[Swan] Swan Digest, Vol 97, Issue 17
Hans-Jürgen Brand
H-J.Brand at technology-experts.de
Fri Jan 22 13:39:01 UTC 2021
Hello i had the problem with the disconnect in 3.9xx ? I changed to 4.1 and change the config. Now it is working. Here is the part from config
--
fragmentation=yes
nat-keepalive=yes
leftmodecfgserver=yes
modecfgpull=yes
modecfgdns=172.20.129.150,8.8.8.8
leftsubnet=0.0.0.0/0
rekey=no
---
-----Ursprüngliche Nachricht-----
Von: Swan <swan-bounces at lists.libreswan.org> Im Auftrag von swan-request at lists.libreswan.org
Gesendet: Freitag, 22. Januar 2021 13:06
An: swan at lists.libreswan.org
Betreff: Swan Digest, Vol 97, Issue 17
Send Swan mailing list submissions to
swan at lists.libreswan.org
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.libreswan.org/mailman/listinfo/swan
or, via email, send a message with subject or body 'help' to
swan-request at lists.libreswan.org
You can reach the person managing the list at
swan-owner at lists.libreswan.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Swan digest..."
Today's Topics:
1. Re: disconnect after 3600s (Ant?nio Silva)
----------------------------------------------------------------------
Message: 1
Date: Fri, 22 Jan 2021 12:06:14 +0000
From: Ant?nio Silva <asilva at wirelessmundi.com>
To: Michael Schwartzkopff <ms at sys4.de>
Cc: swan at lists.libreswan.org
Subject: Re: [Swan] disconnect after 3600s
Message-ID: <B057A2B8-742B-4A75-9139-54617EDAB560 at wirelessmundi.com>
Content-Type: text/plain; charset="utf-8"
I just change my configuration adding ?rekey=yes?, waiting for the next hour do check the results.
--
Saludos / Regards / Cumprimentos
Ant?nio Silva
> On 22 Jan 2021, at 12:02, Ant?nio Silva <asilva at wirelessmundi.com> wrote:
>
> Hi,
>
> I?m having the same issue, after upgrading the server side to version 4.1, every hour the tunnel disconnects, restarting the client side only makes it work again.
>
>
> Here is the logs from the server side when the tunnel is reconnecting after an 1h:
>
> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93:
> initiating IKEv1 Main Mode connection to replace #89 Jan 22 12:37:36
> sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: sent Main Mode
> request, replacing #89 Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10]
> 95.61.168.133 #94: responding to Main Mode from unknown peer
> 95.61.168.133:500 Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10]
> 95.61.168.133 #94: sent Main Mode R1 Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: sent Main Mode R2 Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133: queuing pending IPsec SA negotiating with 95.61.168.133 IKE SA #93 "tunnel8"[10] 95.61.168.133 Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: Peer ID is ID_IPV4_ADDR: '192.168.1.2'
> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: IKE
> SA established {auth=PRESHARED_KEY cipher=AES_CBC_256
> integ=HMAC_SHA2_256 group=MODP2048} Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: XAUTH: Sending Username/Password request (MAIN_R3->XAUTH_R0) Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: XAUTH: password file authentication method requested to authenticate user 'asilvapt at remote.local <mailto:asilvapt at remote.local>'
> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: XAUTH: password file (/etc/ipsec.d/passwd) open.
> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94:
> XAUTH: success user(asilvapt at remote.local
> <mailto:asilvapt at remote.local>:(null))
> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94:
> XAUTH: User asilvapt at remote.local <mailto:asilvapt at remote.local>:
> Authentication Successful Jan 22 12:37:36 sol pluto[24350]:
> "tunnel8"[10] 95.61.168.133 #94: XAUTH: xauth_inR1(STF_OK) Jan 22
> 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: IKE SA
> established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256
> group=MODP2048} Jan 22 12:37:36 sol pluto[24350]: | pool
> 192.168.20.2-192.168.20.2: growing address pool from 0 to 1 Jan 22
> 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94:
> modecfg_inR0(STF_OK) Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: sent ModeCfg reply, expecting Ack {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response Jan 22 12:37:37 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: sent Main Mode I2 Jan 22 12:37:37 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: sent Main Mode I3 Jan 22 12:37:37 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: Peer ID is ID_IPV4_ADDR: '192.168.1.2'
> Jan 22 12:37:37 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: IKE
> SA established {auth=PRESHARED_KEY cipher=AES_CBC_256
> integ=HMAC_SHA2_256 group=MODP2048} Jan 22 12:37:37 sol pluto[24350]:
> "tunnel8"[10] 95.61.168.133 #93: XAUTH: Sending Username/Password
> request (MAIN_I4->XAUTH_R0) Jan 22 12:37:37 sol pluto[24350]:
> "tunnel8"[10] 95.61.168.133 #93: ignoring informational payload
> CERTIFICATE_UNAVAILABLE, msgid=00000000, length=12 Jan 22 12:37:37 sol
> pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: received and ignored
> notification payload: CERTIFICATE_UNAVAILABLE Jan 22 12:42:06 sol
> pluto[24350]: "tunnel8"[10] 95.61.168.133 #89: deleting state
> (STATE_MODE_CFG_R1) aged 3600.266987s and sending notification Jan 22
> 12:42:06 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #90: deleting
> state (STATE_QUICK_R2) aged 3600.089852s and sending notification Jan
> 22 12:42:06 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #90: ESP
> traffic information: in=11MB out=30MB XAUTHuser=asilvapt at remote.local
> <mailto:XAUTHuser=asilvapt at remote.local>
> Jan 22 12:42:06 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #90: Warning: XAUTH username changed from '' to 'asilvaptremote.local'
> Jan 22 12:42:06 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93:
> ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x3e9fbbf6) not found (maybe expired) Jan 22 12:42:06 sol pluto[24350]: ignoring found existing connection instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE state #93 and IPsec state #0 - due to duplicate acquire?
