[Swan] Libreswan 4.6: connection IKEv2 win10 to Linux freezes soon after Android device connects
Mirsad Goran Todorovac
mirsad.todorovac at alu.hr
Fri Jan 14 10:26:31 EET 2022
P.P.S.
I apologize, the table was garbled by Thunderbird, so I will repost
it as a snip:
Sorry for the inconvenience.
Kind regards,
Mirsad Todorovac
On 1/14/2022 9:21 AM, Mirsad Goran Todorovac wrote:
> P.S.
>
> I am testing the stuff more thoroughly for interoperability. :-)
>
> Apparently, it works according to this compatibility matrix:
>
>                      L2TP     L2TP     IKEv2    IKEv2    multiple  multiple
>                      win 10   Android  win10    Android  connect   connect
>                      connect  connect  connect  connect  L2TP      IKEv2
>
> 4.5 USE_DH2=true     +        +        +        +        +         -
> 4.5 USE_DH2=false    not tested
> 4.6 USE_DH2=true     +        +        +        +        +         -
> 4.6 USE_DH2=false    +        -        +        +        +         -
>
> Android includes testing both on Samsung Galaxy A22 5G phone and Tab
> S6 Lite tablet.
>
> Apparently, concurrent 4.5 USE_DH2=true or IKEv2 doesn't work either,
> so I may have to revert our accountant's settings to the L2TP
> connection, despite it being slower, for it seems awkward that I might
> preempt his accounting session while testing the stuff.
>
> It seems that I rushed things a bit with the upgrade to IKEv2,
> thinking that it would be just as safe as the L2TP setup?
> Is there something I'm doing wrong in the ikev2.conf below, or is it a
> bug in libreswan? It seems unlikely that such behavior was left
> unnoticed until now, but at least it appears that it is not a
> regression in 4.6 compared to 4.5. :-/
>
> I hope this helps, and I am hoping there is a workaround or fix.
> (I am currently testing concurrent L2TP from 3 devices for several
> hours ...).
>
> Kind regards,
> Mirsad Todorovac
>
> On 1/14/2022 7:08 AM, Mirsad Goran Todorovac wrote:
>> Hello,
>>
>> I can confirm that the IKEv2 connection was alive for the entire
>> night of testing:
>>
>> 000 #80: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 27522s; newest; idle;
>> 000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 6s; EXPIRE in 28536s; newest; eroute owner; IKE SA #80; idle;
>> 000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164 esp.a8ff51a4@94.253.210.164 esp.303eb9bd@161.53.235.3 tun.0@94.253.210.164 tun.0@161.53.235.3 Traffic: ESPin=1MB ESPout=41MB ESPmax=0B
>>
>> Less than 10 seconds after initiating the IKEv2 connection from the
>> Android tablet (Samsung Galaxy Tab S6 Lite), the connection was
>> severed. But both ends still think it is connected:
>>
>> 000 #80: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 27299s; idle;
>> 000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 28313s; IKE SA #80; idle;
>> 000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164 esp.a8ff51a4@94.253.210.164 esp.303eb9bd@161.53.235.3 tun.0@94.253.210.164 tun.0@161.53.235.3 Traffic: ESPin=2MB ESPout=105MB ESPmax=0B
>> 000 #83: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28745s; newest; idle;
>> 000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 5s; EXPIRE in 28745s; newest; eroute owner; IKE SA #83; idle;
>> 000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164 esp.cf38d849@94.253.210.164 esp.476cc068@161.53.235.3 tun.0@94.253.210.164 tun.0@161.53.235.3 Traffic: ESPin=145KB ESPout=10MB ESPmax=0B
>>
>> Now I tested ping 8.8.8.8 and it is also down, while
>> whatismyipaddress.com shows that the Android tablet is connected. :-/
>>
>> The session log is here (only the interesting event, not the entire
>> night of testing): https://domac.alu.hr/mtodorov/ikev2-20220113-03.log
>>
>> After I reconnected Windows 10, the Android device appears to be kicked
>> out ...
>>
>> But it isn't shown in `ipsec showstates`, as it still believes it has a
>> connection to both devices:
>>
>> 000 #83: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28290s; idle;
>> 000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 28290s; IKE SA #83; idle;
>> 000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164 esp.cf38d849@94.253.210.164 esp.476cc068@161.53.235.3 tun.0@94.253.210.164 tun.0@161.53.235.3 Traffic: ESPin=864KB ESPout=12MB ESPmax=0B
>> 000 #86: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28667s; newest; idle;
>> 000 #87: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 17s; EXPIRE in 28667s; newest; eroute owner; IKE SA #86; idle;
>> 000 #87: "MYCONN-ikev2-cp"[2] 94.253.210.164 esp.2dcf960@94.253.210.164 esp.ea55d21d@161.53.235.3 tun.0@94.253.210.164 tun.0@161.53.235.3 Traffic: ESPin=2MB ESPout=9MB ESPmax=0B
>>
>> On average, we will have only one user on the VPN most of the time,
>> but two accountants could accidentally kick each other out, couldn't
>> they?
>>
>> I hope any of this helps.
>>
>> BTW, Android L2TP connection tested with 4.5 USE_DH2=true did not
>> connect from Android, while it did from Windows 10. I would like to
>> have them all running stable and symmetrically.
>>
>> Kind regards,
>> Mirsad Todorovac
>>
>> On 1/13/2022 11:36 PM, Mirsad Goran Todorovac wrote:
>>> Hello,
>>>
>>> I tried to summarize in the title, and so far I have been able to
>>> associate the teardown of the Windows 10 data stream with a simultaneous
>>> IKEv2 connection that came during the test signal (live TV stream)
>>> from an Android tablet on our test Linux server.
>>>
>>> The Windows laptop had no realtime stream and no DNS
>>> resolution. I did not check ping, but judging by the symptoms I suspect
>>> it wouldn't pass either.
>>>
>>> This time I compiled without the USE_DH2=true and used it with
>>> ms-dh-downgrade=true.
>>>
>>> conn MYCONN-ikev2-cp
>>>     # The server's actual IP goes here - not elastic IPs
>>>     left=161.53.235.3
>>>     leftcert=vpn.alu.hr
>>>     leftid=@vpn.alu.hr
>>>     leftsendcert=always
>>>     leftsubnet=0.0.0.0/0
>>>     leftrsasigkey=%cert
>>>     # Clients
>>>     right=%any
>>>     # your addresspool to use - you might need NAT rules if
>>>     # providing full internet to clients
>>>     rightaddresspool=192.168.101.10-192.168.101.253
>>>     # optional rightid with restrictions
>>>     rightid="O=ALU-UNIZG,CN=win7client.alu.hr"
>>>     rightca=%same
>>>     rightrsasigkey=%cert
>>>     #
>>>     # connection configuration
>>>     # DNS servers for clients to use
>>>     modecfgdns=8.8.8.8,192.168.100.1
>>>     # Versions up to 3.22 used modecfgdns1 and modecfgdns2
>>>     #modecfgdns1=8.8.8.8
>>>     #modecfgdns2=193.110.157.123
>>>     narrowing=yes
>>>     # recommended dpd/liveness to cleanup vanished clients
>>>     dpddelay=30
>>>     dpdtimeout=120
>>>     dpdaction=clear
>>>     auto=add
>>>     ikev2=insist
>>>     rekey=no
>>>     esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1
>>>
>>>     #
>>>     esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
>>>     # ikev2 fragmentation support requires libreswan 3.14 or newer
>>>     fragmentation=yes
>>>     # optional PAM username verification (eg to implement
>>>     # bandwidth quota)
>>>     # pam-authorize=yes
>>>     ms-dh-downgrade=yes
>>>     authby=rsa-sha1
>>>
>>> Neither `ipsec showstates` nor Windows 10 reflected that the
>>> data stream was interrupted, and neither did Android.
>>>
>>> Here are the session logs [1] and [2].
>>> The interesting part is probably close to the end of both logs.
>>>
>>> [1] https://domac.alu.hr/mtodorov/ikev2-20220113-01.log
>>> [2] https://domac.alu.hr/mtodorov/ikev2-20220113-02.log
>>>
>>> I will supply more information as I am testing. I wonder if this is
>>> related to the removal of USE_DH2=true from the build, or whether the
>>> connection will be stable unless there is interference from another
>>> (Android) client. The Android device had also lost connectivity, though
>>> the wizard said "Connected".
>>>
>>> Hope this helps. I would have to revert to 4.5 and USE_DH2=true and
>>> I don't think it would be prudent to move it to the production VPN
>>> until we resolve such issues :-/
>>>
>>> The accountant guy would think I'm incompetent if his VPN connection
>>> breaks in the middle of accounting salaries :-(
>>>
>>> Any idea?
>>>
>>> Kind regards,
>>> Mirsad
>>>
>>> --
>>> Mirsad Goran Todorovac
>>> CARNet system engineer
>>> Faculty of Graphic Arts | Academy of Fine Arts
>>> University of Zagreb
>>
>
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
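An added diagnostic, not part of this thread and not libreswan's own tooling: it parses `ipsec showstates` listings of the form quoted above and reports every established IKE SA that has lost the "newest" flag to a later IKE SA from the same peer address on the same connection instance, together with the child SAs hanging off it, whether they still run liveness, and their traffic counters. That is exactly the shape of the listing in the thread, where #80 (port 4500) stops being "newest" once #83 (port 46855) appears from the same address. The SAMPLE input is constructed from that listing (the archive renders "@" as " at "; real output uses "@"); the regexes assume IPv4 peers and the per-line layout shown here, and the names `parse_showstates`, `find_superseded_ike_sas` and `report` are this example's own.

```python
"""Flag IKE SAs in `ipsec showstates` output that were superseded by a later
SA from the same peer address (example code, not from libreswan)."""
import re
import sys
from collections import defaultdict

# State line, e.g.
# 000 #80: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 27299s; idle;
# Assumption: IPv4 peer, optional :port, flags separated by '; '.
STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)"(?P<inst>\[\d+\])? '
    r'(?P<peer>[^\s:]+)(?::(?P<port>\d+))? '
    r'(?P<state>STATE_\S+) \((?P<desc>[^)]*)\); (?P<rest>.*)$'
)
# Traffic line; the esp./tun. tokens are skipped, only the counters are kept.
TRAFFIC_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)"(?P<inst>\[\d+\])? (?P<peer>\S+) .*'
    r'Traffic: (?P<traffic>.*)$'
)

# Constructed sample modelled on the second listing in the thread.
SAMPLE = """\
000 #80: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 27299s; idle;
000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 28313s; IKE SA #80; idle;
000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164 esp.a8ff51a4@94.253.210.164 esp.303eb9bd@161.53.235.3 tun.0@94.253.210.164 tun.0@161.53.235.3 Traffic: ESPin=2MB ESPout=105MB ESPmax=0B
000 #83: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28745s; newest; idle;
000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 5s; EXPIRE in 28745s; newest; eroute owner; IKE SA #83; idle;
000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164 esp.cf38d849@94.253.210.164 esp.476cc068@161.53.235.3 tun.0@94.253.210.164 tun.0@161.53.235.3 Traffic: ESPin=145KB ESPout=10MB ESPmax=0B
"""


def parse_showstates(text):
    """Return {sa_number: record} with state, flags, parent IKE SA and traffic."""
    sas = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            flags = [f.strip() for f in m['rest'].split(';') if f.strip()]
            parent = None
            for f in flags:
                if f.startswith('IKE SA #'):
                    parent = int(f[len('IKE SA #'):])
            sas[int(m['sa'])] = {
                'sa': int(m['sa']),
                'conn': m['conn'] + (m['inst'] or ''),   # e.g. MYCONN-ikev2-cp[2]
                'peer': m['peer'],
                'port': int(m['port']) if m['port'] else None,
                'state': m['state'],
                'newest': 'newest' in flags,
                'eroute_owner': 'eroute owner' in flags,
                'liveness': any(f.startswith('LIVENESS') for f in flags),
                'ike_sa': parent,
                'traffic': {},
            }
            continue
        m = TRAFFIC_RE.match(line)
        if m and int(m['sa']) in sas:
            # "ESPin=2MB ESPout=105MB ESPmax=0B" -> dict of raw counter strings
            sas[int(m['sa'])]['traffic'] = dict(
                kv.split('=', 1) for kv in m['traffic'].split())
    return sas


def find_superseded_ike_sas(sas):
    """Group established IKE SAs by (connection instance, peer address) and
    report those without 'newest' while a sibling from the same address has it."""
    groups = defaultdict(list)
    for rec in sas.values():
        if rec['state'] == 'STATE_V2_ESTABLISHED_IKE_SA':
            groups[(rec['conn'], rec['peer'])].append(rec)
    findings = []
    for (conn, peer), ikes in groups.items():
        if len(ikes) < 2:
            continue
        newest = [r for r in ikes if r['newest']]
        for old in ikes:
            if old['newest']:
                continue
            children = [c for c in sas.values() if c['ike_sa'] == old['sa']]
            findings.append({
                'conn': conn, 'peer': peer,
                'stale_ike_sa': old['sa'], 'stale_port': old['port'],
                'newest_ike_sa': [n['sa'] for n in newest],
                'newest_port': [n['port'] for n in newest],
                'child_sas': [c['sa'] for c in children],
                'child_has_liveness': any(c['liveness'] for c in children),
                'child_traffic': {c['sa']: c['traffic'] for c in children},
            })
    return findings


def report(findings):
    """One human-readable line per finding."""
    return [
        f"{f['conn']} peer {f['peer']}: IKE SA #{f['stale_ike_sa']} "
        f"(port {f['stale_port']}) is no longer newest; superseded by "
        f"#{', #'.join(str(n) for n in f['newest_ike_sa'])} "
        f"(ports {f['newest_port']}); child SAs {f['child_sas']}, "
        f"liveness on child: {f['child_has_liveness']}, traffic: {f['child_traffic']}"
        for f in findings
    ]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    lines = report(find_superseded_ike_sas(parse_showstates(text)))
    for line in lines or ["no superseded IKE SAs found"]:
        print(line)
```

Run it as `ipsec showstates | python3 showstates_check.py` on the server, or without input to see it evaluate the constructed sample. The script only surfaces the pattern (two IKE SAs from one public address, the older one having lost "newest" and its child no longer running liveness); it does not claim why the older stream stopped, which is what the thread is asking about.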