=10000000000
        leftcert=server-host1.crt
        leftid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host1, [email protected]"
conn "AutoConfig Enc host1-1"
        auto=ignore
        type=transport
        keyexchange=ikev1
        authby=rsasig
        ike=aes256-sha256-modp2048!
        esp=aes256gcm128-aes256gmac-modp2048!
        ikelifetime=8h
        lifetime=1h
        lifebytes=10000000000
        leftcert=server-host1-1.crt
        leftid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host1-1, [email protected]"
# Per-peer connections: auto=route installs trap policies, so the IKEv1 SA
# is negotiated on demand when the first matching TCP packet appears.
conn "AutoConfig tcp host1:* <-> host2:*"
        also="AutoConfig Enc host1"
        auto=route
        left=190.0.0.1
        leftsubnet=190.0.0.1[tcp/%any]
        right=190.0.0.2
        rightsubnet=190.0.0.2[tcp/%any]
        rightid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host2, [email protected]"
conn "AutoConfig tcp host1:* <-> host3:*"
        also="AutoConfig Enc host1"
        auto=route
        left=190.0.0.1
        leftsubnet=190.0.0.1[tcp/%any]
        right=190.0.0.3
        rightsubnet=190.0.0.3[tcp/%any]
        rightid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host3, [email protected]"
conn "AutoConfig tcp host1-1:* <-> host2-1:*"
        also="AutoConfig Enc host1-1"
        auto=route
        left=10.0.0.1
        leftsubnet=10.0.0.1[tcp/%any]
        right=10.0.0.2
        rightsubnet=10.0.0.2[tcp/%any]
        rightid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host2-1, [email protected]"
conn "AutoConfig tcp host1-1:* <-> host3-1:*"
        also="AutoConfig Enc host1-1"
        auto=route
        left=10.0.0.1
        leftsubnet=10.0.0.1[tcp/%any]
        right=10.0.0.3
        rightsubnet=10.0.0.3[tcp/%any]
        rightid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host3-1, [email protected]"

#iptables -S (for host1)
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -s 190.0.0.2/32 -d 190.0.0.1/32 -p tcp -m state --state NEW -m tcp -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -s 190.0.0.3/32 -d 190.0.0.1/32 -p tcp -m state --state NEW -m tcp -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -s 10.0.0.2/32 -d 10.0.0.1/32 -p tcp -m state --state NEW -m tcp -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -s 10.0.0.3/32 -d 10.0.0.1/32 -p tcp -m state --state NEW -m tcp -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

Many thanks,
Christian
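One way to analyze the one-way failure described above (an added example, not part of the original message or of strongSwan): capture `ip xfrm state` on both hosts of a pair and check that every outbound SPI on the sender has its inbound twin on the receiver; when it does not, the receiver silently drops that direction's ESP. The two captures and their SPIs below are constructed samples using the post's 190.0.0.x addresses.

```python
import re

# Constructed sample `ip xfrm state` captures from host1 and host2 (not real data).
# host1 sends to host2 with SPI 0xc0000002, but host2 only holds an inbound SA with
# SPI 0xc0000004 for that direction, so host1 -> host2 is black-holed while
# host2 -> host1 (SPI 0xc0000001 on both sides) keeps working.
HOST1_XFRM = """\
src 190.0.0.1 dst 190.0.0.2
\tproto esp spi 0xc0000002 reqid 1 mode transport
\taead rfc4106(gcm(aes)) 0x0011 128
src 190.0.0.2 dst 190.0.0.1
\tproto esp spi 0xc0000001 reqid 1 mode transport
\taead rfc4106(gcm(aes)) 0x0022 128
"""
HOST2_XFRM = """\
src 190.0.0.1 dst 190.0.0.2
\tproto esp spi 0xc0000004 reqid 1 mode transport
\taead rfc4106(gcm(aes)) 0x0033 128
src 190.0.0.2 dst 190.0.0.1
\tproto esp spi 0xc0000001 reqid 1 mode transport
\taead rfc4106(gcm(aes)) 0x0022 128
"""

def parse_xfrm_state(text):
    """Return {(src, dst, spi)} for every ESP SA listed in `ip xfrm state` output."""
    sas, src, dst = set(), None, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"src (\S+) dst (\S+)", line)
        if m:                       # header line of a new SA entry
            src, dst = m.groups()
            continue
        m = re.match(r"proto esp spi (0x[0-9a-fA-F]+)", line)
        if m and src is not None:   # SPI line belonging to the current entry
            sas.add((src, dst, int(m.group(1), 16)))
    return sas

def check_pair(ip_a, sas_a, ip_b, sas_b):
    """Per direction: 'black_holed' = SPIs the sender uses but the receiver lacks;
    'stale' = inbound SPIs the receiver expects but the sender never uses."""
    def spis(sas, src, dst):
        return {spi for s, d, spi in sas if s == src and d == dst}
    report = {}
    for tx_ip, tx_sas, rx_ip, rx_sas in ((ip_a, sas_a, ip_b, sas_b), (ip_b, sas_b, ip_a, sas_a)):
        out, inn = spis(tx_sas, tx_ip, rx_ip), spis(rx_sas, tx_ip, rx_ip)
        report[f"{tx_ip}->{rx_ip}"] = {"black_holed": sorted(out - inn), "stale": sorted(inn - out)}
    return report
```

Run `check_pair("190.0.0.1", parse_xfrm_state(open("host1.txt").read()), "190.0.0.2", parse_xfrm_state(open("host2.txt").read()))` on real captures; a direction with non-empty lists is the one whose SAs went out of sync (for instance after a rekey one side did not see).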