> Jan 22 12:42:36 sol pluto[24350]: existing bare shunt found - refusing
> to add a duplicate Jan 22 12:42:36 sol pluto[24350]: ignoring found existing connection instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE state #93 and IPsec state #0 - due to duplicate acquire?
> Jan 22 12:42:36 sol pluto[24350]: existing bare shunt found - refusing
> to add a duplicate Jan 22 12:42:36 sol pluto[24350]: ignoring found existing connection instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE state #93 and IPsec state #0 - due to duplicate acquire?
> Jan 22 12:43:06 sol pluto[24350]: existing bare shunt found - refusing
> to add a duplicate Jan 22 12:43:06 sol pluto[24350]: ignoring found existing connection instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE state #93 and IPsec state #0 - due to duplicate acquire?
> Jan 22 12:43:36 sol pluto[24350]: existing bare shunt found - refusing
> to add a duplicate Jan 22 12:43:36 sol pluto[24350]: ignoring found existing connection instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE state #93 and IPsec state #0 - due to duplicate acquire?
> Jan 22 12:44:06 sol pluto[24350]: existing bare shunt found - refusing
> to add a duplicate Jan 22 12:44:06 sol pluto[24350]: ignoring found existing connection instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE state #93 and IPsec state #0 - due to duplicate acquire?
> Jan 22 12:44:37 sol pluto[24350]: existing bare shunt found - refusing
> to add a duplicate Jan 22 12:44:37 sol pluto[24350]: ignoring found existing connection instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE state #93 and IPsec state #0 - due to duplicate acquire?
> Jan 22 12:45:07 sol pluto[24350]: existing bare shunt found - refusing
> to add a duplicate Jan 22 12:45:07 sol pluto[24350]: ignoring found existing connection instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE state #93 and IPsec state #0 - due to duplicate acquire?
> Jan 22 12:45:12 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93:
> received Delete SA payload: self-deleting ISAKMP State #93
>
>
>
>
> My configuration:
> conn tunnel8-aggr
> aggrmode=yes
> also=tunnel8
>
> conn tunnel8
> pfs=no
> type=tunnel
> auto=add
> ikev2=no
> phase2=esp
> authby=secret
> keyingtries=3
> ikelifetime=24h
> salifetime=1h
> left=92.211.123.17
> leftsubnet=0.0.0.0/0
> leftid=@xauth.remote.local <mailto:leftid=@xauth.remote.local>
> right=%any
> rightid=%any
> rightaddresspool=192.168.20.100-192.168.20.254
> dpddelay=30
> dpdtimeout=300
> dpdaction=clear
> leftxauthserver=yes
> rightxauthclient=yes
> leftmodecfgserver=yes
> rightmodecfgclient=yes
> modecfgpull=yes
> fragmentation=yes
> xauthby=file
>
>
>
>
>
>
> --
> Saludos / Regards / Cumprimentos
> Ant?nio Silva
>
>
>
>
>> On 21 Jan 2021, at 20:01, Michael Schwartzkopff <ms at sys4.de <mailto:ms at sys4.de>> wrote:
>>
>> On 21.01.21 20:53, Kontakt wrote:
>>> Hello,
>>> I have a problem. ipsec tunnel compiled on libreswan 4.1 (centos 8)
>>> for 1 client causes it to disconnect after 3600s. the same
>>> configuration on libreswan 3.23 (centos 7) does not cause such
>>> problems. conf file, password, iptables, entries in routing table identical.
