[Swan] Tunnels coming establishing and dropping quickly
Madden, Joe
Joe.Madden at mottmac.com
Thu May 18 07:35:31 UTC 2017
Hi Paul,
We ended up narrowing it down to a configuration where leftsubnets is used with more than one subnet - Libreswan and Strongswan don't like it.
Therefore we changed our configuration from the previous one to a new connection per subnet.
However, this also goes haywire with multiple new subnets being raised (snapshot of ipsec status below):
000 #596: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 46819s; isakmp#0; idle; import:respond to stranger
000 #596: "ssl-iptrafficsig-1-subnet-3" ref=0 refhim=0 Traffic:
000 #594: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 46759s; isakmp#0; idle; import:respond to stranger
000 #594: "ssl-iptrafficsig-1-subnet-3" ref=0 refhim=0 Traffic:
000 #520: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 44229s; isakmp#0; idle; import:respond to stranger
000 #520: "ssl-iptrafficsig-1-subnet-3" ref=0 refhim=0 Traffic:
000 #468: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 42526s; isakmp#0; idle; import:respond to stranger
000 #468: "ssl-iptrafficsig-1-subnet-3" ref=0 refhim=0 Traffic:
000 #447: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 41541s; isakmp#0; idle; import:respond to stranger
000 #447: "ssl-iptrafficsig-1-subnet-3" ref=0 refhim=0 Traffic:
000 #403: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 39657s; isakmp#0; idle; import:respond to stranger
000 #403: "ssl-iptrafficsig-1-subnet-3" ref=0 refhim=0 Traffic:
000 #253: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 34760s; isakmp#0; idle; import:respond to stranger
000 #253: "ssl-iptrafficsig-1-subnet-3" ref=0 refhim=0 Traffic:
000 #1622: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 26947s; isakmp#1621; idle; import:respond to stranger
000 #1622: "ssl-iptrafficsig-1-subnet-3" esp.c0b23e3e at 52.48.93.253 esp.d3d59d15 at 10.59.31.49 tun.0 at 52.48.93.253 tun.0 at 10.59.31.49 ref=0 refhim=4294901761 Traffic: ESPout=76B ESPin=0B! ESPmax=0B
000 #1621: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 84547s; isakmp#0; idle; import:respond to stranger
000 #1621: "ssl-iptrafficsig-1-subnet-3" ref=0 refhim=0 Traffic:
000 #1559: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 24661s; isakmp#1558; idle; import:respond to stranger
000 #1559: "ssl-iptrafficsig-1-subnet-3" esp.c16dcb0c at 52.48.93.253 esp.c76b9749 at 10.59.31.49 tun.0 at 52.48.93.253 tun.0 at 10.59.31.49 ref=0 refhim=4294901761 Traffic: ESPout=76B ESPin=0B! ESPmax=0B
000 #1558: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 82261s; isakmp#0; idle; import:respond to stranger
000 #1558: "ssl-iptrafficsig-1-subnet-3" ref=0 refhim=0 Traffic:
000 #1547: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 24136s; isakmp#1546; idle; import:respond to stranger
000 #1547: "ssl-iptrafficsig-1-subnet-3" esp.c16e8eb2 at 52.48.93.253 esp.faf47d08 at 10.59.31.49 tun.0 at 52.48.93.253 tun.0 at 10.59.31.49 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=0B
000 #1546: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 81736s; isakmp#0; idle; import:respond to stranger
000 #1546: "ssl-iptrafficsig-1-subnet-3" ref=0 refhim=0 Traffic:
conn ssl-iptrafficsig-1-subnet-1
    authby= secret
    auto= start
    type= tunnel
    forceencaps= yes
    rekeymargin= 3m
    keyingtries= %forever
    salifetime= 8h
    ikelifetime= 24h
    ikev2= insist
    #RTT
    left= 10.59.31.49
    leftsubnet= 10.1.0.0/16
    leftid= leftsubnet1 at nrts.com
    leftnexthop= 10.59.31.54
    #SAA
    right= 52.48.93.253
    rightid= rightsubnet1 at nrts.com
    rightsubnet= 10.199.0.0/28
    ike= aes256-sha2_512;modp2048
    phase2= esp
    phase2alg= aes256-sha2_512;modp2048
    pfs= yes
    sha2_truncbug= no
    #Dead Peer Detection
    dpdaction= restart
conn ssl-iptrafficsig-1-subnet-2
    authby= secret
    auto= start
    type= tunnel
    forceencaps= yes
    rekeymargin= 3m
    keyingtries= %forever
    salifetime= 8h
    ikelifetime= 24h
    ikev2= insist
    #RTT
    left= 10.59.31.49
    leftsubnet= 10.2.0.0/16
    leftid= leftsubnet2 at nrts.com
    leftnexthop= 10.59.31.54
    #SAA
    right= 52.48.93.253
    rightid= rightsubnet2 at nrts.com
    rightsubnet= 10.199.0.0/28
    ike= aes256-sha2_512;modp2048
    phase2= esp
    phase2alg= aes256-sha2_512;modp2048
    pfs= yes
    sha2_truncbug= no
    #Dead Peer Detection
    dpdaction= restart
conn ssl-iptrafficsig-1-subnet-3
    authby= secret
    auto= start
    type= tunnel
    forceencaps= yes
    rekeymargin= 3m
    keyingtries= %forever
    salifetime= 8h
    ikelifetime= 24h
    ikev2= insist
    #RTT
    left= 10.59.31.49
    leftsubnet= 172.21.12.0/22
    leftid= leftsubnet3 at nrts.com
    leftnexthop= 10.59.31.54
    #SAA
    right= 52.48.93.253
    rightid= rightsubnet3 at nrts.com
    rightsubnet= 10.199.0.0/28
    ike= aes256-sha2_512;modp2048
    phase2= esp
    phase2alg= aes256-sha2_512;modp2048
    pfs= yes
    sha2_truncbug= no
    #Dead Peer Detection
    dpdaction= restart
It works fine with one subnet, but as soon as the 2nd or 3rd subnet is added it goes haywire.
Please see our log and the strongswan log below:
[root at ip-10-199-0-6 strongswan]# strongswan up motts_nrts_gateway_2
initiating IKE_SA motts_nrts_gateway_2[51] to extip
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.199.0.6[500] to extip[500] (1404 bytes)
received packet: from extip[500] to 10.199.0.6[500] (424 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
authentication of 'rightsubnet2 at nrts.com' (myself) with pre-shared key
establishing CHILD_SA motts_nrts_gateway_2
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 10.199.0.6[4500] to extip[4500] (464 bytes)
retransmit 1 of request with message ID 1
sending packet: from 10.199.0.6[4500] to extip[4500] (464 bytes)
retransmit 2 of request with message ID 1
sending packet: from 10.199.0.6[4500] to extip[4500] (464 bytes)
retransmit 3 of request with message ID 1
sending packet: from 10.199.0.6[4500] to extip[4500] (464 bytes)
sending keep alive to extip[4500]
retransmit 4 of request with message ID 1
sending packet: from 10.199.0.6[4500] to extip[4500] (464 bytes)
sending keep alive to extip[4500]
sending keep alive to extip[4500]
retransmit 5 of request with message ID 1
sending packet: from 10.199.0.6[4500] to extip[4500] (464 bytes)
received packet: from extip[4500] to 10.199.0.6[4500] (424 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) ]
received message ID 0, expected 1. Ignored
sending keep alive to extip[4500]
sending keep alive to extip[4500]
sending keep alive to extip[4500]
giving up after 5 retransmits
peer not responding, trying again (2/0)
initiating IKE_SA motts_nrts_gateway_2[51] to extip
establishing connection 'motts_nrts_gateway_2' failed
Our Log:
May 18 07:18:08 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1643: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha512_256 prf=OAKLEY_SHA2_512 group=MODP2048}
May 18 07:18:08 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1643: new NAT mapping for #1643, was 52.48.93.253:500, now 52.48.93.253:4500
May 18 07:18:08 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1643: switched from "ssl-iptrafficsig-1-subnet-1" to "ssl-iptrafficsig-1-subnet-3"
May 18 07:18:08 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1643: IKEv2 mode peer ID is ID_USER_FQDN: 'rightsubnet3 at nrts.com'
May 18 07:18:08 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1644: negotiated tunnel [172.21.12.0,172.21.15.255:0-65535 0] -> [10.199.0.0,10.199.0.15:0-65535 0]
May 18 07:18:08 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1644: STATE_PARENT_R2: received v2I2, PARENT SA established tunnel mode {ESP/NAT=>0xc3a8826b <0x39cd4f43 xfrm=AES_256-HMAC_SHA2_512 NATOA=none NATD=52.48.93.253:4500 DPD=passive}
May 18 07:18:16 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #848: deleting state #848 (STATE_PARENT_R2)
May 18 07:18:16 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #848: ESP traffic information: in=0B out=0B
May 18 07:20:38 fw pluto[21124]: packet from 52.48.93.253:500: initial parent SA message received on 10.59.31.49:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW
May 18 07:20:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1645: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha512_256 prf=OAKLEY_SHA2_512 group=MODP2048}
May 18 07:20:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1645: new NAT mapping for #1645, was 52.48.93.253:500, now 52.48.93.253:4500
May 18 07:20:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1645: switched from "ssl-iptrafficsig-1-subnet-1" to "ssl-iptrafficsig-1-subnet-3"
May 18 07:20:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1645: IKEv2 mode peer ID is ID_USER_FQDN: 'rightsubnet3 at nrts.com'
May 18 07:20:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1646: negotiated tunnel [172.21.12.0,172.21.15.255:0-65535 0] -> [10.199.0.0,10.199.0.15:0-65535 0]
May 18 07:20:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1646: STATE_PARENT_R2: received v2I2, PARENT SA established tunnel mode {ESP/NAT=>0xc052fa1d <0x11dab2bd xfrm=AES_256-HMAC_SHA2_512 NATOA=none NATD=52.48.93.253:4500 DPD=passive}
May 18 07:20:53 fw pluto[21124]: packet from 52.48.93.253:500: initial parent SA message received on 10.59.31.49:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW
May 18 07:20:53 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1647: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha512_256 prf=OAKLEY_SHA2_512 group=MODP2048}
May 18 07:20:53 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1647: new NAT mapping for #1647, was 52.48.93.253:500, now 52.48.93.253:4500
May 18 07:20:53 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1647: switched from "ssl-iptrafficsig-1-subnet-1" to "ssl-iptrafficsig-1-subnet-3"
May 18 07:20:53 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1647: IKEv2 mode peer ID is ID_USER_FQDN: 'rightsubnet3 at nrts.com'
May 18 07:20:53 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1648: negotiated tunnel [172.21.12.0,172.21.15.255:0-65535 0] -> [10.199.0.0,10.199.0.15:0-65535 0]
May 18 07:20:53 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1648: STATE_PARENT_R2: received v2I2, PARENT SA established tunnel mode {ESP/NAT=>0xcb39e636 <0x60fa2531 xfrm=AES_256-HMAC_SHA2_512 NATOA=none NATD=52.48.93.253:4500 DPD=passive}
May 18 07:21:01 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #850: deleting state #850 (STATE_PARENT_R2)
May 18 07:21:01 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #850: ESP traffic information: in=16KB out=0B
May 18 07:22:21 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #853: deleting state #853 (STATE_PARENT_R2)
May 18 07:22:21 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #853: ESP traffic information: in=76B out=0B
May 18 07:23:23 fw pluto[21124]: packet from 52.48.93.253:500: initial parent SA message received on 10.59.31.49:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW
May 18 07:23:23 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1649: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha512_256 prf=OAKLEY_SHA2_512 group=MODP2048}
May 18 07:23:23 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1649: new NAT mapping for #1649, was 52.48.93.253:500, now 52.48.93.253:4500
May 18 07:23:23 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1649: switched from "ssl-iptrafficsig-1-subnet-1" to "ssl-iptrafficsig-1-subnet-3"
May 18 07:23:23 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1649: IKEv2 mode peer ID is ID_USER_FQDN: 'rightsubnet3 at nrts.com'
May 18 07:23:23 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1650: negotiated tunnel [172.21.12.0,172.21.15.255:0-65535 0] -> [10.199.0.0,10.199.0.15:0-65535 0]
May 18 07:23:23 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1650: STATE_PARENT_R2: received v2I2, PARENT SA established tunnel mode {ESP/NAT=>0xc85e7d0a <0x331a381b xfrm=AES_256-HMAC_SHA2_512 NATOA=none NATD=52.48.93.253:4500 DPD=passive}
May 18 07:23:38 fw pluto[21124]: packet from 52.48.93.253:500: initial parent SA message received on 10.59.31.49:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW
May 18 07:23:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1651: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha512_256 prf=OAKLEY_SHA2_512 group=MODP2048}
May 18 07:23:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1651: new NAT mapping for #1651, was 52.48.93.253:500, now 52.48.93.253:4500
May 18 07:23:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-1" #1651: switched from "ssl-iptrafficsig-1-subnet-1" to "ssl-iptrafficsig-1-subnet-3"
May 18 07:23:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1651: IKEv2 mode peer ID is ID_USER_FQDN: 'rightsubnet3 at nrts.com'
May 18 07:23:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1652: negotiated tunnel [172.21.12.0,172.21.15.255:0-65535 0] -> [10.199.0.0,10.199.0.15:0-65535 0]
May 18 07:23:38 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #1652: STATE_PARENT_R2: received v2I2, PARENT SA established tunnel mode {ESP/NAT=>0xccdc5980 <0xf90a6286 xfrm=AES_256-HMAC_SHA2_512 NATOA=none NATD=52.48.93.253:4500 DPD=passive}
May 18 07:23:46 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #855: deleting state #855 (STATE_PARENT_R2)
May 18 07:23:46 fw pluto[21124]: "ssl-iptrafficsig-1-subnet-3" #855: ESP traffic information: in=76B out=0B
I don't see any packets being dropped, but strongswan doesn't appear to like a response we send it, I guess?
Thanks for any help
Joe
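As an added example (not code from this thread, from Libreswan or from strongSwan), a small Python parser for the 'ipsec status' snapshot above: it pairs each state's two lines, separates IKE SAs (isakmp#0) from Child SAs (isakmp#<parent>), and counts IKE SAs left with no Child SA and Child SAs that never received ESP (ESPin=0B), which is the pattern the snapshot shows. The sample lines are copied from the snapshot; the line format assumed is the one shown there.

```python
import re
from collections import defaultdict

# One Libreswan state = two 'ipsec status' lines; the list archive rewrote '@' as ' at '.
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)":\d+ (STATE_\w+) .*?; isakmp#(\d+);')
CHILD_RE = re.compile(r'^000 #(\d+): "([^"]+)"(?: (.*?))? ref=\d+ refhim=\d+ Traffic:(.*)$')
SPI_RE = re.compile(r'esp\.([0-9a-f]+)(?: at |@)')
TRAFFIC_RE = re.compile(r'ESPout=(\d+)B ESPin=(\d+)B')

def parse_status(text):
    """Merge each state's two lines into one record keyed by state number."""
    states = defaultdict(lambda: {'conn': None, 'state': None, 'isakmp': None,
                                  'spis': [], 'esp_out': None, 'esp_in': None})
    for line in text.splitlines():
        if m := STATE_RE.match(line):
            no, conn, state, isakmp = m.groups()
            states[int(no)].update(conn=conn, state=state, isakmp=int(isakmp))
        elif m := CHILD_RE.match(line):
            no, conn, detail, traffic = m.groups()
            entry = states[int(no)]
            entry['conn'], entry['spis'] = conn, SPI_RE.findall(detail or '')
            if t := TRAFFIC_RE.search(traffic):
                entry['esp_out'], entry['esp_in'] = int(t[1]), int(t[2])
    return dict(states)

def summarize(states):
    """Per conn: IKE SAs (isakmp#0), IKE SAs with no Child SA under them,
    Child SAs (isakmp#<parent>), and Child SAs that never received ESP."""
    parents_in_use = {s['isakmp'] for s in states.values() if s['isakmp']}
    out = defaultdict(lambda: {'ike_sas': 0, 'orphan_ike_sas': 0,
                               'child_sas': 0, 'children_no_inbound': 0})
    for no, s in states.items():
        c = out[s['conn']]
        if s['isakmp'] == 0:
            c['ike_sas'] += 1
            c['orphan_ike_sas'] += no not in parents_in_use
        else:
            c['child_sas'] += 1
            c['children_no_inbound'] += s['esp_in'] == 0
    return dict(out)

# Six lines copied from the status snapshot in the message above.
SAMPLE = """\
000 #596: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 46819s; isakmp#0; idle; import:respond to stranger
000 #596: "ssl-iptrafficsig-1-subnet-3" ref=0 refhim=0 Traffic:
000 #1622: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 26947s; isakmp#1621; idle; import:respond to stranger
000 #1622: "ssl-iptrafficsig-1-subnet-3" esp.c0b23e3e at 52.48.93.253 esp.d3d59d15 at 10.59.31.49 tun.0 at 52.48.93.253 tun.0 at 10.59.31.49 ref=0 refhim=4294901761 Traffic: ESPout=76B ESPin=0B! ESPmax=0B
000 #1621: "ssl-iptrafficsig-1-subnet-3":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 84547s; isakmp#0; idle; import:respond to stranger
000 #1621: "ssl-iptrafficsig-1-subnet-3" ref=0 refhim=0 Traffic:
"""
```

Run `summarize(parse_status(open('status.txt').read()))` on a full snapshot; a growing orphan_ike_sas count alongside children with ESPin=0B is the "established, then dropped" signature described in this message.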
-----Original Message-----
From: Paul Wouters [mailto:paul at nohats.ca]
Sent: 17 May 2017 15:18
To: Madden, Joe <Joe.Madden at mottmac.com>
Cc: swan at lists.libreswan.org
Subject: Re: [Swan] Tunnels coming establishing and dropping quickly
On Wed, 17 May 2017, Madden, Joe wrote:
> We are having an issue with our Libreswan tunnels. They come up for a short amount of time before dropping off.
>
> May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/14x0" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
> May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/12x0" #5: STATE_PARENT_I1: sent v2I1, expected v2R1
> May 17 12:45:44 fw pluto[12003]: "ssl-nissen-1/13x0" #17: received Vendor ID payload [RFC 3947]
> May 17 12:45:44 fw pluto[12003]: "ssl-nissen-1/13x0" #17: received Vendor ID payload [FRAGMENTATION c0000000]
> May 17 12:45:44 fw pluto[12003]: "ssl-nissen-1/13x0" #17: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
> May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/11x0" #6: STATE_PARENT_I1: sent v2I1, expected v2R1
Looks like the other end does not like your proposal?
>
> conn ssl-iptrafficsig-1
> authby= secret
> auto= start
> type= tunnel
> forceencaps= no
> rekeymargin= 3m
> keyingtries= %forever
> salifetime= 8h
> ikelifetime= 24h
> ikev2= insist
> initial-contact= yes
> send_vendorid= yes
>
> #RTT
> left= 10.59.31.49
Please remove empty lines, those denote that a new conn section starts, and you might be missing part of your configuration.
> leftnexthop= 10.59.31.54
>
> #SAA
Same here.
> right= 54.247.187.81
> rightid= 54.247.187.81
> rightsubnet= 10.199.0.0/28
> ike= aes256-sha2_512;modp2048
> phase2= esp
> phase2alg= aes256-sha2_512;modp2048
> pfs= yes
> sha2_truncbug= no
>
> #Dead Peer Detection
And here.
> Strongswan configuration looks like this:
>
>
> ######### Connection to Mott NRTS Gateway-PSK #####
> conn motts_nrts_gateway
> type=tunnel
> authby=secret
> forceencaps=no
> keyexchange=ikev2
> left=10.199.0.4
> leftsubnet=10.199.0.0/28
> leftid=54.247.187.81
> #leftfirewall=yes
> rightfirewall=yes
> ike=aes256-sha2_512-modp2048
> esp=aes256-sha2_512-modp2048
> right=extip
> rightid=extip
> rightsubnet=10.1.176.0/25,10.1.178.0/26,10.1.160.64/27,10.1.162.64/27,10.1.170.0/25,10.2.74.64/29,10.2.166.0/26,10.2.130.64/28,10.2.168.10/32,10.2.168.11/32,10.1.172.10/32,10.1.172.11/32,172.21.12.0/26,172.21.13.0/26,172.21.15.0/26,10.2.170.0/26
> aggressive=no
> ikelifetime=24h
> keyingtries=%forever
> keylife=8h
> dpdaction=hold
> auto=start
> ######## End of MOTT NRTS Gateway Connection ###
>
>
> Does anyone have any suggestions to what could be the issue?
What does the strongswan log say?
Paul