[Swan] Libreswan 4.6: connection IKEv2 win10 to Linux freezes soon after Android device connects

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Fri Jan 14 00:36:14 EET 2022


Hello,

I tried to summarize in the title, and so far I have been able to 
associate the teardown of the Windows 10 data stream with a simultaneous 
IKEv2 connection that came in during the test signal (live TV stream) from 
an Android tablet on our test Linux server.

The Windows laptop had no realtime stream and no DNS resolution either. I 
did not check ping, but from the symptoms I suspect it wouldn't pass either.

This time I compiled without the USE_DH2=true and used it with 
ms-dh-downgrade=true.

conn MYCONN-ikev2-cp
         # The server's actual IP goes here - not elastic IPs
         left=161.53.235.3
         leftcert=vpn.alu.hr
         leftid=@vpn.alu.hr
         leftsendcert=always
         leftsubnet=0.0.0.0/0
         leftrsasigkey=%cert
         # Clients
         right=%any
         # your addresspool to use - you might need NAT rules if providing full internet to clients
         rightaddresspool=192.168.101.10-192.168.101.253
         # optional rightid with restrictions
         rightid="O=ALU-UNIZG,CN=win7client.alu.hr"
         rightca=%same
         rightrsasigkey=%cert
         #
         # connection configuration
         # DNS servers for clients to use
         modecfgdns=8.8.8.8,192.168.100.1
         # Versions up to 3.22 used modecfgdns1 and modecfgdns2
         #modecfgdns1=8.8.8.8
         #modecfgdns2=193.110.157.123
         narrowing=yes
         # recommended dpd/liveness to cleanup vanished clients
         dpddelay=30
         dpdtimeout=120
         dpdaction=clear
         auto=add
         ikev2=insist
         rekey=no
         esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1
         # esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
         # ikev2 fragmentation support requires libreswan 3.14 or newer
         fragmentation=yes
         # optional PAM username verification (eg to implement bandwidth quota
         # pam-authorize=yes
         ms-dh-downgrade=yes
         authby=rsa-sha1

Neither `ipsec showstates` nor Windows 10 reflected that the data 
stream was interrupted, and the same held for Android.

Here are session log [1] and log [2].
The interesting part is probably close to the end of both logs.

[1] https://domac.alu.hr/mtodorov/ikev2-20220113-01.log
[2] https://domac.alu.hr/mtodorov/ikev2-20220113-02.log

I will supply more information as I am testing. I wonder whether this is 
related to the removal of USE_DH2=true from the compilation, or whether the 
connection will be stable unless there is interference from another 
(Android) client. The Android had also lost connectivity, though the 
wizard said "Connected".

Hope this helps. I would have to revert to 4.5 and USE_DH2=true and I 
don't think it would be prudent to move it to the production VPN until 
we resolve such issues :-/

The accountant guy would think I'm incompetent if his VPN connection 
breaks in the middle of accounting salaries :-(

Any idea?

Kind regards,
Mirsad

--
Mirsad Goran Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
-- 
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355