>>> I checked sysctl - identical. the only difference is selinux (centos
>>> 7 has enforce, centos 8 disabled).
>>>
>>> libreswan 3.23 (centos 7):
>>>
>>> *ipsec verify*Verifying installed system and configuration files
>>>
>>> Version check and ipsec on-path [OK] Libreswan 3.23 (netkey) on
>>> 3.10.0-862.3.2.el7.x86_64 Checking for IPsec support in kernel [OK]
>>> NETKEY: Testing XFRM related proc values
>>> ICMP default / send_redirects [NOT DISABLED]
>>>
>>> Disable / proc / sys / net / ipv4 / conf / * / send_redirects or
>>> NETKEY will act on or cause sending of bogus ICMP redirects!
>>>
>>> ICMP default / accept_redirects [OK]
>>> XFRM larval drop [OK]
>>> Pluto ipsec.conf syntax [OK]
>>> Two or more interfaces found, checking IP forwarding [OK] Checking
>>> rp_filter [ENABLED] / proc / sys / net / ipv4 / conf / all /
>>> rp_filter [ENABLED] / proc / sys / net / ipv4 / conf / default /
>>> rp_filter [ENABLED] / proc / sys / net / ipv4 / conf / em1 /
>>> rp_filter [ENABLED] / proc / sys / net / ipv4 / conf / em2 /
>>> rp_filter [ENABLED] / proc / sys / net / ipv4 / conf / ip_vti0 /
>>> rp_filter [ENABLED]
>>> rp_filter is not fully aware of IPsec and should be disabled
>>> Checking that pluto is running [OK] Pluto listening for IKE on udp
>>> 500 [OK] Pluto listening for IKE / NAT-T on udp 4500 [OK] Pluto
>>> ipsec.secret syntax [OK] Checking 'ip' command [OK] Checking
>>> 'iptables' command [OK] Checking 'prelink' command does not
>>> interfere with FIPS [OK] Checking for obsolete ipsec.conf options
>>> [OK]
>>>
>>> ipsec verify: encountered 12 errors - see 'man ipsec_verify' for
>>> help
>>>
>>> *And for libreswan 4.1 (centos 8):*
>>> * ipsec verify*
>>>
>>> Verifying installed system and configuration files
>>>
>>> Version check and ipsec on-path [OK] Libreswan 4.1 (netkey) on
>>> 4.18.0-193.28.1.el8_2.x86_64 Checking for IPsec support in kernel
>>> [OK]
>>> NETKEY: Testing XFRM related proc values
>>> ICMP default / send_redirects [OK]
>>> ICMP default / accept_redirects [OK]
>>> XFRM larval drop [OK]
>>> Pluto ipsec.conf syntax [OK]
>>> Checking rp_filter [OK]
>>> Checking that pluto is running [OK]
>>> Pluto listening for IKE on udp 500 [OK] Pluto listening for IKE /
>>> NAT-T on udp 4500 [OK] Pluto ipsec.secret syntax [OK] Checking 'ip'
>>> command [OK] Checking 'iptables' command [OK] Checking 'prelink'
>>> command does not interfere with FIPS [OK] Checking for obsolete
>>> ipsec.conf options [OK]
>>>
>>> Where to look for the problem?
>>>
>>>
>>>
>>> _______________________________________________
>>> Swan mailing list
>>> Swan at lists.libreswan.org <mailto:Swan at lists.libreswan.org>
>>> https://lists.libreswan.org/mailman/listinfo/swan
>>> <https://lists.libreswan.org/mailman/listinfo/swan>
>>
>>
>> Logs? of both sides?
>>
>> Seems the child negotiation somehow fails. But the reason should be in the logs.
>>
>>
>>
>> Mit freundlichen Gr??en,
>>
>> --
>>
>> [*] sys4 AG
>>
>> https://sys4.de <https://sys4.de/>, +49 (89) 30 90 46 64
>> Schlei?heimer Stra?e 26/MG,80333 M?nchen
>>
>> Sitz der Gesellschaft: M?nchen, Amtsgericht M?nchen: HRB 199263
>> Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
>> Aufsichtsratsvorsitzender: Florian Kirstein
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org <mailto:Swan at lists.libreswan.org>
>> https://lists.libreswan.org/mailman/listinfo/swan
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20210122/2848a24a/attachment.html>
------------------------------
Subject: Digest Footer
_______________________________________________
Swan mailing list
Swan at lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
------------------------------
End of Swan Digest, Vol 97, Issue 17
************************************
More information about the Swan
mailing list