[Swan] Libreswan 4.6: connection IKEv2 win10 to Linux freezes soon after Android device connects

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Fri Jan 14 08:08:58 EET 2022


Hello,

I can confirm that the IKEv2 connection was alive for the entire night 
of testing:

000 #80: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 
STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 27522s; 
newest; idle;
000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 
STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 6s; 
EXPIRE in 28536s; newest; eroute owner; IKE SA #80; idle;
000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164 esp.a8ff51a4 at 94.253.210.164 
esp.303eb9bd at 161.53.235.3 tun.0 at 94.253.210.164 tun.0 at 161.53.235.3 
Traffic: ESPin=1MB ESPout=41MB ESPmax=0B

Less than 10 seconds after initiating the IKEv2 connection from the Android 
tablet (Samsung Galaxy Tab S6 Lite), the connection was severed. But 
both ends still think it is connected:

000 #80: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 
STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 27299s; idle;
000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 
STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 28313s; 
IKE SA #80; idle;
000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164 esp.a8ff51a4 at 94.253.210.164 
esp.303eb9bd at 161.53.235.3 tun.0 at 94.253.210.164 tun.0 at 161.53.235.3 
Traffic: ESPin=2MB ESPout=105MB ESPmax=0B
000 #83: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855 
STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28745s; 
newest; idle;
000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855 
STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 5s; 
EXPIRE in 28745s; newest; eroute owner; IKE SA #83; idle;
000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164 esp.cf38d849 at 94.253.210.164 
esp.476cc068 at 161.53.235.3 tun.0 at 94.253.210.164 tun.0 at 161.53.235.3 
Traffic: ESPin=145KB ESPout=10MB ESPmax=0B

Now I tested ping 8.8.8.8 and it is also down, while 
whatismyipaddress.com shows that the Android tablet is connected. :-/

The session log is here (only the interesting event, not the entire 
night of testing): https://domac.alu.hr/mtodorov/ikev2-20220113-03.log

After I reconnected Windows 10, the Android device appears to be kicked out ...

But it isn't shown in `ipsec showstates`, as it still believes it has a 
connection to both devices:

000 #83: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855 
STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28290s; idle;
000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855 
STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 28290s; 
IKE SA #83; idle;
000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164 esp.cf38d849 at 94.253.210.164 
esp.476cc068 at 161.53.235.3 tun.0 at 94.253.210.164 tun.0 at 161.53.235.3 
Traffic: ESPin=864KB ESPout=12MB ESPmax=0B
000 #86: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 
STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28667s; 
newest; idle;
000 #87: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 
STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 17s; 
EXPIRE in 28667s; newest; eroute owner; IKE SA #86; idle;
000 #87: "MYCONN-ikev2-cp"[2] 94.253.210.164 esp.2dcf960 at 94.253.210.164 
esp.ea55d21d at 161.53.235.3 tun.0 at 94.253.210.164 tun.0 at 161.53.235.3 
Traffic: ESPin=2MB ESPout=9MB ESPmax=0B

On average, we will have only one user on the VPN most of the time, 
but two accountants could accidentally kick each other out, couldn't they?

I hope any of this helps.

BTW, the Android L2TP connection tested with 4.5 and USE_DH2=true did not 
connect from Android, while it did from Windows 10. I would like to have 
them all running stable and symmetrically.

Kind regards,
Mirsad Todorovac

On 1/13/2022 11:36 PM, Mirsad Goran Todorovac wrote:
> Hello,
>
> I tried to summarize in the title, and so far I have been able to 
> associate the teardown of the Windows 10 data stream with a simultaneous 
> IKEv2 connection that came during the test signal (live TV stream) 
> from an Android tablet on our test Linux server.
>
> The Windows laptop had neither the realtime stream nor DNS resolution. 
> I did not check ping, but from the symptoms I suspect it wouldn't pass 
> either.
>
> This time I compiled without the USE_DH2=true and used it with 
> ms-dh-downgrade=true.
>
> conn MYCONN-ikev2-cp
>         # The server's actual IP goes here - not elastic IPs
>         left=161.53.235.3
>         leftcert=vpn.alu.hr
>         leftid=@vpn.alu.hr
>         leftsendcert=always
>         leftsubnet=0.0.0.0/0
>         leftrsasigkey=%cert
>         # Clients
>         right=%any
>         # your addresspool to use - you might need NAT rules if providing full internet to clients
>         rightaddresspool=192.168.101.10-192.168.101.253
>         # optional rightid with restrictions
>         rightid="O=ALU-UNIZG,CN=win7client.alu.hr"
>         rightca=%same
>         rightrsasigkey=%cert
>         #
>         # connection configuration
>         # DNS servers for clients to use
>         modecfgdns=8.8.8.8,192.168.100.1
>         # Versions up to 3.22 used modecfgdns1 and modecfgdns2
>         #modecfgdns1=8.8.8.8
>         #modecfgdns2=193.110.157.123
>         narrowing=yes
>         # recommended dpd/liveness to cleanup vanished clients
>         dpddelay=30
>         dpdtimeout=120
>         dpdaction=clear
>         auto=add
>         ikev2=insist
>         rekey=no
>         esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1
>         # esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
>         # ikev2 fragmentation support requires libreswan 3.14 or newer
>         fragmentation=yes
>         # optional PAM username verification (eg to implement bandwidth quota
>         # pam-authorize=yes
>         ms-dh-downgrade=yes
>         authby=rsa-sha1
>
> Neither `ipsec showstates` nor Windows 10 reflected that the 
> data stream was interrupted, and neither did Android.
>
> Here are session log 1 and log 2.
> The interesting part is probably close to the end of both logs.
>
> [1] https://domac.alu.hr/mtodorov/ikev2-20220113-01.log
> [2] https://domac.alu.hr/mtodorov/ikev2-20220113-02.log
>
> I will supply more information as I am testing. I wonder if this is 
> related to the removal of USE_DH2=true from the compilation, or whether the 
> connection will be stable unless there is interference from another 
> (Android) client. The Android had also lost connectivity, though the 
> wizard said "Connected".
>
> Hope this helps. I would have to revert to 4.5 and USE_DH2=true and I 
> don't think it would be prudent to move it to the production VPN until 
> we resolve such issues :-/
>
> The accountant guy would think I'm incompetent if his VPN connection 
> breaks in the middle of accounting salaries :-(
>
> Any idea?
>
> Kind regards,
> Mirsad
>
> -- 
> Mirsad Goran Todorovac
> CARNet system engineer
> Faculty of Graphic Arts | Academy of Fine Arts
> University of Zagreb

--
Mirsad Goran Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
-- 
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
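Editor's added example, not part of the post or of Libreswan: a small Python check that parses the `ipsec showstates` lines quoted above and flags Child SAs that are still listed as established for the same connection instance and peer address but are no longer "eroute owner", which is exactly the state #81 was left in once the Android client's #84 came up behind the same NAT address. The sample input is constructed from the output in the post and the regex assumes the 4.6 line format shown there.

```python
import re
from collections import defaultdict

# Constructed sample, copied from the `ipsec showstates` output in the post: Windows 10
# client (#80/#81) and Android client (#83/#84) behind the same NAT address 94.253.210.164.
SHOWSTATES = """\
000 #80: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 27299s; idle;
000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 28313s; IKE SA #80; idle;
000 #83: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28745s; newest; idle;
000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 5s; EXPIRE in 28745s; newest; eroute owner; IKE SA #83; idle;
"""

# Matches only Child SA summary lines; the esp./tun. traffic lines have no ':port' and are skipped.
CHILD_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)"(?P<inst>\[\d+\])? '
    r'(?P<peer>[\d.]+):(?P<port>\d+) STATE_V2_ESTABLISHED_CHILD_SA [^;]*;(?P<flags>.*)$')

def parse_child_sas(text):
    """One dict per established Child SA: number, connection instance,
    peer IP/port, parent IKE SA and the 'newest' / 'eroute owner' flags."""
    sas = []
    for m in filter(None, map(CHILD_RE.match, text.splitlines())):
        flags = [f.strip() for f in m.group("flags").split(";") if f.strip()]
        ike = [f.split("#")[1] for f in flags if f.startswith("IKE SA #")]
        sas.append({
            "sa": int(m.group("sa")),
            "conn": m.group("conn") + (m.group("inst") or ""),
            "peer": m.group("peer"), "port": int(m.group("port")),
            "ike_sa": int(ike[0]) if ike else None,
            "newest": "newest" in flags,
            "eroute_owner": "eroute owner" in flags,
        })
    return sas

def find_orphaned_child_sas(sas):
    """Group Child SAs by (connection instance, peer IP). When several are
    established for one key but only one owns the eroute, the rest are still
    listed yet carry no traffic. Returns (orphan SA, its NAT port, owner SA)."""
    by_key = defaultdict(list)
    for sa in sas:
        by_key[(sa["conn"], sa["peer"])].append(sa)
    orphans = []
    for group in by_key.values():
        owners = [s for s in group if s["eroute_owner"]]
        if len(group) > 1 and len(owners) == 1:
            for s in group:
                if not s["eroute_owner"]:
                    orphans.append((s["sa"], s["port"], owners[0]["sa"]))
    return orphans
```

Running it against live output (`ipsec showstates | python3 check.py` style) turns the "both ends still think it is connected" symptom into an alert that names the SA that silently lost the route.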


