[Swan] Libreswan 4.6: connection IKEv2 win10 to Linux freezes soon after Android device connects
Mirsad Goran Todorovac
mirsad.todorovac at alu.unizg.hr
Fri Jan 14 08:08:58 EET 2022
Hello,
I can confirm that the IKEv2 connection was alive for the entire night
of testing:
000 #80: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500
STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 27522s;
newest; idle;
000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500
STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 6s;
EXPIRE in 28536s; newest; eroute owner; IKE SA #80; idle;
000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164 esp.a8ff51a4 at 94.253.210.164
esp.303eb9bd at 161.53.235.3 tun.0 at 94.253.210.164 tun.0 at 161.53.235.3
Traffic: ESPin=1MB ESPout=41MB ESPmax=0B
Less than 10 seconds after initiating an IKEv2 connection from the Android
tablet (Samsung Galaxy Tab S6 Lite), the connection was severed. But
both ends still think it is connected:
000 #80: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500
STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 27299s; idle;
000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500
STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 28313s;
IKE SA #80; idle;
000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164 esp.a8ff51a4 at 94.253.210.164
esp.303eb9bd at 161.53.235.3 tun.0 at 94.253.210.164 tun.0 at 161.53.235.3
Traffic: ESPin=2MB ESPout=105MB ESPmax=0B
000 #83: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855
STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28745s;
newest; idle;
000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855
STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 5s;
EXPIRE in 28745s; newest; eroute owner; IKE SA #83; idle;
000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164 esp.cf38d849 at 94.253.210.164
esp.476cc068 at 161.53.235.3 tun.0 at 94.253.210.164 tun.0 at 161.53.235.3
Traffic: ESPin=145KB ESPout=10MB ESPmax=0B
Now I tested ping 8.8.8.8 and it is also down, while
whatismyipaddress.com shows that the Android tablet is connected. :-/
The session log is here (only the interesting event, not the entire
night of testing): https://domac.alu.hr/mtodorov/ikev2-20220113-03.log
After I reconnected Windows 10, the Android device appears to have been kicked out ...
But it isn't shown in `ipsec showstates`, which still believes it has a
connection to both devices:
000 #83: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855
STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28290s; idle;
000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855
STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 28290s;
IKE SA #83; idle;
000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164 esp.cf38d849 at 94.253.210.164
esp.476cc068 at 161.53.235.3 tun.0 at 94.253.210.164 tun.0 at 161.53.235.3
Traffic: ESPin=864KB ESPout=12MB ESPmax=0B
000 #86: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500
STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28667s;
newest; idle;
000 #87: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500
STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 17s;
EXPIRE in 28667s; newest; eroute owner; IKE SA #86; idle;
000 #87: "MYCONN-ikev2-cp"[2] 94.253.210.164 esp.2dcf960 at 94.253.210.164
esp.ea55d21d at 161.53.235.3 tun.0 at 94.253.210.164 tun.0 at 161.53.235.3
Traffic: ESPin=2MB ESPout=9MB ESPmax=0B
On average, we will have only one user on the VPN most of the time,
but two accountants could accidentally kick each other out, couldn't they?
I hope any of this helps.
BTW, the Android L2TP connection tested with 4.5 and USE_DH2=true did not
connect from Android, while it did from Windows 10. I would like to have
them all running stably and symmetrically.
Kind regards,
Mirsad Todorovac
On 1/13/2022 11:36 PM, Mirsad Goran Todorovac wrote:
> Hello,
>
> I tried to summarize in the title, and so far I have been able to
> associate the teardown of Windows 10 data stream with a simultaneous
> IKEv2 connection that came during the test signal (live TV stream)
> from an Android tablet on our test Linux server.
>
> The Windows laptop had no real-time stream and no DNS resolution either.
> I did not check ping, but from the symptoms I suspect it wouldn't pass
> either.
>
> This time I compiled without the USE_DH2=true and used it with
> ms-dh-downgrade=true.
>
> conn MYCONN-ikev2-cp
> # The server's actual IP goes here - not elastic IPs
> left=161.53.235.3
> leftcert=vpn.alu.hr
> leftid=@vpn.alu.hr
> leftsendcert=always
> leftsubnet=0.0.0.0/0
> leftrsasigkey=%cert
> # Clients
> right=%any
> # your addresspool to use - you might need NAT rules if providing full internet to clients
> rightaddresspool=192.168.101.10-192.168.101.253
> # optional rightid with restrictions
> rightid="O=ALU-UNIZG,CN=win7client.alu.hr"
> rightca=%same
> rightrsasigkey=%cert
> #
> # connection configuration
> # DNS servers for clients to use
> modecfgdns=8.8.8.8,192.168.100.1
> # Versions up to 3.22 used modecfgdns1 and modecfgdns2
> #modecfgdns1=8.8.8.8
> #modecfgdns2=193.110.157.123
> narrowing=yes
> # recommended dpd/liveness to cleanup vanished clients
> dpddelay=30
> dpdtimeout=120
> dpdaction=clear
> auto=add
> ikev2=insist
> rekey=no
> esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1
>
> #
> esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
> # ikev2 fragmentation support requires libreswan 3.14 or newer
> fragmentation=yes
> # optional PAM username verification (eg to implement bandwidth quota)
> # pam-authorize=yes
> ms-dh-downgrade=yes
> authby=rsa-sha1
>
> Neither `ipsec showstates` nor Windows 10 reflected that the
> data stream was interrupted, and neither did Android.
>
> Here are session log [1] and log [2].
> The interesting part is probably close to the end of both logs.
>
> [1] https://domac.alu.hr/mtodorov/ikev2-20220113-01.log
> [2] https://domac.alu.hr/mtodorov/ikev2-20220113-02.log
>
> I will supply more information as I am testing. I wonder whether this is
> related to the removal of USE_DH2=true from the compilation, or whether the
> connection will be stable unless there is interference from another
> (Android) client. The Android had also lost connectivity, though the
> wizard said "Connected".
>
> Hope this helps. I would have to revert to 4.5 and USE_DH2=true and I
> don't think it would be prudent to move it to the production VPN until
> we resolve such issues :-/
>
> The accountant guy would think I'm incompetent if his VPN connection
> breaks in the middle of accounting salaries :-(
>
> Any idea?
>
> Kind regards,
> Mirsad
>
> --
> Mirsad Goran Todorovac
> CARNet system engineer
> Faculty of Graphic Arts | Academy of Fine Arts
> University of Zagreb
--
Mirsad Goran Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
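The pattern visible in the `ipsec showstates` dumps above (once IKE SA #83 / Child SA #84 come up from the same public address, the older #80 / #81 pair loses its "newest", "LIVENESS" and "eroute owner" flags but stays listed as established) can be checked for automatically. This is an added example, not code from the thread or from Libreswan; the parser, the regex describing the line shape and the `SAMPLE` lines (abridged from the dumps in this mail) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: abridged 'ipsec showstates' lines in the shape shown in this
# thread, where #80/#81 have already lost "newest"/"eroute owner" to #83/#84.
SAMPLE = """\
000 #80: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 27299s; idle;
000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 28313s; IKE SA #80; idle;
000 #83: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28745s; newest; idle;
000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 5s; EXPIRE in 28745s; newest; eroute owner; IKE SA #83; idle;
"""

# Assumed line shape: "000 #N: "conn"[inst] peer:port STATE_... (...); flag; flag; ..."
STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)"(?P<inst>\[\d+\])? '
    r'(?P<peer>[\d.]+):(?P<port>\d+) (?P<state>STATE_\S+) \([^)]*\);(?P<flags>.*)$'
)

def parse_states(text):
    """One dict per state line; 'Traffic:' and ESP-SPI lines do not match and are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["num"] = int(rec["num"])
        flags = {f.strip() for f in rec["flags"].split(";") if f.strip()}
        rec["newest"] = "newest" in flags
        rec["eroute_owner"] = "eroute owner" in flags
        rec["liveness"] = any(f.startswith("LIVENESS") for f in flags)
        states.append(rec)
    return states

def stale_child_sas(states):
    """Child SA numbers that are still 'established' but no longer own the eroute while
    another Child SA of the same connection instance and peer IP does: traffic for
    that client is now routed through the newer SA, so the old one is effectively dead."""
    by_key = defaultdict(list)
    for s in states:
        if s["state"] == "STATE_V2_ESTABLISHED_CHILD_SA":
            by_key[(s["conn"], s["inst"], s["peer"])].append(s)
    stale = []
    for sas in by_key.values():
        if any(s["eroute_owner"] for s in sas):
            stale += [s["num"] for s in sas if not s["eroute_owner"]]
    return sorted(stale)

if __name__ == "__main__":
    for n in stale_child_sas(parse_states(SAMPLE)):
        print(f"Child SA #{n}: established but no longer eroute owner (likely orphaned)")
```

Run it against the real `ipsec showstates` output (with the wrapped lines rejoined) to spot the orphaned SA before a user reports that their stream stopped.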