LinuxQuestions.org
Old 02-06-2017, 05:48 AM   #1
KatrinAlec
Member
 
Registered: Feb 2012
Posts: 116

Rep: Reputation: 13
ipsec strongswan connection disconnects


My StrongSwan ipsec tunnel disconnects and doesn't reconnect.
I can't find out why it doesn't hold the connection forever or at least tries to reconnect.

If I restart ipsec it connects, but after some hours it's down again.
According to ipsec status it doesn't even try to connect.

I thought
auto=start would make it connect and
dpdaction=restart would make it reconnect.

If I start the connection with "ipsec add" it works immediately.


Code:
root@TDTErsatz:/home/katrin# ipsec status
Security Associations (0 up, 0 connecting):
  none
Here is ipsec statusall:

Code:
root@TDTErsatz:/home/katrin# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-686-pae, i686):
  uptime: 5 days, since Feb 01 12:17:23 2017
  malloc: sbrk 729088, mmap 0, used 157968, free 571120
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default stroke updown
Listening IP addresses:
  192.168.1.11
  192.168.4.1
Connections:
      katrin:  192.168.1.11...x.x.x.x  IKEv1, dpddelay=10s
      katrin:   local:  [Debian] uses pre-shared key authentication
      katrin:   remote: [TDT] uses pre-shared key authentication
      katrin:   child:  192.168.0.0/24 === 192.168.2.0/24 TUNNEL, dpdaction=restart
     katrin2:  192.168.1.11...x.x.x.x  IKEv1, dpddelay=10s
     katrin2:   local:  [Debian2] uses pre-shared key authentication
     katrin2:   remote: [TDT2] uses pre-shared key authentication
     katrin2:   child:  192.168.10.0/24 === 192.168.12.0/24 TUNNEL, dpdaction=restart
Security Associations (0 up, 0 connecting):
  none
and here is ipsec.conf:

Code:
root@TDTErsatz:/home/katrin# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

conn %default
        ikelifetime=8h
        lifetime=1h
        keyexchange=ikev1
        authby=secret
        rekey=yes
        reauth=yes
        dpddelay=10s
        dpdtimeout=100s
        dpdaction=restart
        keyingtries=0

conn katrin
        left=192.168.1.11
        leftid=@Debian
        right=x.x.x.x
        rightid=@TDT
        leftsubnet=192.168.0.1/24
        rightsubnet=192.168.2.1/24
        leftfirewall=yes
        lefthostaccess=yes
        auto=start
        ike=aes128-md5-modp1024
        esp=aes128-md5-modp1024
        closeaction=restart

conn katrin2
        left=192.168.1.11
        leftid=@Debian2
        right=x.x.x.x
        rightid=@TDT2
        leftsubnet=192.168.10.1/24
        rightsubnet=192.168.12.1/24
        leftfirewall=yes
        lefthostaccess=yes
        auto=start
        ike=aes128-md5-modp1024
        esp=aes128-md5-modp1024
        closeaction=restart

include /var/lib/strongswan/ipsec.conf.inc
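The check this post is really asking for, added here as an example (it is not from the original post and not part of strongSwan): parse ipsec.conf for conns that end up with auto=start (directly or inherited from conn %default), then compare them against `ipsec status` and flag any that show no ESTABLISHED IKE_SA. Run periodically from cron, that would raise the "0 up, 0 connecting" state shown above instead of leaving it to be noticed by hand. The sample config and status outputs are constructed from the shapes posted here; the conn manual-only, and the SA numbers, SPIs and peer addresses in the healthy status sample, are made up.

```python
import re

# Constructed sample in the shape of the ipsec.conf posted above: two IKEv1
# conns inheriting auto-related settings from %default, plus one made-up
# auto=add conn that is expected to stay down until loaded by hand.
SAMPLE_IPSEC_CONF = """\
config setup
        # uniqueids = no

conn %default
        keyexchange=ikev1
        dpdaction=restart
        keyingtries=0

conn katrin
        left=192.168.1.11
        right=x.x.x.x
        leftsubnet=192.168.0.0/24
        auto=start

conn katrin2
        left=192.168.1.11
        right=x.x.x.x
        auto=start

conn manual-only
        left=192.168.1.11
        right=x.x.x.x
        auto=add

include /var/lib/strongswan/ipsec.conf.inc
"""

# `ipsec status` exactly as shown in the thread while the tunnels were down.
SAMPLE_STATUS_DOWN = """\
Security Associations (0 up, 0 connecting):
  none
"""

# Constructed `ipsec status` output for the healthy case (stroke-style layout;
# SA numbers, SPIs and peer addresses are made up).
SAMPLE_STATUS_UP = """\
Security Associations (2 up, 0 connecting):
      katrin[57]: ESTABLISHED 12 minutes ago, 192.168.1.11[Debian]...80.0.0.1[TDT]
      katrin{13}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c1234567_i c7654321_o
      katrin{13}:   192.168.0.0/24 === 192.168.2.0/24
     katrin2[58]: ESTABLISHED 12 minutes ago, 192.168.1.11[Debian2]...80.0.0.2[TDT2]
"""

SUMMARY_RE = re.compile(r'Security Associations \((\d+) up, (\d+) connecting\)')
IKE_SA_RE = re.compile(r'^\s*([\w.-]+)\[\d+\]:\s+([A-Z_]+)')   # "name[N]: STATE ..."


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every conn section, with the
    settings of 'conn %default' merged into each conn (conn-local keys win)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                 # section header at column 0
            parts = line.split(None, 1)
            if parts[0] == 'conn' and len(parts) == 2:
                current = parts[1].strip()
                sections[current] = {}
            else:                                # 'config setup', 'include ...'
                current = None
            continue
        if current is None or '=' not in line:
            continue
        key, value = line.split('=', 1)          # split on the first '=' only
        sections[current][key.strip()] = value.strip()
    default = sections.pop('%default', {})
    return {name: {**default, **settings} for name, settings in sections.items()}


def parse_ipsec_status(text):
    """Return (up, connecting, {conn_name: set of IKE_SA states}) from
    `ipsec status` output. CHILD_SA lines (name{N}) are ignored here."""
    m = SUMMARY_RE.search(text)
    if m is None:
        raise ValueError('no "Security Associations" summary line found')
    states = {}
    for line in text.splitlines():
        im = IKE_SA_RE.match(line)
        if im:
            states.setdefault(im.group(1), set()).add(im.group(2))
    return int(m.group(1)), int(m.group(2)), states


def missing_tunnels(conf_text, status_text):
    """Names of conns that are auto=start but have no ESTABLISHED IKE_SA:
    the 'configured to be up, yet down and not even connecting' condition."""
    conns = parse_ipsec_conf(conf_text)
    _up, _connecting, states = parse_ipsec_status(status_text)
    return sorted(name for name, settings in conns.items()
                  if settings.get('auto') == 'start'
                  and 'ESTABLISHED' not in states.get(name, set()))


if __name__ == '__main__':
    # Real use: open('/etc/ipsec.conf').read() and the stdout of `ipsec status`.
    for label, status in (('down', SAMPLE_STATUS_DOWN), ('up', SAMPLE_STATUS_UP)):
        print(label, 'missing:', missing_tunnels(SAMPLE_IPSEC_CONF, status))
```

A non-empty result from missing_tunnels() is the condition to alert on (or to hand to a restart job); an empty result with a non-zero "connecting" count is a different, transient state and is deliberately not reported.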
 
Old 02-06-2017, 08:15 AM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,679
Blog Entries: 4

Rep: Reputation: 3947
The operative question is: "What is in the log files?" (Look in /var/log someplace ...)
 
Old 02-08-2017, 08:26 AM   #3
KatrinAlec
Member
 
Registered: Feb 2012
Posts: 116

Original Poster
Rep: Reputation: 13
You mean in /var/log/messages or syslog?

I'll have to have a look next time the tunnel disconnects.

I don't think there was anything helpful though.
 
Old 02-08-2017, 09:36 AM   #4
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,679
Blog Entries: 4

Rep: Reputation: 3947
There ought to be something in there now – or, if you're using logrotate, in one of the recent compressed log-files.

grep -i swan might be your best friend to look for the presence of messages that might be relevant. If any daemon "dropped a connection," it should have said something somewhere.

I don't know if Swan keeps its own log-files somewhere else (undoubtedly in /var/log), but its configuration file should point out the proper location.
 
Old 02-10-2017, 08:08 AM   #5
KatrinAlec
Member
 
Registered: Feb 2012
Posts: 116

Original Poster
Rep: Reputation: 13
Right now the tunnels are still up.
Have been now for two days at least.
I'll check on Monday if they're still up.
 
Old 02-13-2017, 02:25 AM   #6
KatrinAlec
Member
 
Registered: Feb 2012
Posts: 116

Original Poster
Rep: Reputation: 13
Today the tunnels are down again.
Code:
/home/katrin# ipsec status
Security Associations (0 up, 0 connecting):
  none
Since they were still up on the 10th, here are the logs since then:
/var/log/messages:

Code:
Feb 10 06:25:04 TDTErsatz rsyslogd: [origin software="rsyslogd" swVersion="8.4.2" x-pid="497" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Feb 10 06:25:06 TDTErsatz rsyslogd0: action 'action 17' resumed (module 'builtin:ompipe') [try http://www.rsyslog.com/e/0 ]
Feb 10 06:25:06 TDTErsatz rsyslogd-2359: action 'action 17' resumed (module 'builtin:ompipe') [try http://www.rsyslog.com/e/2359 ]
Feb 10 06:33:56 TDTErsatz rsyslogd-2007: action 'action 17' suspended, next retry is Fri Feb 10 06:34:26 2017 [try http://www.rsyslog.com/e/2007 ]
Feb 11 01:53:57 TDTErsatz vpn: - TDT2 192.168.12.0/24 == 80.xxx.xxx.xxx -- 192.168.1.11 == 192.168.10.0/24
Feb 11 06:25:04 TDTErsatz rsyslogd: [origin software="rsyslogd" swVersion="8.4.2" x-pid="497" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Feb 11 06:25:57 TDTErsatz rsyslogd0: action 'action 17' resumed (module 'builtin:ompipe') [try http://www.rsyslog.com/e/0 ]
Feb 11 06:25:57 TDTErsatz rsyslogd-2359: action 'action 17' resumed (module 'builtin:ompipe') [try http://www.rsyslog.com/e/2359 ]
Feb 11 06:45:20 TDTErsatz rsyslogd-2007: action 'action 17' suspended, next retry is Sat Feb 11 06:45:50 2017 [try http://www.rsyslog.com/e/2007 ]
Feb 11 17:35:08 TDTErsatz vpn: - TDT 192.168.2.0/24 == 80.xxx.xxx.xxx -- 192.168.1.11 == 192.168.0.0/24
Feb 12 06:25:05 TDTErsatz rsyslogd: [origin software="rsyslogd" swVersion="8.4.2" x-pid="497" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Feb 12 06:47:01 TDTErsatz rsyslogd0: action 'action 17' resumed (module 'builtin:ompipe') [try http://www.rsyslog.com/e/0 ]
Feb 12 06:47:01 TDTErsatz rsyslogd-2359: action 'action 17' resumed (module 'builtin:ompipe') [try http://www.rsyslog.com/e/2359 ]
Feb 13 06:25:04 TDTErsatz rsyslogd: [origin software="rsyslogd" swVersion="8.4.2" x-pid="497" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Feb 13 06:25:05 TDTErsatz rsyslogd: [origin software="rsyslogd" swVersion="8.4.2" x-pid="497" x-info="http://www.rsyslog.com"] rsyslogd was HUPed

/var/log/syslog:
From this I assume the problem occurs at 17:35 on the 11th.

Code:
Feb 11 17:35:02 TDTErsatz charon: 11[NET] sending packet: from 192.168.1.11[4500] to 80.xxx.xxx.xxx[4500] (92 bytes)
Feb 11 17:35:08 TDTErsatz charon: 08[IKE] closing CHILD_SA katrin{12} with SPIs ccad02e1_i (32745 bytes) fe72fc0d_o (26400 bytes) and TS 192.168.0.0/24 === 192.168.2.0/24
Feb 11 17:35:08 TDTErsatz charon: 08[IKE] sending DELETE for ESP CHILD_SA with SPI ccad02e1
Feb 11 17:35:08 TDTErsatz charon: 08[ENC] generating INFORMATIONAL_V1 request 2657066049 [ HASH D ]
Feb 11 17:35:08 TDTErsatz charon: 08[NET] sending packet: from 192.168.1.11[4500] to xxx.xxx.xxx.xxx[4500] (76 bytes)
Feb 11 17:35:08 TDTErsatz charon: 08[IKE] closing CHILD_SA katrin{12} with SPIs c3f78c09_i (8545 bytes) fe73085f_o (6880 bytes) and TS 192.168.0.0/24 === 192.168.2.0/24
Feb 11 17:35:08 TDTErsatz vpn: - TDT 192.168.2.0/24 == 80.xxx.xxx.xxx -- 192.168.1.11 == 192.168.0.0/24
Feb 11 17:35:08 TDTErsatz charon: 08[IKE] sending DELETE for ESP CHILD_SA with SPI c3f78c09
Feb 11 17:35:08 TDTErsatz charon: 08[ENC] generating INFORMATIONAL_V1 request 2792505554 [ HASH D ]
Feb 11 17:35:08 TDTErsatz charon: 08[NET] sending packet: from 192.168.1.11[4500] to 80.xxx.xxx.xxx[4500] (76 bytes)
Feb 11 17:35:08 TDTErsatz charon: 08[IKE] deleting IKE_SA katrin[56] between 192.168.1.11[Debian]...80.xxx.xxx.xxx[TDT]
Feb 11 17:35:08 TDTErsatz charon: 08[IKE] sending DELETE for IKE_SA katrin[56]
Feb 11 17:35:08 TDTErsatz charon: 08[ENC] generating INFORMATIONAL_V1 request 573093845 [ HASH D ]
Feb 11 17:35:08 TDTErsatz charon: 08[NET] sending packet: from 192.168.1.11[4500] to 80.xxx.xxx.xxx[4500] (92 bytes)
Feb 11 18:17:01 TDTErsatz CRON[5435]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Feb 11 19:17:01 TDTErsatz CRON[5779]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Feb 11 20:17:01 TDTErsatz CRON[6144]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Feb 11 21:17:01 TDTErsatz CRON[6506]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Feb 11 22:17:01 TDTErsatz CRON[6850]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Feb 11 23:17:01 TDTErsatz CRON[7168]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Nothing new after this.

/var/log/auth:

Code:
Feb 11 16:09:27 TDTErsatz charon: 11[IKE] closing CHILD_SA katrin{12} with SPIs c80b54cc_i (29433 bytes) fe72cd55_o (23724 bytes) and TS 192.168.0.0/24 === 192.168.2.0/24
Feb 11 16:17:01 TDTErsatz CRON[4732]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 11 16:17:01 TDTErsatz CRON[4732]: pam_unix(cron:session): session closed for user root
Feb 11 16:36:23 TDTErsatz charon: 15[IKE] CHILD_SA katrin{12} established with SPIs ccad02e1_i fe72fc0d_o and TS 192.168.0.0/24 === 192.168.2.0/24
Feb 11 16:51:38 TDTErsatz charon: 04[IKE] closing CHILD_SA katrin{12} with SPIs c03ab66b_i (30709 bytes) fe72e3e4_o (24736 bytes) and TS 192.168.0.0/24 === 192.168.2.0/24
Feb 11 17:17:01 TDTErsatz CRON[5076]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 11 17:17:01 TDTErsatz CRON[5076]: pam_unix(cron:session): session closed for user root
Feb 11 17:22:51 TDTErsatz charon: 07[IKE] CHILD_SA katrin{12} established with SPIs c3f78c09_i fe73085f_o and TS 192.168.0.0/24 === 192.168.2.0/24
Feb 11 17:35:08 TDTErsatz charon: 08[IKE] closing CHILD_SA katrin{12} with SPIs ccad02e1_i (32745 bytes) fe72fc0d_o (26400 bytes) and TS 192.168.0.0/24 === 192.168.2.0/24
Feb 11 17:35:08 TDTErsatz charon: 08[IKE] closing CHILD_SA katrin{12} with SPIs c3f78c09_i (8545 bytes) fe73085f_o (6880 bytes) and TS 192.168.0.0/24 === 192.168.2.0/24
Feb 11 17:35:08 TDTErsatz charon: 08[IKE] deleting IKE_SA katrin[56] between 192.168.1.11[Debian]...80.xxx.xxx.xxx[TDT]
Feb 11 18:17:01 TDTErsatz CRON[5434]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 11 18:17:01 TDTErsatz CRON[5434]: pam_unix(cron:session): session closed for user root
Feb 11 19:17:01 TDTErsatz CRON[5778]: pam_unix(cron:session): session opened for user root by (uid=0)
17:35 - deleting IKE_SA - but why?


Anything else I could look up?
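To go with the grep -i swan advice in #4 and the log excerpts in #6, here is an added example (not from the thread, not strongSwan's own tooling) that reads charon's [IKE] lines from syslog or auth.log, builds a per-connection timeline of SA events, and reports connections whose last event is "deleting IKE_SA" with nothing established for them afterwards, which is the 17:35:08 pattern above. The katrin lines in the sample are cut from the excerpts in #6 (addresses masked as posted); the katrin2 lines are made up to show what a successful dpdaction=restart would have logged, so the two cases can be told apart.

```python
import re
from datetime import datetime

# Constructed sample: katrin lines cut from the syslog/auth.log excerpts in the
# thread; the katrin2 lines are made up to show a teardown that IS followed by
# a fresh IKE_SA and CHILD_SA a few seconds later.
SAMPLE_LOG = """\
Feb 11 16:09:27 TDTErsatz charon: 11[IKE] closing CHILD_SA katrin{12} with SPIs c80b54cc_i (29433 bytes) fe72cd55_o (23724 bytes) and TS 192.168.0.0/24 === 192.168.2.0/24
Feb 11 16:17:01 TDTErsatz CRON[4732]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 11 16:36:23 TDTErsatz charon: 15[IKE] CHILD_SA katrin{12} established with SPIs ccad02e1_i fe72fc0d_o and TS 192.168.0.0/24 === 192.168.2.0/24
Feb 11 17:22:51 TDTErsatz charon: 07[IKE] CHILD_SA katrin{12} established with SPIs c3f78c09_i fe73085f_o and TS 192.168.0.0/24 === 192.168.2.0/24
Feb 11 17:35:08 TDTErsatz charon: 08[IKE] closing CHILD_SA katrin{12} with SPIs ccad02e1_i (32745 bytes) fe72fc0d_o (26400 bytes) and TS 192.168.0.0/24 === 192.168.2.0/24
Feb 11 17:35:08 TDTErsatz charon: 08[IKE] closing CHILD_SA katrin{12} with SPIs c3f78c09_i (8545 bytes) fe73085f_o (6880 bytes) and TS 192.168.0.0/24 === 192.168.2.0/24
Feb 11 17:35:08 TDTErsatz charon: 08[IKE] deleting IKE_SA katrin[56] between 192.168.1.11[Debian]...80.xxx.xxx.xxx[TDT]
Feb 11 17:40:00 TDTErsatz charon: 09[IKE] deleting IKE_SA katrin2[57] between 192.168.1.11[Debian2]...80.xxx.xxx.xxx[TDT2]
Feb 11 17:40:03 TDTErsatz charon: 10[IKE] IKE_SA katrin2[58] established between 192.168.1.11[Debian2]...80.xxx.xxx.xxx[TDT2]
Feb 11 17:40:03 TDTErsatz charon: 10[IKE] CHILD_SA katrin2{14} established with SPIs c0000001_i c0000002_o and TS 192.168.10.0/24 === 192.168.12.0/24
Feb 11 18:17:01 TDTErsatz CRON[5434]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# "<timestamp> <host> charon: <thread>[IKE] <message>"; [NET]/[ENC] lines are skipped.
CHARON_IKE_RE = re.compile(
    r'^(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ charon: \d+\[IKE\] (.*)$')

# SA lifecycle messages, each capturing the conn name.
EVENT_RES = (
    ('ike_up',     re.compile(r'^IKE_SA ([\w.-]+)\[\d+\] established')),
    ('ike_down',   re.compile(r'^deleting IKE_SA ([\w.-]+)\[\d+\]')),
    ('child_up',   re.compile(r'^CHILD_SA ([\w.-]+)\{\d+\} established')),
    ('child_down', re.compile(r'^closing CHILD_SA ([\w.-]+)\{\d+\}')),
)


def ike_events(lines, year):
    """Yield (timestamp, conn, kind) for every SA lifecycle message.
    Syslog timestamps carry no year, so the caller supplies it."""
    for line in lines:
        m = CHARON_IKE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f'{year} {m.group(1)}', '%Y %b %d %H:%M:%S')
        for kind, rx in EVENT_RES:
            em = rx.match(m.group(2))
            if em:
                yield ts, em.group(1), kind
                break


def summarize(lines, year):
    """Per-conn count of each event kind, e.g. to spot rekey churn."""
    counts = {}
    for _ts, conn, kind in ike_events(lines, year):
        counts.setdefault(conn, {k: 0 for k, _ in EVENT_RES})[kind] += 1
    return counts


def unrecovered_teardowns(lines, year):
    """Map conn -> ISO timestamp of its last 'deleting IKE_SA' when nothing for
    that conn was established afterwards. With dpdaction=restart or
    closeaction=restart configured, an entry here means charon tore the tunnel
    down and never brought it back."""
    last_down, last_up = {}, {}
    for ts, conn, kind in ike_events(lines, year):
        if kind == 'ike_down':
            last_down[conn] = ts
        elif kind in ('ike_up', 'child_up'):
            last_up[conn] = ts
    return {conn: ts.isoformat() for conn, ts in last_down.items()
            if conn not in last_up or last_up[conn] < ts}


if __name__ == '__main__':
    # Real use: with open('/var/log/syslog') as f: unrecovered_teardowns(f, 2017)
    print(summarize(SAMPLE_LOG.splitlines(), 2017))
    print(unrecovered_teardowns(SAMPLE_LOG.splitlines(), 2017))
```

Reading the summary side by side with the excerpts: a "CHILD_SA established" followed a little later by "closing CHILD_SA" for the same conn is ordinary rekeying (lifetime=1h, new SA up before the old one is retired) and is not a fault by itself; the line worth alerting on is a "deleting IKE_SA" that is not followed by a new IKE_SA for that conn, which is what unrecovered_teardowns() returns for katrin and not for katrin2.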
 
Old 02-17-2017, 06:22 AM   #7
KatrinAlec
Member
 
Registered: Feb 2012
Posts: 116

Original Poster
Rep: Reputation: 13
I might have found the problem.
ipsec wasn't started in that runlevel.
I didn't think it would be a problem if I started it manually, but now that I've added it to the runlevel it hasn't disconnected (or at least it reconnected automatically).

Maybe that wasn't the solution and it just happens to stay connected for now... but if it keeps working I'm gonna assume that was it.
 
Old 10-18-2022, 05:16 AM   #8
danmut
LQ Newbie
 
Registered: Oct 2022
Location: Norway
Distribution: Ubuntu
Posts: 2

Rep: Reputation: 0
Status update?

Quote:
Originally Posted by KatrinAlec View Post
I might have found the problem.
ipsec wasn't started in that runlevel.
I didn't think it would be a problem if I started it manually, but now that I've added it to the runlevel it hasn't disconnected (or at least it reconnected automatically).

Maybe that wasn't the solution and it just happens to stay connected for now... but if it keeps working I'm gonna assume that was it.
Hi!

I'm struggling with the same issue.

Did it work in the long run?
If so, could you be so kind to enlighten us with your setup?
 
Old 10-18-2022, 05:23 AM   #9
KatrinAlec
Member
 
Registered: Feb 2012
Posts: 116

Original Poster
Rep: Reputation: 13
It is still working.
It's been 10 years, so I don't quite remember it, but I haven't had that kind of problem since.
Maybe you need to open your own thread, so that you can post your settings.
 
Old 10-19-2022, 03:47 AM   #10
danmut
LQ Newbie
 
Registered: Oct 2022
Location: Norway
Distribution: Ubuntu
Posts: 2

Rep: Reputation: 0
Yep, sounds like a good idea.
Thanks!
 
  

