Dashboard 0.8.3_1 IPsec strangeness
-
This is on a recent 1.2.3 (RC2) snapshot.
I've disabled a tunnel and replaced it with a mobile client.
I set up one mobile client with email address type identifier.
Status IPsec shows only my two static-static tunnels up. When the mobile (shrewsoft) client connects, I see the SAD and SPD entries. The overview on the dashboard shows 5 active /1 inactive.
Two are the active tunnels, the inactive seems to be the tunnel that is disabled, the remaining three are the mobile client. Some of that is due to testing it with and without NAT-T, I still have a lingering ESP-UDP SAD from the NAT-T test. I can kill the SAD for that one and bring it down to 4/1. The odd thing is that the mobile client shows down even when it's connected.
None of this is a big deal, it's just a bit confusing.
-
Does it show up this way even after you restart racoon?
The mobile tunnel detection is still pretty new, but this is the only report I have heard lately that it was displaying incorrectly.
-
I kicked it over, now I'm showing 3/1. That's the two static, the mobile, and the disabled one. So mobile is showing active but down. I guess that's right. (It's configured but not connected) I'll see what happens when the mobile client connects again.
-
The mobile tunnel will show inactive until someone connects, and then you'll have one "active" entry per connected client.
-
On my system, overview shows three active tunnels when the mobile client is not configured. Tunnel status shows the mobile client down. I deleted the disabled tunnel that was showing as inactive to simplify things.
-
Got the mobile client connected, now I show five active. That's three for the mobile: one was there, and when the client connected via NAT-T it showed one for the source IP and one for the destination IP with the NAT-T port. All the mobiles still show down under status.
-
There may be some weirdness with parsing your setup… not sure why.
I'd really need to see a sanitized version of the following:
Diagnostics > Command, PHP Execute
print_r($GLOBALS['config']['ipsec']);
Diagnostics > Command, Execute Shell Command:
setkey -D
and
setkey -D -P
-
Ok, here's what I get. Thanks for taking the time to wade through it. I should mention the setup is a CARP cluster, so the tunnels are terminated on the WAN CARP IP.
Array
(
    [preferredoldsa] =>
    [enable] =>
    [mobilekey] => Array
        (
            [0] => Array
                (
                    [ident] => remote.ip.G
                    [pre-shared-key] => pskey-g
                )
            [1] => Array
                (
                    [ident] => remote.ip.D
                    [pre-shared-key] => pskey-d
                )
            [2] => Array
                (
                    [ident] => vpnuser@myvpn.com
                    [pre-shared-key] => mobileuser-psk
                )
        )
    [tunnel] => Array
        (
            [0] => Array
                (
                    [interface] => carp1
                    [local-subnet] => Array
                        (
                            [network] => lan
                        )
                    [remote-subnet] => lan.net.d/16
                    [remote-gateway] => remote.ip.D
                    [p1] => Array
                        (
                            [mode] => aggressive
                            [myident] => Array
                                (
                                    [address] => my.wan.carp.ip
                                )
                            [encryption-algorithm] => rijndael
                            [hash-algorithm] => sha1
                            [dhgroup] => 2
                            [lifetime] => 28800
                            [pre-shared-key] => pskey-d
                            [private-key] =>
                            [cert] =>
                            [peercert] =>
                            [authentication_method] => pre_shared_key
                        )
                    [p2] => Array
                        (
                            [protocol] => esp
                            [encryption-algorithm-option] => Array
                                (
                                    [0] => rijndael
                                )
                            [hash-algorithm-option] => Array
                                (
                                    [0] => hmac_sha1
                                )
                            [pfsgroup] => 2
                            [lifetime] => 28800
                        )
                    [descr] => Tunnel to D
                    [pinghost] => lan.net.d.1
                )
            [1] => Array
                (
                    [interface] => carp1
                    [local-subnet] => Array
                        (
                            [network] => lan
                        )
                    [remote-subnet] => lan.net.g/24
                    [remote-gateway] => remote.ip.G
                    [p1] => Array
                        (
                            [mode] => aggressive
                            [myident] => Array
                                (
                                    [address] => my.wan.carp.ip
                                )
                            [encryption-algorithm] => rijndael
                            [hash-algorithm] => sha1
                            [dhgroup] => 2
                            [lifetime] => 28800
                            [pre-shared-key] => pskey-g
                            [private-key] =>
                            [cert] =>
                            [peercert] =>
                            [authentication_method] => pre_shared_key
                        )
                    [p2] => Array
                        (
                            [protocol] => esp
                            [encryption-algorithm-option] => Array
                                (
                                    [0] => rijndael
                                )
                            [hash-algorithm-option] => Array
                                (
                                    [0] => hmac_sha1
                                    [1] => hmac_md5
                                )
                            [pfsgroup] => 2
                            [lifetime] => 28800
                        )
                    [descr] => Tunnel to G
                    [pinghost] =>
                )
        )
    [preferoldsa] =>
    [mobileclients] => Array
        (
            [enable] =>
            [p1] => Array
                (
                    [mode] => aggressive
                    [myident] => Array
                        (
                            [address] => my.wan.carp.ip
                        )
                    [encryption-algorithm] => rijndael
                    [hash-algorithm] => sha1
                    [dhgroup] => 2
                    [lifetime] => 86400
                    [private-key] =>
                    [cert] =>
                    [authentication_method] => pre_shared_key
                )
            [natt] =>
            [p2] => Array
                (
                    [protocol] => esp
                    [encryption-algorithm-option] => Array
                        (
                            [0] => 3des
                            [1] => rijndael
                        )
                    [hash-algorithm-option] => Array
                        (
                            [0] => hmac_sha1
                            [1] => hmac_md5
                        )
                    [pfsgroup] => 0
                    [lifetime] => 28800
                )
            [dpddelay] => 120
        )
)
setkey -D
Invalid extension type
Invalid extension type
Invalid extension type
Invalid extension type
Invalid extension type
Invalid extension type
setkey -D -P
my.lan.net/24[any] my.lan.fw.ip[any] any
in none
spid=11 seq=7 pid=58166
refcnt=1
lan.net.d/16[any] my.lan.net/24[any] any
in ipsec
esp/tunnel/remote.ip.D-my.wan.carp.ip/unique#16390
spid=14 seq=6 pid=58166
refcnt=1
lan.net.g/24[any] my.lan.net/24[any] any
in ipsec
esp/tunnel/remote.ip.G-my.wan.carp.ip/unique#16392
spid=16 seq=5 pid=58166
refcnt=1
mobile.client.private.ip[any] my.lan.net/24[any] any
in ipsec
esp/tunnel/mobileclient.public.ip-my.wan.carp.ip/require
created: Jun 26 15:32:54 2009 lastused: Jun 26 15:37:36 2009
lifetime: 28800(s) validtime: 0(s)
spid=17 seq=4 pid=58166
refcnt=1
my.lan.fw.ip[any] my.lan.net/24[any] any
out none
spid=12 seq=3 pid=58166
refcnt=1
my.lan.net/24[any] lan.net.d/16[any] any
out ipsec
esp/tunnel/my.wan.carp.ip-remote.ip.D/unique#16389
spid=13 seq=2 pid=58166
refcnt=1
my.lan.net/24[any] lan.net.g/24[any] any
out ipsec
esp/tunnel/my.wan.carp.ip-remote.ip.G/unique#16391
spid=15 seq=1 pid=58166
refcnt=1
my.lan.net/24[any] mobile.client.private.ip[any] any
out ipsec
esp/tunnel/my.wan.carp.ip-mobileclient.public.ip/require
created: Jun 26 15:32:54 2009 lastused: Jun 26 17:25:38 2009
lifetime: 28800(s) validtime: 0(s)
spid=18 seq=0 pid=58166
refcnt=1
-
setkey -D
Invalid extension type
Invalid extension type
Invalid extension type
Invalid extension type
Invalid extension type
Invalid extension type
That worries me. That should be printing a list of all your active SAs.
Do these tunnels show up as 'up' under Status > IPsec?
Seems there may be some other ipsec-tools-related problem on your system.
What version is this running? (Or date/timestamp if it's a snapshot)
-
Just had another thought, if this box was upgraded from 1.2-RELEASE to a more modern version it may have two versions of setkey.
Try /usr/local/sbin/setkey -D
-
Ah, that would be it. It was upgraded from 1.2. Good catch:
/usr/local/sbin/setkey -D
my.wan.carp.ip[4500] mobileclient.public.ip[30883]
esp-udp mode=any spi=304123313(0x12208db1) reqid=0(0x00000000)
E: aes-cbc a68ee719 c719199a 30aef38d 7524469a
A: hmac-sha1 1bf31131 c2c3e9dc 25888fca 026d9802 ad0856f3
seq=0x0001b1c1 replay=4 flags=0x00000000 state=mature
created: Jun 29 07:33:05 2009 current: Jun 29 09:27:55 2009
diff: 6890(s) hard: 28800(s) soft: 23040(s)
last: Jun 29 09:27:55 2009 hard: 0(s) soft: 0(s)
current: 13942840(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 111041 hard: 0 soft: 0
sadb_seq=6 pid=9564 refcnt=2
mobileclient.public.ip[30883] my.wan.carp.ip[4500]
esp-udp mode=tunnel spi=163139250(0x09b94eb2) reqid=0(0x00000000)
E: aes-cbc 05d6cf01 9fbe5b6a 358cf833 e9da3aad
A: hmac-sha1 feea0912 bd67cfea 6b734dee be610ec2 e973a04c
seq=0x00028d22 replay=4 flags=0x00000000 state=mature
created: Jun 29 07:33:05 2009 current: Jun 29 09:27:55 2009
diff: 6890(s) hard: 28800(s) soft: 23040(s)
last: Jun 29 09:27:55 2009 hard: 0(s) soft: 0(s)
current: 226902514(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 167202 hard: 0 soft: 0
sadb_seq=5 pid=9564 refcnt=1
my.wan.carp.ip remote.ip.D
esp mode=any spi=120936904(0x073559c8) reqid=16389(0x00004005)
E: aes-cbc 6b76fbdb 4a1c6c28 9f396457 655cb910
A: hmac-sha1 81eeab0d 0694980a 07a48cc9 de001298 9f956ad4
seq=0x000013fe replay=4 flags=0x00000000 state=mature
created: Jun 29 07:57:26 2009 current: Jun 29 09:27:55 2009
diff: 5429(s) hard: 28800(s) soft: 23040(s)
last: Jun 29 09:27:50 2009 hard: 0(s) soft: 0(s)
current: 1169424(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 5118 hard: 0 soft: 0
sadb_seq=4 pid=9564 refcnt=2
remote.ip.D my.wan.carp.ip
esp mode=tunnel spi=227089053(0x0d891a9d) reqid=16390(0x00004006)
E: aes-cbc d16c5888 752d83be fb5cda1c 09137340
A: hmac-sha1 4a4edba1 99efb15b e9192b16 40f727f6 7b8142f7
seq=0x00000dc6 replay=4 flags=0x00000000 state=mature
created: Jun 29 07:57:26 2009 current: Jun 29 09:27:55 2009
diff: 5429(s) hard: 28800(s) soft: 23040(s)
last: Jun 29 09:27:50 2009 hard: 0(s) soft: 0(s)
current: 597881(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 3526 hard: 0 soft: 0
sadb_seq=3 pid=9564 refcnt=1
remote.ip.D my.wan.carp.ip
esp mode=tunnel spi=47308714(0x02d1dfaa) reqid=16390(0x00004006)
E: aes-cbc 4d7635cb e77e5ad2 f5a864f0 aaa441e4
A: hmac-sha1 007d7961 1fb4072c 4bece018 850108ab 006c3936
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jun 29 07:57:25 2009 current: Jun 29 09:27:55 2009
diff: 5430(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=9564 refcnt=1
my.wan.carp.ip remote.ip.G
esp mode=any spi=145602196(0x08adb694) reqid=16391(0x00004007)
E: aes-cbc e40282bc 734c5f93 a12b51bb d8b66a96
A: hmac-sha1 6cc652f7 f8679ebb 2b9c6522 57b963d5 60b03b87
seq=0x0007a755 replay=4 flags=0x00000000 state=mature
created: Jun 29 04:43:41 2009 current: Jun 29 09:27:55 2009
diff: 17054(s) hard: 28800(s) soft: 23040(s)
last: Jun 29 09:27:55 2009 hard: 0(s) soft: 0(s)
current: 61248056(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 501589 hard: 0 soft: 0
sadb_seq=1 pid=9564 refcnt=2
remote.ip.G my.wan.carp.ip
esp mode=tunnel spi=257452519(0x0f5869e7) reqid=16392(0x00004008)
E: aes-cbc e61e358e 8999e9c1 61a588ce 26b07a72
A: hmac-sha1 fc2948b5 8c93bc95 9f879e40 6aad17b7 3de2d5a2
seq=0x000c49f2 replay=4 flags=0x00000000 state=mature
created: Jun 29 04:43:41 2009 current: Jun 29 09:27:55 2009
diff: 17054(s) hard: 28800(s) soft: 23040(s)
last: Jun 29 09:27:55 2009 hard: 0(s) soft: 0(s)
current: 1084481374(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 805362 hard: 0 soft: 0
sadb_seq=0 pid=9564 refcnt=1
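A small parser for the `setkey -D` output shown in this thread, added here as an example (it is not code from the thread or from pfSense): it refuses the "Invalid extension type" output instead of quietly reporting zero SAs, and then summarizes per peer pair how many mature SAs exist, whether NAT-T (esp-udp with ports) is in use, and how many SAs have never carried traffic, which is what the dashboard counter has to reason about. The sample input is constructed in the same format with the same placeholder addresses; key lines are omitted and counters are made up.

```python
import re
# Constructed sample in the `setkey -D` format quoted in the thread (placeholder
# addresses as in the post, key lines omitted, counters made up).
SAMPLE_SAD = """\
my.wan.carp.ip[4500] mobileclient.public.ip[30883]
\tesp-udp mode=any spi=304123313(0x12208db1) reqid=0(0x00000000)
\tseq=0x0001b1c1 replay=4 flags=0x00000000 state=mature
\tcurrent: 13942840(bytes) hard: 0(bytes) soft: 0(bytes)
mobileclient.public.ip[30883] my.wan.carp.ip[4500]
\tesp-udp mode=tunnel spi=163139250(0x09b94eb2) reqid=0(0x00000000)
\tseq=0x00028d22 replay=4 flags=0x00000000 state=mature
\tcurrent: 226902514(bytes) hard: 0(bytes) soft: 0(bytes)
remote.ip.D my.wan.carp.ip
\tesp mode=tunnel spi=47308714(0x02d1dfaa) reqid=16390(0x00004006)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcurrent: 0(bytes) hard: 0(bytes) soft: 0(bytes)
"""
HEADER = re.compile(r"^\s*(\S+?)(?:\[(\d+)\])?\s+(\S+?)(?:\[\d+\])?\s*$")  # "src[port] dst[port]"
PROTO = re.compile(r"^\s*(esp-udp|esp|ah|ipcomp)\s+mode=\w+\s+spi=(\d+)")
BYTES = re.compile(r"^\s*current:\s+(\d+)\(bytes\)")

def parse_sad(text):
    """Turn `setkey -D` output into one dict per SA entry."""
    if "Invalid extension type" in text:
        # The thread's symptom: an old setkey that cannot decode the kernel's replies.
        raise ValueError("setkey could not decode the SAD; check which setkey binary ran")
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m and "=" not in line:          # new SA: "src dst" line without key=value fields
            entries.append(cur := {"src": m[1], "sport": m[2], "dst": m[3], "proto": None,
                                   "spi": None, "mature": False, "bytes": 0})
        elif cur is not None:
            if (m := PROTO.match(line)):
                cur["proto"], cur["spi"] = m[1], int(m[2])
            if (m := BYTES.match(line)):
                cur["bytes"] = int(m[1])
            cur["mature"] |= "state=mature" in line
    return entries

def summarize(entries):
    """Per peer pair (ports stripped): mature SAs, NAT-T in use, SAs with no traffic."""
    summary = {}
    for e in entries:
        s = summary.setdefault(tuple(sorted((e["src"], e["dst"]))),
                               {"mature": 0, "natt": False, "idle": 0})
        s["mature"] += e["mature"]
        s["natt"] = s["natt"] or e["proto"] == "esp-udp" or e["sport"] is not None
        s["idle"] += e["bytes"] == 0
    return summary
```

Feed it the real `/usr/local/sbin/setkey -D` output and the idle count points at SAs like the zero-byte duplicate for remote.ip.D in the post above.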