Strongswan LTE connection re-establishing issue


Thank you for your help with my previous problem regarding Strongswan, and allow me to ask you for help once more. I have two networks connected to a Strongswan server via two Mikrotik routers. The first router is connected to the internet via a cable modem and the second one via an LTE mobile network. The IPsec and IKEv2 configurations of both routers are the same (except for the private network definition).

Mikrotik routers:

# CHILD_SA (ESP) proposal: the extra whitespace in "aes-128-   cbc" was an extraction artifact
/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=1h pfs-group=none
# IKEv2 peer: the Strongswan server, authenticated with a pre-shared key
/ip ipsec peer add address=87.236.194.196/32 dh-group=modp1024 enc-algorithm=aes-256 exchange-mode=ike2 lifetime=8h secret=XYZ
# tunnel policy: local LAN (192.168.XX.0/24) <-> server-side LAN (192.168.80.0/24)
/ip ipsec policy add dst-address=192.168.80.0/24 sa-dst-address=87.236.194.196 sa-src-address=0.0.0.0 src-address=192.168.XX.0/24 tunnel=yes

Strongswan server:

config setup
  charondebug="all"
  uniqueids=yes
  strictcrlpolicy=no

conn %default
  keyexchange=ikev2

conn tunnel
  reauth=no
  rightsendcert=never
  left=87.236.194.196
  leftsubnet=192.168.80.0/24
  right=%any
  rightsubnet=0.0.0.0/0
  keyingtries=0
  # ikelifetime applies to the IKE_SA, lifetime to the CHILD_SA
  ikelifetime=1h
  lifetime=8h
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  authby=secret
  auto=route
  type=tunnel

I am testing the reliability of these connections: I switch on the router, wait until the connection is established, start pinging from the server to the router, then switch off the router for a minute and switch it on again. With the router connected via the cable network it works as I expect: the router is unreachable from the moment I switch it off until it is switched on again and the connection is re-established, and then pinging continues after a little more than a minute.

Here is the log from server:

Jun 19 19:09:32 mvvk4-1 charon: 13[NET] received packet: from 89.102.219.9[4500] to 87.236.194.196[4500] (296 bytes)
Jun 19 19:09:32 mvvk4-1 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Jun 19 19:09:32 mvvk4-1 charon: 13[IKE] 89.102.219.9 is initiating an IKE_SA
Jun 19 19:09:32 mvvk4-1 charon: 13[IKE] remote host is behind NAT
Jun 19 19:09:32 mvvk4-1 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jun 19 19:09:32 mvvk4-1 charon: 13[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (312 bytes)
Jun 19 19:09:32 mvvk4-1 charon: 15[NET] received packet: from 89.102.219.9[4500] to 87.236.194.196[4500] (300 bytes)
Jun 19 19:09:32 mvvk4-1 charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr ]
Jun 19 19:09:32 mvvk4-1 charon: 15[CFG] looking for peer configs matching 87.236.194.196[%any]...89.102.219.9[192.168.1.137]
Jun 19 19:09:32 mvvk4-1 charon: 15[CFG] selected peer config 'tunnel'
Jun 19 19:09:32 mvvk4-1 charon: 15[IKE] authentication of '192.168.1.137' with pre-shared key successful
Jun 19 19:09:32 mvvk4-1 charon: 15[IKE] authentication of '87.236.194.196' (myself) with pre-shared key
Jun 19 19:09:32 mvvk4-1 charon: 15[IKE] IKE_SA tunnel[42] established between 87.236.194.196[87.236.194.196]...89.102.219.9[192.168.1.137]
Jun 19 19:09:32 mvvk4-1 charon: 15[IKE] scheduling rekeying in 2962s
Jun 19 19:09:32 mvvk4-1 charon: 15[IKE] maximum IKE_SA lifetime 3502s
Jun 19 19:09:32 mvvk4-1 charon: 15[IKE] CHILD_SA tunnel{58} established with SPIs c394e689_i 037ac6e1_o and TS 192.168.80.0/24 === 192.168.88.0/24
Jun 19 19:09:32 mvvk4-1 charon: 15[CFG] sending RADIUS Accounting-Request to server 'local'
Jun 19 19:09:32 mvvk4-1 charon: 15[CFG] received RADIUS Accounting-Response from server 'local'
Jun 19 19:09:32 mvvk4-1 charon: 15[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Jun 19 19:09:32 mvvk4-1 charon: 15[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (204 bytes)
Jun 19 19:10:16 mvvk4-1 charon: 05[IKE] sending DPD request
Jun 19 19:10:16 mvvk4-1 charon: 05[ENC] generating INFORMATIONAL request 0 [ ]
Jun 19 19:10:16 mvvk4-1 charon: 05[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (76 bytes)
Jun 19 19:10:20 mvvk4-1 charon: 15[IKE] retransmit 1 of request with message ID 0
Jun 19 19:10:20 mvvk4-1 charon: 15[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (76 bytes)
Jun 19 19:10:27 mvvk4-1 charon: 10[IKE] retransmit 2 of request with message ID 0
Jun 19 19:10:27 mvvk4-1 charon: 10[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (76 bytes)
Jun 19 19:10:40 mvvk4-1 charon: 05[IKE] retransmit 3 of request with message ID 0
Jun 19 19:10:40 mvvk4-1 charon: 05[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (76 bytes)
Jun 19 19:10:50 mvvk4-1 charon: 08[NET] received packet: from 89.102.219.9[4500] to 87.236.194.196[4500] (296 bytes)
Jun 19 19:10:50 mvvk4-1 charon: 08[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Jun 19 19:10:50 mvvk4-1 charon: 08[IKE] 89.102.219.9 is initiating an IKE_SA
Jun 19 19:10:50 mvvk4-1 charon: 08[IKE] remote host is behind NAT
Jun 19 19:10:50 mvvk4-1 charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jun 19 19:10:50 mvvk4-1 charon: 08[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (312 bytes)
Jun 19 19:10:50 mvvk4-1 charon: 14[NET] received packet: from 89.102.219.9[4500] to 87.236.194.196[4500] (300 bytes)
Jun 19 19:10:50 mvvk4-1 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr ]
Jun 19 19:10:50 mvvk4-1 charon: 14[CFG] looking for peer configs matching 87.236.194.196[%any]...89.102.219.9[192.168.1.137]
Jun 19 19:10:50 mvvk4-1 charon: 14[CFG] selected peer config 'tunnel'
Jun 19 19:10:50 mvvk4-1 charon: 14[IKE] authentication of '192.168.1.137' with pre-shared key successful
Jun 19 19:10:50 mvvk4-1 charon: 14[IKE] destroying duplicate IKE_SA for peer '192.168.1.137', received INITIAL_CONTACT
Jun 19 19:10:50 mvvk4-1 charon: 14[CFG] sending RADIUS Accounting-Request to server 'local'
Jun 19 19:10:51 mvvk4-1 charon: 14[CFG] received RADIUS Accounting-Response from server 'local'
Jun 19 19:10:51 mvvk4-1 charon: 14[IKE] authentication of '87.236.194.196' (myself) with pre-shared key
Jun 19 19:10:51 mvvk4-1 charon: 14[IKE] IKE_SA tunnel[43] established between 87.236.194.196[87.236.194.196]...89.102.219.9[192.168.1.137]
Jun 19 19:10:51 mvvk4-1 charon: 14[IKE] scheduling rekeying in 2673s
Jun 19 19:10:51 mvvk4-1 charon: 14[IKE] maximum IKE_SA lifetime 3213s
Jun 19 19:10:51 mvvk4-1 charon: 14[IKE] CHILD_SA tunnel{59} established with SPIs c962c381_i 04c993a8_o and TS 192.168.80.0/24 === 192.168.88.0/24
Jun 19 19:10:51 mvvk4-1 charon: 14[CFG] sending RADIUS Accounting-Request to server 'local'
Jun 19 19:10:51 mvvk4-1 charon: 14[CFG] received RADIUS Accounting-Response from server 'local'
Jun 19 19:10:51 mvvk4-1 charon: 14[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Jun 19 19:10:51 mvvk4-1 charon: 14[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (204 bytes)
Jun 19 19:11:39 mvvk4-1 charon: 12[IKE] sending DPD request
Jun 19 19:11:39 mvvk4-1 charon: 12[ENC] generating INFORMATIONAL request 0 [ ]
Jun 19 19:11:39 mvvk4-1 charon: 12[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (76 bytes)
Jun 19 19:11:39 mvvk4-1 charon: 07[NET] received packet: from 89.102.219.9[4500] to 87.236.194.196[4500] (108 bytes)
Jun 19 19:11:39 mvvk4-1 charon: 07[ENC] parsed INFORMATIONAL response 0 [ ]
Jun 19 19:12:09 mvvk4-1 charon: 12[IKE] sending DPD request

When I do the same thing with the router connected via the LTE network, the situation is completely different.

Here is the log after the router is switched on again after a delay of about a minute:

Jun 20 18:36:46 mvvk4-1 charon: 14[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Jun 20 18:36:46 mvvk4-1 charon: 14[IKE] 89.24.60.60 is initiating an IKE_SA
Jun 20 18:36:46 mvvk4-1 charon: 14[IKE] remote host is behind NAT
Jun 20 18:36:46 mvvk4-1 charon: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jun 20 18:36:46 mvvk4-1 charon: 14[NET] sending packet: from 87.236.194.196[4500] to 89.24.60.60[38055] (312 bytes)
Jun 20 18:36:46 mvvk4-1 charon: 13[NET] received packet: from 89.24.60.60[38055] to 87.236.194.196[4500] (332 bytes)
Jun 20 18:36:46 mvvk4-1 charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr ]
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] looking for peer configs matching 87.236.194.196[%any]...89.24.60.60[100.80.138.125]
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] selected peer config 'tunnel'
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] authentication of '100.80.138.125' with pre-shared key successful
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] authentication of '87.236.194.196' (myself) with pre-shared key
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] IKE_SA tunnel[75] established between 87.236.194.196[87.236.194.196]...89.24.60.60[100.80.138.125]
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] scheduling rekeying in 2874s
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] maximum IKE_SA lifetime 3414s
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] unable to install policy 192.168.80.0/24 === 192.168.150.0/24 out (mark 0/0x00000000) for reqid 53, the same policy for reqid 52 exists
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 in (mark 0/0x00000000) for reqid 53, the same policy for reqid 52 exists
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 fwd (mark 0/0x00000000) for reqid 53, the same policy for reqid 52 exists
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] unable to install policy 192.168.80.0/24 === 192.168.150.0/24 out (mark 0/0x00000000) for reqid 53, the same policy for reqid 52 exists
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 in (mark 0/0x00000000) for reqid 53, the same policy for reqid 52 exists
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 fwd (mark 0/0x00000000) for reqid 53, the same policy for reqid 52 exists
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] unable to install IPsec policies (SPD) in kernel
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 20 18:36:46 mvvk4-1 charon: 13[KNL] deleting policy 192.168.80.0/24 === 192.168.150.0/24 out failed, not found
Jun 20 18:36:46 mvvk4-1 charon: 13[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 in failed, not found
Jun 20 18:36:46 mvvk4-1 charon: 13[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 fwd failed, not found
Jun 20 18:36:46 mvvk4-1 charon: 13[KNL] deleting policy 192.168.80.0/24 === 192.168.150.0/24 out failed, not found
Jun 20 18:36:46 mvvk4-1 charon: 13[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 in failed, not found
Jun 20 18:36:46 mvvk4-1 charon: 13[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 fwd failed, not found
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] sending RADIUS Accounting-Request to server 'local'
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] received RADIUS Accounting-Response from server 'local'
Jun 20 18:36:46 mvvk4-1 charon: 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(TS_UNACCEPT) ]
Jun 20 18:36:46 mvvk4-1 charon: 13[NET] sending packet: from 87.236.194.196[4500] to 89.24.60.60[38055] (124 bytes)
Jun 20 18:36:51 mvvk4-1 charon: 10[NET] received packet: from 89.24.60.60[38055] to 87.236.194.196[4500] (252 bytes)
Jun 20 18:36:51 mvvk4-1 charon: 10[ENC] parsed CREATE_CHILD_SA request 2 [ No SA TSi TSr ]
Jun 20 18:36:51 mvvk4-1 charon: 10[CFG] unable to install policy 192.168.80.0/24 === 192.168.150.0/24 out (mark 0/0x00000000) for reqid 54, the same policy for reqid 52 exists
Jun 20 18:36:51 mvvk4-1 charon: 10[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 in (mark 0/0x00000000) for reqid 54, the same policy for reqid 52 exists
Jun 20 18:36:51 mvvk4-1 charon: 10[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 fwd (mark 0/0x00000000) for reqid 54, the same policy for reqid 52 exists
Jun 20 18:36:51 mvvk4-1 charon: 10[CFG] unable to install policy 192.168.80.0/24 === 192.168.150.0/24 out (mark 0/0x00000000) for reqid 54, the same policy for reqid 52 exists
Jun 20 18:36:51 mvvk4-1 charon: 10[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 in (mark 0/0x00000000) for reqid 54, the same policy for reqid 52 exists
Jun 20 18:36:51 mvvk4-1 charon: 10[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 fwd (mark 0/0x00000000) for reqid 54, the same policy for reqid 52 exists
Jun 20 18:36:51 mvvk4-1 charon: 10[IKE] unable to install IPsec policies (SPD) in kernel
Jun 20 18:36:51 mvvk4-1 charon: 10[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 20 18:36:51 mvvk4-1 charon: 10[KNL] deleting policy 192.168.80.0/24 === 192.168.150.0/24 out failed, not found
Jun 20 18:36:51 mvvk4-1 charon: 10[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 in failed, not found
Jun 20 18:36:51 mvvk4-1 charon: 10[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 fwd failed, not found
Jun 20 18:36:51 mvvk4-1 charon: 10[KNL] deleting policy 192.168.80.0/24 === 192.168.150.0/24 out failed, not found
Jun 20 18:36:51 mvvk4-1 charon: 10[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 in failed, not found
Jun 20 18:36:51 mvvk4-1 charon: 10[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 fwd failed, not found
Jun 20 18:36:51 mvvk4-1 charon: 10[ENC] generating CREATE_CHILD_SA response 2 [ N(TS_UNACCEPT) ]
Jun 20 18:36:51 mvvk4-1 charon: 10[NET] sending packet: from 87.236.194.196[4500] to 89.24.60.60[38055] (76 bytes)
Jun 20 18:36:56 mvvk4-1 charon: 06[NET] received packet: from 89.24.60.60[38055] to 87.236.194.196[4500] (268 bytes)
Jun 20 18:36:56 mvvk4-1 charon: 06[ENC] parsed CREATE_CHILD_SA request 3 [ No SA TSi TSr ]

Finally, after 5 retransmits, the new connection is established:

8:38:14 mvvk4-1 charon: 08[IKE] giving up after 5 retransmits
Jun 20 18:38:14 mvvk4-1 charon: 08[CFG] sending RADIUS Accounting-Request to server 'local'
Jun 20 18:38:14 mvvk4-1 charon: 08[CFG] received RADIUS Accounting-Response from server 'local'
Jun 20 18:38:17 mvvk4-1 charon: 09[NET] received packet: from 89.24.60.60[38055] to 87.236.194.196[4500] (252 bytes)
Jun 20 18:38:17 mvvk4-1 charon: 09[ENC] parsed CREATE_CHILD_SA request 19 [ No SA TSi TSr ]
Jun 20 18:38:17 mvvk4-1 charon: 09[IKE] CHILD_SA tunnel{71} established with SPIs c27e6319_i 04d17e54_o and TS 192.168.80.0/24 === 192.168.150.0/24
Jun 20 18:38:17 mvvk4-1 charon: 09[ENC] generating CREATE_CHILD_SA response 19 [ SA No TSi TSr ]
Jun 20 18:38:17 mvvk4-1 charon: 09[NET] sending packet: from 87.236.194.196[4500] to 89.24.60.60[38055] (204 bytes)
Jun 20 18:38:47 mvvk4-1 charon: 15[IKE] sending DPD request
Jun 20 18:38:47 mvvk4-1 charon: 15[ENC] generating INFORMATIONAL request 0 [ ]
Jun 20 18:38:47 mvvk4-1 charon: 15[NET] sending packet: from 87.236.194.196[4500] to 89.24.60.60[38055] (76 bytes)
Jun 20 18:38:47 mvvk4-1 charon: 16[NET] received packet: from 89.24.60.60[38055] to 87.236.194.196[4500] (92 bytes)
Jun 20 18:38:47 mvvk4-1 charon: 16[ENC] parsed INFORMATIONAL response 0 [ ]

but the router is still unreachable until the first rekeying of this new connection.

Could somebody be so kind as to help me solve this problem? Thank you in advance.

strongswan
asked on Server Fault Jun 20, 2018 by Petr W.
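The log lines above show the failure pattern that matters: a fresh IKE_SA comes up, but every CHILD_SA attempt is refused with "unable to install policy ... for reqid N, the same policy for reqid M exists", because the kernel policy belonging to an earlier CHILD_SA (reqid M) is still installed. The following script is an added triage example for this thread, not code from the question, the answer, or the strongSwan project. It parses charon syslog lines in the format shown above, extracts the stale reqid(s) a practitioner would go and look for with `ip xfrm policy` and `ip xfrm state`, counts the refused CHILD_SA attempts, and measures the outage between the first collision and the first CHILD_SA that finally comes up for the same traffic selector. The embedded sample log is abridged from the LTE log in the question; the year in the timestamps is not present in syslog and is therefore left at strptime's default, which is fine for computing deltas.

```python
"""Triage a strongSwan charon log for stale-kernel-policy CHILD_SA failures.

Added example for this thread. It assumes the syslog + charon line format seen in
the question ("Mon DD HH:MM:SS host charon: NN[SUB] message") and the wording of
charon's policy-collision, CHILD_SA and IKE_SA messages shown there.
"""
import re
from datetime import datetime

# Sample input: lines abridged from the LTE reconnect log in the question above.
SAMPLE_LOG = """\
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] IKE_SA tunnel[75] established between 87.236.194.196[87.236.194.196]...89.24.60.60[100.80.138.125]
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] unable to install policy 192.168.80.0/24 === 192.168.150.0/24 out (mark 0/0x00000000) for reqid 53, the same policy for reqid 52 exists
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 20 18:36:46 mvvk4-1 charon: 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(TS_UNACCEPT) ]
Jun 20 18:36:51 mvvk4-1 charon: 10[CFG] unable to install policy 192.168.80.0/24 === 192.168.150.0/24 out (mark 0/0x00000000) for reqid 54, the same policy for reqid 52 exists
Jun 20 18:36:51 mvvk4-1 charon: 10[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 20 18:38:14 mvvk4-1 charon: 08[IKE] giving up after 5 retransmits
Jun 20 18:38:17 mvvk4-1 charon: 09[IKE] CHILD_SA tunnel{71} established with SPIs c27e6319_i 04d17e54_o and TS 192.168.80.0/24 === 192.168.150.0/24
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ charon: "
    r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$"
)
COLLISION_RE = re.compile(
    r"unable to install policy (?P<sel>\S+ === \S+) (?P<dir>in|out|fwd) .*?"
    r"for reqid (?P<new>\d+), the same policy for reqid (?P<stale>\d+) exists"
)
CHILD_FAIL_RE = re.compile(r"failed to establish CHILD_SA, keeping IKE_SA")
CHILD_OK_RE = re.compile(
    r"CHILD_SA \S+\{(?P<n>\d+)\} established with SPIs (?P<spi_i>[0-9a-f]+)_i "
    r"(?P<spi_o>[0-9a-f]+)_o and TS (?P<sel>\S+ === \S+)"
)
IKE_OK_RE = re.compile(
    r"IKE_SA \S+\[(?P<n>\d+)\] established between (?P<me>\S+)\.\.\.(?P<peer>\S+)"
)


def parse_line(line):
    """Split one charon syslog line into timestamp, thread, subsystem and message.
    Returns None for lines that are not charon output."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, fine for deltas
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "thread": int(m.group("thread")), "sub": m.group("sub"), "msg": m.group("msg")}


def _selector_key(sel):
    """'A === B' (out) and 'B === A' (in/fwd) describe the same traffic: key on the unordered pair."""
    return frozenset(sel.split(" === "))


def triage(log_text):
    """Walk the log in order and report stale-policy collisions and the resulting outage."""
    ike_sas, collisions, stale, failures = [], [], set(), 0
    colliding_selectors = set()
    first_collision_ts = recovered = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        m = IKE_OK_RE.search(msg)
        if m:
            ike_sas.append((rec["ts"], int(m.group("n")), m.group("peer")))
            continue
        m = COLLISION_RE.search(msg)
        if m:
            collisions.append((rec["ts"], m.group("dir"), m.group("sel"), int(m.group("new")), int(m.group("stale"))))
            stale.add(int(m.group("stale")))
            colliding_selectors.add(_selector_key(m.group("sel")))
            if first_collision_ts is None:
                first_collision_ts = rec["ts"]
            continue
        if CHILD_FAIL_RE.search(msg):
            failures += 1
            continue
        m = CHILD_OK_RE.search(msg)
        # the first CHILD_SA that comes up for a selector that previously collided ends the outage
        if m and recovered is None and _selector_key(m.group("sel")) in colliding_selectors:
            recovered = (rec["ts"], int(m.group("n")), m.group("sel"))
    outage = None
    if first_collision_ts is not None and recovered is not None:
        outage = (recovered[0] - first_collision_ts).total_seconds()
    return {
        "ike_sas": ike_sas,                  # (ts, IKE_SA number, peer as logged)
        "collisions": collisions,            # (ts, direction, selector, new reqid, stale reqid)
        "stale_reqids": sorted(stale),       # reqids that still own a kernel policy
        "child_sa_failures": failures,
        "recovered": recovered,              # (ts, CHILD_SA number, selector) or None
        "outage_seconds": outage,
    }


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("IKE_SAs established:", [(n, peer) for _, n, peer in r["ike_sas"]])
    print("failed CHILD_SA attempts:", r["child_sa_failures"])
    for ts, d, sel, new, old in r["collisions"]:
        print(f"  {ts:%H:%M:%S} {d:>3} {sel}: reqid {new} blocked by stale reqid {old}")
    print("stale reqids to check in `ip xfrm policy` / `ip xfrm state`:", r["stale_reqids"])
    if r["recovered"]:
        print(f"recovered with CHILD_SA {{{r['recovered'][1]}}} after {r['outage_seconds']:.0f}s")
```

Run it against a full `journalctl -u strongswan` or `/var/log/syslog` extract instead of `SAMPLE_LOG`; a non-empty `stale_reqids` list with no matching entry in `ip xfrm state` points at an SPD entry the daemon never removed, which is what blocks every new CHILD_SA for that traffic selector until the old policy goes away.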

1 Answer


So, on Jessie I have completely removed the Strongswan 5.2.1 package and installed Strongswan 5.6.3 from source with the default ./configure options. The above-mentioned problem is completely fixed.

answered on Server Fault Jun 21, 2018 by Petr W.

User contributions licensed under CC BY-SA 3.0