[Swan] Libreswan 4.6: connection IKEv2 win10 to Linux freezes soon after Android device connects

Mirsad Goran Todorovac mirsad.todorovac at alu.hr
Fri Jan 14 10:21:31 EET 2022


P.S.

I am testing the stuff more thoroughly for interoperability. :-)

Apparently, it works like this compatibility matrix:

                        L2TP win10    L2TP Android   IKEv2 win10   IKEv2 Android   multiple L2TP   multiple IKEv2
                        connect       connect        connect       connect

4.5 USE_DH2=true        +             +              +             +               +               -
4.5 USE_DH2=false       not tested
4.6 USE_DH2=true        +             +              +             +               +               -
4.6 USE_DH2=false       +             -              +             +               +               -

Android includes testing both on Samsung Galaxy A22 5G phone and Tab S6 
Lite tablet.

Apparently, concurrent 4.5 USE_DH2=true or IKEv2 doesn't work either, so 
I may have to revert our accountant's settings to the L2TP 
connection, despite it being slower, for it seems awkward that I might 
preempt his accounting session while testing the stuff.

It seems that I rushed things a bit with the upgrade to IKEv2, 
thinking that it would be just as safe as the L2TP setup?
Is there something I'm doing wrong in the ikev2.conf below, or is it a 
bug in libreswan? It seems unlikely that such behavior was left 
unnoticed until now, but at least it appears that it is not a regression 
in 4.6 compared to 4.5. :-/

I hope this helps, and I am hoping there is a workaround or fix.
(I am currently testing concurrent L2TP from 3 devices for several hours 
...).

Kind regards,
Mirsad Todorovac

On 1/14/2022 7:08 AM, Mirsad Goran Todorovac wrote:
> Hello,
>
> I can confirm that the IKEv2 connection was alive for the entire night 
> of testing:
>
> 000 #80: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 
> STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 27522s; 
> newest; idle;
> 000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 
> STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 6s; 
> EXPIRE in 28536s; newest; eroute owner; IKE SA #80; idle;
> 000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164 
> esp.a8ff51a4 at 94.253.210.164 esp.303eb9bd at 161.53.235.3 
> tun.0 at 94.253.210.164 tun.0 at 161.53.235.3 Traffic: ESPin=1MB ESPout=41MB 
> ESPmax=0B
>
> Less than 10 seconds from initiating IKEv2 connection from the Android 
> tablet (Samsung Galaxy Tab S6 Lite), the connection was severed. But 
> both ends still think it is connected:
>
> 000 #80: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 
> STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 27299s; idle;
> 000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 
> STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 
> 28313s; IKE SA #80; idle;
> 000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164 
> esp.a8ff51a4 at 94.253.210.164 esp.303eb9bd at 161.53.235.3 
> tun.0 at 94.253.210.164 tun.0 at 161.53.235.3 Traffic: ESPin=2MB 
> ESPout=105MB ESPmax=0B
> 000 #83: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855 
> STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28745s; 
> newest; idle;
> 000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855 
> STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 5s; 
> EXPIRE in 28745s; newest; eroute owner; IKE SA #83; idle;
> 000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164 
> esp.cf38d849 at 94.253.210.164 esp.476cc068 at 161.53.235.3 
> tun.0 at 94.253.210.164 tun.0 at 161.53.235.3 Traffic: ESPin=145KB 
> ESPout=10MB ESPmax=0B
>
> Now I tested ping 8.8.8.8 and it is also down, while 
> whatismyipaddress.com shows that the Android tablet is connected. :-/
>
> The session log is here (only the interesting event, not the entire 
> night of testing): https://domac.alu.hr/mtodorov/ikev2-20220113-03.log
>
> After I reconnected Windows 10, the Android device appears to be kicked out ...
>
> But it isn't shown in `ipsec showstates`, as it still believes it has 
> connections to both devices:
>
> 000 #83: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855 
> STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28290s; idle;
> 000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855 
> STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 
> 28290s; IKE SA #83; idle;
> 000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164 
> esp.cf38d849 at 94.253.210.164 esp.476cc068 at 161.53.235.3 
> tun.0 at 94.253.210.164 tun.0 at 161.53.235.3 Traffic: ESPin=864KB 
> ESPout=12MB ESPmax=0B
> 000 #86: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 
> STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28667s; 
> newest; idle;
> 000 #87: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 
> STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 17s; 
> EXPIRE in 28667s; newest; eroute owner; IKE SA #86; idle;
> 000 #87: "MYCONN-ikev2-cp"[2] 94.253.210.164 
> esp.2dcf960 at 94.253.210.164 esp.ea55d21d at 161.53.235.3 
> tun.0 at 94.253.210.164 tun.0 at 161.53.235.3 Traffic: ESPin=2MB ESPout=9MB 
> ESPmax=0B
>
> On average, we will have only one user on the VPN most of the time, 
> but two accountants could accidentally kick each other out, couldn't 
> they?
>
> I hope any of this helps.
>
> BTW, Android L2TP connection tested with 4.5 USE_DH2=true did not 
> connect from Android, while it did from Windows 10. I would like to 
> have them all running stable and symmetrically.
>
> Kind regards,
> Mirsad Todorovac
>
> On 1/13/2022 11:36 PM, Mirsad Goran Todorovac wrote:
>> Hello,
>>
>> I tried to summarize in the title, and so far I have been able to 
>> associate the teardown of the Windows 10 data stream with a simultaneous 
>> IKEv2 connection that came in during the test signal (live TV stream) 
>> from an Android tablet to our test Linux server.
>>
>> The Windows laptop had neither a realtime stream nor DNS resolution. 
>> I did not check ping, but from the symptoms I suspect it wouldn't pass 
>> either.
>>
>> This time I compiled without the USE_DH2=true and used it with 
>> ms-dh-downgrade=true.
>>
>> conn MYCONN-ikev2-cp
>>         # The server's actual IP goes here - not elastic IPs
>>         left=161.53.235.3
>>         leftcert=vpn.alu.hr
>>         leftid=@vpn.alu.hr
>>         leftsendcert=always
>>         leftsubnet=0.0.0.0/0
>>         leftrsasigkey=%cert
>>         # Clients
>>         right=%any
>>         # your addresspool to use - you might need NAT rules if providing full internet to clients
>>         rightaddresspool=192.168.101.10-192.168.101.253
>>         # optional rightid with restrictions
>>         rightid="O=ALU-UNIZG,CN=win7client.alu.hr"
>>         rightca=%same
>>         rightrsasigkey=%cert
>>         #
>>         # connection configuration
>>         # DNS servers for clients to use
>>         modecfgdns=8.8.8.8,192.168.100.1
>>         # Versions up to 3.22 used modecfgdns1 and modecfgdns2
>>         #modecfgdns1=8.8.8.8
>>         #modecfgdns2=193.110.157.123
>>         narrowing=yes
>>         # recommended dpd/liveness to cleanup vanished clients
>>         dpddelay=30
>>         dpdtimeout=120
>>         dpdaction=clear
>>         auto=add
>>         ikev2=insist
>>         rekey=no
>>         esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1
>>         # esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
>>         # ikev2 fragmentation support requires libreswan 3.14 or newer
>>         fragmentation=yes
>>         # optional PAM username verification (eg to implement bandwidth quota)
>>         # pam-authorize=yes
>>         ms-dh-downgrade=yes
>>         authby=rsa-sha1
>>
>> Both `ipsec showstates` and Windows 10 did not reflect that the 
>> data stream was interrupted, and neither did Android.
>>
>> Here are session log [1] and log [2].
>> The interesting part is probably close to the end of both logs.
>>
>> [1] https://domac.alu.hr/mtodorov/ikev2-20220113-01.log
>> [2] https://domac.alu.hr/mtodorov/ikev2-20220113-02.log
>>
>> I will supply more information as I am testing. I wonder if this is 
>> related to the removal of USE_DH2=true from the compilation, or whether the 
>> connection will be stable unless there is interference from another 
>> (Android) client. The Android had also lost connectivity, though the 
>> wizard said "Connected".
>>
>> Hope this helps. I would have to revert to 4.5 and USE_DH2=true, and I 
>> don't think it would be prudent to move it to the production VPN 
>> until we resolve such issues :-/
>>
>> The accountant guy would think I'm incompetent if his VPN connection 
>> breaks in the middle of accounting salaries :-(
>>
>> Any idea?
>>
>> Kind regards,
>> Mirsad
>>

-- 
Mirsad Goran Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
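As an added diagnostic (not the author's code and not part of libreswan), the script below parses the `ipsec showstates` lines quoted in this thread and reports peers that hold more than one established IKE SA, singling out the older IKE SA that has lost its `newest` and `LIVENESS` markers yet still prints as established; the sample input is constructed from the quoted output, re-joined onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample input: the `ipsec showstates` lines quoted in this thread,
# re-joined onto single lines (the mail client wrapped them); traffic lines omitted.
SHOWSTATES = """\
000 #80: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 27299s; idle;
000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 28313s; IKE SA #80; idle;
000 #83: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28745s; newest; idle;
000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 5s; EXPIRE in 28745s; newest; eroute owner; IKE SA #83; idle;
"""
# One SA per line: state number, connection name, instance, peer IP:port, state, flags.
STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
    r'(?P<peer>[\d.]+):(?P<port>\d+) (?P<state>STATE_V2_ESTABLISHED_(?:IKE|CHILD)_SA) '
    r'\([^)]*\); (?P<flags>.*)$'
)

def parse_states(text):
    """Map state number -> fields for every established IKE/Child SA line."""
    sas = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # traffic-summary and other lines carry no SA state
        f = m.groupdict()
        flags = [x.strip() for x in f.pop("flags").split(";") if x.strip()]
        f["sa"] = int(f["sa"])
        f["newest"] = "newest" in flags
        f["liveness"] = any(x.startswith("LIVENESS") for x in flags)
        parent = [x for x in flags if x.startswith("IKE SA #")]
        f["ike_sa"] = int(parent[0].split("#")[1]) if parent else None
        sas[f["sa"]] = f
    return sas

def stale_ike_sas(text):
    """Per (conn, instance, peer IP) holding more than one established IKE SA, list the
    IKE SAs that are not 'newest' and whose Child SA shows no LIVENESS timer."""
    sas = parse_states(text)
    children = {c["ike_sa"]: c for c in sas.values() if c["state"].endswith("CHILD_SA")}
    by_peer = defaultdict(list)
    for s in sas.values():
        if s["state"].endswith("IKE_SA"):
            by_peer[(s["conn"], s["inst"], s["peer"])].append(s)
    return {
        key: sorted(i["sa"] for i in ikes
                    if not i["newest"] and not children.get(i["sa"], {}).get("liveness"))
        for key, ikes in by_peer.items() if len(ikes) > 1
    }
```

Feed it the real output with `stale_ike_sas(subprocess.check_output(["ipsec", "showstates"], text=True))`; a non-empty result means a second client behind the same NAT address has superseded an earlier one that the server still lists as established.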
