I'm trying hard to resolve one issue with my strongSwan IKEv2 VPN.
I use Linux strongSwan U5.6.1/K3.10.0-862.el7.x86_64
installed on CentOS 7 and a few clients: Windows Server 2012 R2, Windows 10, Android.
The connection is established successfully, and when I connect with RDP to hosts in the remote network, everything works properly, but after a while ping packets stop passing and RDP tries to reconnect. Nothing works.
The VPN connection looks fine, with no evident problems, but I have to manually reconnect the VPN connection to reach the remote hosts again.
I can't find out where the problem is; I have been trying different settings in ipsec.conf,
but the problem remains. I have been looking for a similar problem, but still I haven't found anything.
Mostly people cannot connect or cannot route traffic, but nobody writes that everything is okay and then, after traffic has been sent, something happens and the traffic doesn't pass anymore.
Here is the status after the connection is established but is not working properly:
systemctl status strongswan
strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; vendor preset: disabled)
Active: active (running) since Вт 2018-06-26 16:07:58 MSK; 20h ago
Main PID: 18969 (starter)
CGroup: /system.slice/strongswan.service
├─18969 /usr/libexec/strongswan/starter --daemon charon --nofork
└─18979 /usr/libexec/strongswan/charon --debug-ike 1 --debug-knl 1 --debug-cfg 0
июн 27 12:09:02 ipsec charon[18979]: 07[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:09:22 ipsec charon[18979]: 09[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:09:42 ipsec charon[18979]: 07[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:10:02 ipsec charon[18979]: 14[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:10:22 ipsec charon[18979]: 11[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:10:42 ipsec charon[18979]: 06[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:11:02 ipsec charon[18979]: 05[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:11:22 ipsec charon[18979]: 07[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:11:42 ipsec charon[18979]: 11[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:12:02 ipsec charon[18979]: 06[IKE] sending keep alive to 192.168.0.1[4500]
Here is the log after the connection is established but is not working properly:
ipsec strongswan: 06[IKE] sending DPD request
ipsec strongswan: 06[ENC] generating INFORMATIONAL request 2 [ ]
ipsec strongswan: 06[NET] sending packet: from 192.168.0.32[4500] to 192.168.0.1[4500] (88 bytes)
ipsec strongswan: 08[NET] received packet: from 192.168.0.1[4500] to 192.168.0.32[4500] (88 bytes)
ipsec strongswan: 08[ENC] parsed INFORMATIONAL response 2 [ ]
ipsec strongswan: 07[NET] received packet: from 192.168.0.1[4500] to 192.168.0.32[4500] (88 bytes)
ipsec strongswan: 07[ENC] parsed INFORMATIONAL request 4 [ D ]
ipsec strongswan: 07[IKE] received DELETE for ESP CHILD_SA with SPI 8d1ef9b8
ipsec strongswan: 07[IKE] closing CHILD_SA IPSec-IKEv2{10} with SPIs c63d643e_i (0 bytes) 8d1ef9b8_o (0 bytes) and TS 0.0.0.0/0 === 10.20.30.1/32
ipsec strongswan: 07[IKE] sending DELETE for ESP CHILD_SA with SPI c63d643e
ipsec strongswan: 07[IKE] CHILD_SA closed
ipsec strongswan: 07[ENC] generating INFORMATIONAL response 4 [ D ]
ipsec strongswan: 07[NET] sending packet: from 192.168.0.32[4500] to 192.168.0.1[4500] (88 bytes)
ipsec strongswan: 12[NET] received packet: from 192.168.0.1[4500] to 192.168.0.32[4500] (264 bytes)
ipsec strongswan: 12[ENC] parsed CREATE_CHILD_SA request 5 [ SA No TSi TSr ]
ipsec strongswan: 12[IKE] CHILD_SA IPSec-IKEv2{11} established with SPIs cb1601b9_i 3ada8b16_o and TS 0.0.0.0/0 === 10.20.30.1/32
ipsec strongswan: 12[ENC] generating CREATE_CHILD_SA response 5 [ SA No TSi TSr ]
ipsec strongswan: 12[NET] sending packet: from 192.168.0.32[4500] to 192.168.0.1[4500] (216 bytes)
ipsec charon: 10[IKE] sending keep alive to 192.168.0.1[4500]
ipsec charon: 07[IKE] sending keep alive to 192.168.0.1[4500]
ipsec charon: 06[IKE] sending keep alive to 192.168.0.1[4500]
ipsec charon: 12[IKE] sending keep alive to 192.168.0.1[4500]
Here is the ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file
config setup
    charondebug="ike 1, knl 1, cfg 0"

conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.der
    right=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.20.30.0/24

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
    rightauthby2=pubkey
    rightsendcert=never
    eap_identity=%any

conn CiscoIPSec
    keyexchange=ikev1
    forceencaps=yes
    authby=xauthrsasig
    xauth=server
    auto=add
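The log in the question shows the interesting part: the peer sends a DELETE for the ESP CHILD_SA, the server closes a CHILD_SA whose counters read 0 bytes in both directions, and a new CHILD_SA is then established via CREATE_CHILD_SA while IKE keep-alives continue. Picking that sequence out of a long charon log by hand is tedious, so here is a small triage script. It is an added example, not code from the question or from the strongSwan project; it only knows the `[IKE]` message formats visible in the log above, and the sample lines embedded in it are constructed from those. Given a larger log, it reports every CHILD_SA that was closed, whether the close was requested by the peer (the DELETE names our outbound SPI), whether the SA had carried any traffic, and how many keep-alives and DPD requests the IKE_SA sent meanwhile.

```python
import re

# Constructed sample, in the charon log format shown in the question.
SAMPLE_LOG = """\
ipsec strongswan: 06[IKE] sending DPD request
ipsec strongswan: 07[IKE] received DELETE for ESP CHILD_SA with SPI 8d1ef9b8
ipsec strongswan: 07[IKE] closing CHILD_SA IPSec-IKEv2{10} with SPIs c63d643e_i (0 bytes) 8d1ef9b8_o (0 bytes) and TS 0.0.0.0/0 === 10.20.30.1/32
ipsec strongswan: 07[IKE] CHILD_SA closed
ipsec strongswan: 12[IKE] CHILD_SA IPSec-IKEv2{11} established with SPIs cb1601b9_i 3ada8b16_o and TS 0.0.0.0/0 === 10.20.30.1/32
ipsec charon: 10[IKE] sending keep alive to 192.168.0.1[4500]
ipsec charon: 07[IKE] sending keep alive to 192.168.0.1[4500]
"""

# Patterns for the charon [IKE] messages that describe the CHILD_SA lifecycle.
RE_ESTABLISHED = re.compile(
    r"CHILD_SA (?P<conn>\S+)\{(?P<uid>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o"
)
RE_CLOSING = re.compile(
    r"closing CHILD_SA (?P<conn>\S+)\{(?P<uid>\d+)\} with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i \((?P<bytes_in>\d+) bytes\) "
    r"(?P<spi_out>[0-9a-f]+)_o \((?P<bytes_out>\d+) bytes\)"
)
RE_PEER_DELETE = re.compile(r"received DELETE for ESP CHILD_SA with SPI (?P<spi>[0-9a-f]+)")
RE_KEEPALIVE = re.compile(r"sending keep alive to ")
RE_DPD = re.compile(r"sending DPD request")


def parse_events(log_text):
    """Turn raw charon lines into a list of lifecycle events (dicts with a 'kind' key)."""
    events = []
    for line in log_text.splitlines():
        if m := RE_ESTABLISHED.search(line):
            events.append({"kind": "established", **m.groupdict()})
        elif m := RE_CLOSING.search(line):
            d = m.groupdict()
            d["bytes_in"] = int(d["bytes_in"])
            d["bytes_out"] = int(d["bytes_out"])
            events.append({"kind": "closing", **d})
        elif m := RE_PEER_DELETE.search(line):
            events.append({"kind": "peer_delete", "spi": m.group("spi")})
        elif RE_KEEPALIVE.search(line):
            events.append({"kind": "keepalive"})
        elif RE_DPD.search(line):
            events.append({"kind": "dpd"})
    return events


def summarize(events):
    """Count CHILD_SA churn and explain each close: peer-requested? idle (0 bytes both ways)?"""
    # A DELETE from the peer carries the peer's inbound SPI, which is our outbound (_o) SPI.
    peer_deleted_spis = {e["spi"] for e in events if e["kind"] == "peer_delete"}
    summary = {
        "established": 0,
        "closed": 0,
        "closed_by_peer": 0,
        "closed_idle": 0,
        "keepalives": 0,
        "dpd_requests": 0,
        "findings": [],
    }
    for e in events:
        if e["kind"] == "established":
            summary["established"] += 1
        elif e["kind"] == "keepalive":
            summary["keepalives"] += 1
        elif e["kind"] == "dpd":
            summary["dpd_requests"] += 1
        elif e["kind"] == "closing":
            summary["closed"] += 1
            by_peer = e["spi_out"] in peer_deleted_spis
            idle = e["bytes_in"] == 0 and e["bytes_out"] == 0
            summary["closed_by_peer"] += by_peer
            summary["closed_idle"] += idle
            who = "peer requested the close" if by_peer else "closed locally"
            traffic = "no traffic in either direction" if idle else (
                f"{e['bytes_in']} bytes in / {e['bytes_out']} bytes out")
            summary["findings"].append(
                f"CHILD_SA {e['conn']}{{{e['uid']}}}: {who}; {traffic}")
    return summary


if __name__ == "__main__":
    for finding in summarize(parse_events(SAMPLE_LOG))["findings"]:
        print(finding)
```

Run it against the real log with `journalctl -u strongswan --no-pager | python3 childsa_triage.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; a run of closes that are all peer-requested and all idle, with keep-alives still flowing, points at the client tearing down and re-creating the ESP SA rather than at the IKE_SA or the tunnel path itself.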