Mobile ipsec client reauthentication



  • During an IPsec reauthentication, sometimes another virtual IP address is returned and afterwards traffic stops working. A script restarts the IPsec connection and it detects that the XFRM policy doesn't match the virtual IP. So is it normal behaviour that the virtual IP can change during reauthentication, and does anyone have an idea on how to fix this?

    I have yet to get a good log from the pfsense since the log can only contain 2000 entries and with 80 devices it rotates too fast. Make-before-break has been enabled on the pfsense but didn't change anything.

    pfsense (2.4.3) Remote IP 100.100.100.100
    mobile client (strongswan 5.6.1) Remote IP 192.168.200.10

    Apr 21 18:41:46  daemon.info charon: 08[IKE] reauthenticating IKE_SA vpnsite[1]
    Apr 21 18:41:46  authpriv.info charon: 08[IKE] reauthenticating IKE_SA vpnsite[1]
    Apr 21 18:41:46  daemon.info charon: 08[IKE] installing new virtual IP 10.75.4.16
    Apr 21 18:41:46  daemon.info charon: 08[IKE] initiating IKE_SA vpnsite[2] to 100.100.100.100
    Apr 21 18:41:46  authpriv.info charon: 08[IKE] initiating IKE_SA vpnsite[2] to 100.100.100.100
    Apr 21 18:41:46  daemon.info charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) V ]
    Apr 21 18:41:46  daemon.info charon: 08[NET] sending packet: from 192.168.200.100[4500] to 100.100.100.100[4500] (382 bytes)
    Apr 21 18:41:46  daemon.info charon: 06[NET] received packet: from 100.100.100.100[4500] to 192.168.200.100[4500] (328 bytes)
    Apr 21 18:41:46  daemon.info charon: 06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    Apr 21 18:41:46  daemon.info charon: 06[IKE] local host is behind NAT, sending keep alives
    Apr 21 18:41:46  daemon.info charon: 06[IKE] authentication of '' (myself) with pre-shared key
    Apr 21 18:41:46  daemon.info charon: 06[IKE] establishing CHILD_SA vpnsite{4}
    Apr 21 18:41:46  authpriv.info charon: 06[IKE] establishing CHILD_SA vpnsite{4}
    Apr 21 18:41:46  daemon.info charon: 06[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH CPRQ(ADDR) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    Apr 21 18:41:46  daemon.info charon: 06[NET] sending packet: from 192.168.200.100[4500] to 100.100.100.100[4500] (338 bytes)
    Apr 21 18:41:46  daemon.info charon: 07[NET] received packet: from 100.100.100.100[4500] to 192.168.200.100[4500] (267 bytes)
    Apr 21 18:41:46  daemon.info charon: 07[ENC] parsed IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) ]
    Apr 21 18:41:46  daemon.info charon: 07[IKE] authentication of 'vpnsitevpn-1' with pre-shared key successful
    Apr 21 18:41:46  daemon.info charon: 07[IKE] IKE_SA vpnsite[2] established between 192.168.200.100[]…100.100.100.100[vpnsitevpn-1]
    Apr 21 18:41:46  authpriv.info charon: 07[IKE] IKE_SA vpnsite[2] established between 192.168.200.100[]…100.100.100.100[vpnsitevpn-1]
    Apr 21 18:41:46  daemon.info charon: 07[IKE] scheduling reauthentication in 28178s
    Apr 21 18:41:46  daemon.info charon: 07[IKE] maximum IKE_SA lifetime 28778s
    Apr 21 18:41:46  daemon.info charon: 07[IKE] installing new virtual IP 10.75.4.108
    Apr 21 18:41:46  daemon.info charon: 07[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Apr 21 18:41:46  daemon.info charon: 07[IKE] CHILD_SA vpnsite{4} established with SPIs c5bcc30e_i cdc81c8d_o and TS 10.75.4.108/32 === 10.75.0.0/16
    Apr 21 18:41:46  authpriv.info charon: 07[IKE] CHILD_SA vpnsite{4} established with SPIs c5bcc30e_i cdc81c8d_o and TS 10.75.4.108/32 === 10.75.0.0/16
    Apr 21 18:41:46  daemon.info charon: 07[IKE] received AUTH_LIFETIME of 27855s, scheduling reauthentication in 27255s
    Apr 21 18:41:46  daemon.info charon: 10[IKE] deleting IKE_SA vpnsite[1] between 192.168.200.100[]…100.100.100.100[vpnsitevpn-1]
    Apr 21 18:41:46  authpriv.info charon: 10[IKE] deleting IKE_SA vpnsite[1] between 192.168.200.100[]…100.100.100.100[vpnsitevpn-1]
    Apr 21 18:41:46  daemon.info charon: 10[IKE] sending DELETE for IKE_SA vpnsite[1]
    Apr 21 18:41:46  daemon.info charon: 10[ENC] generating INFORMATIONAL request 6 [ D ]
    Apr 21 18:41:46  daemon.info charon: 10[NET] sending packet: from 192.168.200.100[4500] to 100.100.100.100[4500] (65 bytes)
    Apr 21 18:41:46  daemon.info charon: 07[IKE] peer certificate successfully verified
    Apr 21 18:41:46  daemon.info charon: 16[NET] received packet: from 100.100.100.100[4500] to 192.168.200.100[4500] (57 bytes)
    Apr 21 18:41:46  daemon.info charon: 16[ENC] parsed INFORMATIONAL response 6 [ ]



  • Looks like NAT and reauthentication are giving this issue in a certain case. The clients will start to get double virtual IPs if the NAT device expires/reboots/crashes. If I disable reauthentication on both sides, it solves the issue.

    I still can't explain why this works, but to me it looks like it could be a bug in strongSwan. It's 100 percent reproducible with the following setup:

    RW(client) -> Pfsense(nat) -> Pfsense(endpoint)

    Rebooting the NAT will give double virtual IPs to the RW, where one of the IPs given doesn't work.
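
Added example, not part of the original posts: a small client-side check that scans charon log lines for a reauthentication in which more than one virtual IP was installed, and reports which address the new CHILD_SA's local traffic selector actually uses. The sample input is abridged from the log quoted in the first post; the function name and record layout are assumptions made for this illustration.

```python
import re

# Sample input, abridged from the charon log lines quoted in the first post.
SAMPLE_LOG = """\
Apr 21 18:41:46  daemon.info charon: 08[IKE] reauthenticating IKE_SA vpnsite[1]
Apr 21 18:41:46  authpriv.info charon: 08[IKE] reauthenticating IKE_SA vpnsite[1]
Apr 21 18:41:46  daemon.info charon: 08[IKE] installing new virtual IP 10.75.4.16
Apr 21 18:41:46  daemon.info charon: 07[IKE] installing new virtual IP 10.75.4.108
Apr 21 18:41:46  daemon.info charon: 07[IKE] CHILD_SA vpnsite{4} established with SPIs c5bcc30e_i cdc81c8d_o and TS 10.75.4.108/32 === 10.75.0.0/16
Apr 21 18:41:46  authpriv.info charon: 07[IKE] CHILD_SA vpnsite{4} established with SPIs c5bcc30e_i cdc81c8d_o and TS 10.75.4.108/32 === 10.75.0.0/16
"""

REAUTH = re.compile(r"\[IKE\] reauthenticating IKE_SA (\S+)\[\d+\]")
VIP = re.compile(r"\[IKE\] installing new virtual IP (\S+)")
CHILD = re.compile(r"\[IKE\] CHILD_SA \S+ established with SPIs .* TS (\S+) === (\S+)")


def find_vip_changes(log_text):
    """Return one record per reauthentication in which the virtual IP changed."""
    findings, cycle = [], None
    for line in log_text.splitlines():
        # IKE events appear under both daemon.info and authpriv.info in this
        # log; skip the authpriv copy so each event is counted once.
        if " authpriv." in line:
            continue
        if m := REAUTH.search(line):
            cycle = {"conn": m.group(1), "vips": [], "local_ts": None}
        elif cycle is None:
            continue  # only look at events that follow a reauthentication
        elif m := VIP.search(line):
            if m.group(1) not in cycle["vips"]:
                cycle["vips"].append(m.group(1))
        elif m := CHILD.search(line):
            cycle["local_ts"] = m.group(1)
            local_ip = m.group(1).split("/")[0]
            # Addresses installed in this cycle that the new CHILD_SA does not use.
            cycle["stale"] = [ip for ip in cycle["vips"] if ip != local_ip]
            if cycle["stale"]:
                findings.append(cycle)
            cycle = None
    return findings


if __name__ == "__main__":
    for f in find_vip_changes(SAMPLE_LOG):
        print(f"{f['conn']}: CHILD_SA uses {f['local_ts']}, "
              f"also installed during reauth: {', '.join(f['stale'])}")
```

A non-empty result marks the point at which to capture `ip xfrm policy` and the matching server-side log before the restart script clears the state.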