[Swan] Fwd: Problem with random rekey failures
Miguel Ponce Antolin
mponce at paradigmadigital.com
Wed Jun 16 06:54:44 UTC 2021
Hi and thank you so much Paul for your answer.
We were thinking to upgrade it, so we are going to try it. Thanks for the
binary compiled, I had just compiled it yesterday but I prefer this way.
Some questions that came to me with the upgrade option,
- Is it still needed to separate the rightsubnets? And do you create them
on different files? I have understood that you create them on the same conf
file.
- The ikelifetime and salifetime for rekeying is still a problem on version
4.4-1?, I think it is recommended anyway.
Thanks again,
Best Regards!
El mar, 15 jun 2021 a las 17:40, Paul Wouters (<paul at nohats.ca>) escribió:
> On Tue, 15 Jun 2021, Miguel Ponce Antolin wrote:
>
> > I have been suffering a random problem with libreswan v3.25 when
> connecting an AWS EC2 Instance running Libreswan and a Cisco ASA on the
> other end.
>
> Is it possible to test v4.4 ? We have rpms build on
> download.libreswan.org/binaries/
>
> Specifically, with the many subnets you are likely needing this fix from
> 4.4:
>
> * IKEv2: Connections would not always switch when needed [Andrew/Paul]
>
> But the changelog between 3.25 and 4.4 is huge. There might be other
> items you need too.
>
> Alternatively, you can try and split up your subnetS into different
> conns, eg:
>
>
> conn vpn
> type=tunnel
> authby=secret
> # use auto=ignore, will be read in via also= statements
> auto=ignore
> left=%defaultroute
> leftid=xxx.xxx.xxx.120
> leftsubnets=xxx.xxx.xxx.80/28
> right=xxx.xxx.xxx.45
> rightid=xxx.xxx.xxx.45
> # no rightsubnet= here
> # dont use this with more than one subnet...
> leftsourceip=xxx.xxx.xxx.92
> ikev2=insist
> ike=aes256-sha2;dh14
> esp=aes256-sha256
> keyexchange=ike
> ikelifetime=28800s
> salifetime=28800s
> dpddelay=30
> dpdtimeout=120
> dpdaction=restart
> encapsulation=no
>
> conn vpn-1
> also=vpn
> auto=start
> rightsubnet=10.subnet.1.0/22
>
> conn vpn-2
> also=vpn
> auto=start
> rightsubnet=10.subnet.2.0/20
>
> [...]
>
> conn vpn-18
> also=vpn
> auto=start
> rightsubnet=10.subnet.18.9/32
>
>
> This uses a slightly different code path to get all the tunnels loaded and
> active.
>
> > We tried to "force" to reconnect using the ping command to an IP in
> various rightsubnets but when the problem is active we continously are
> seeing this
> > kind of logs:
>
> That would be hacky and not really solve race conditions.
>
> > Jun 11 11:17:25.795153: "vpn/1x15" #221: message id deadlock? wait
> sending, add to send next list using parent #165 unacknowledged 1 next
> message
> > id=63 ike exchange window 1
>
> Note that this is a bit of a concern. You can only have one IKE message
> outstanding, and this indicates that the Cisco might not be answering
> that outstanding message, and so the only thing libreswan can do is
> wait longer or restart _everything_ related to that IKE SA, so that
> means all tunnels. We did reduce the change of message id deadlock
> some point in the past with our pending() code, so again tetsing
> with an upgraded libreswan would be a useful test.
>
> > Is there any troubleshooting we could do in order to know where the
> rekey request is lost or why is not trying to rekey at all when this
> problem is
> > active?
>
> Depending on what the issues are, you can try to ensure either libreswan
> or Cisco is always the rekey initiator by tweaking the ikelifetime and
> salifetime. Eg try ikelifetime=24h with salifetime=8h and most likely
> Cisco will trigger all the rekeys. Or use ikelifetime=2h and
> salifetime=1h to make libreswan likely always initiate the rekeys.
>
> Paul
>
--
[image: Logo Especialidad]
*Miguel Ponce Antolín.*
Sistemas · +34 670 360 655
[image: Linea]
[image: Logo Paradigma] · paradig.ma <https://www.paradigmadigital.com/>
· contáctanos <https://www.paradigmadigital.com/contacto> · [image:
Twitter] <https://twitter.com/paradigmate> [image: Youtube]
<https://www.youtube.com/user/ParadigmaTe?feature=watch> [image: Linkedin]
<https://www.linkedin.com/company/paradigma-digital/> [image: Instagram]
<https://www.instagram.com/paradigma_digital/?hl=es>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20210616/08452fe3/attachment-0001.html>
More information about the Swan
mailing list