Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Mobile ipsec client reauthentication

    IPsec
    1
    2
    524
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      laped
      last edited by

      During a IPSEC reauthenticating sometimes another virtual IP address are returned and afterwards traffic stops working. A script restarts the ipsec connectiong and it detects that the XFRM policy  doesn't match the virtual ip. So is it normal behaviour that the virtual IP can change during reauthenticating and do anyone of an idea on how to fix this?

      I have yet to get a good log from the pfsense since the log only can contain 2000 entries and with 80 devices it rotates to fast.  Make-before-break has been enabled on the pfsense but didn't change anything.

      pfsense (2.4.3) Remote IP 100.100.100.100
      mobile client (strongswan 5.6.1) Remote IP 192.168.200.10

      Apr 21 18:41:46  daemon.info charon: 08[IKE] reauthenticating IKE_SA vpnsite[1]
      Apr 21 18:41:46  authpriv.info charon: 08[IKE] reauthenticating IKE_SA vpnsite[1]
      Apr 21 18:41:46  daemon.info charon: 08[IKE] installing new virtual IP 10.75.4.16
      Apr 21 18:41:46  daemon.info charon: 08[IKE] initiating IKE_SA vpnsite[2] to 100.100.100.100
      Apr 21 18:41:46  authpriv.info charon: 08[IKE] initiating IKE_SA vpnsite[2] to 100.100.100.100
      Apr 21 18:41:46  daemon.info charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) V ]
      Apr 21 18:41:46  daemon.info charon: 08[NET] sending packet: from 192.168.200.100[4500] to 100.100.100.100[4500] (382 bytes)
      Apr 21 18:41:46  daemon.info charon: 06[NET] received packet: from 100.100.100.100[4500] to 192.168.200.100[4500] (328 bytes)
      Apr 21 18:41:46  daemon.info charon: 06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
      Apr 21 18:41:46  daemon.info charon: 06[IKE] local host is behind NAT, sending keep alives
      Apr 21 18:41:46  daemon.info charon: 06[IKE] authentication of '' (myself) with pre-shared key
      Apr 21 18:41:46  daemon.info charon: 06[IKE] establishing CHILD_SA vpnsite{4}
      Apr 21 18:41:46  authpriv.info charon: 06[IKE] establishing CHILD_SA vpnsite{4}
      Apr 21 18:41:46  daemon.info charon: 06[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH CPRQ(ADDR) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      Apr 21 18:41:46  daemon.info charon: 06[NET] sending packet: from 192.168.200.100[4500] to 100.100.100.100[4500] (338 bytes)
      Apr 21 18:41:46  daemon.info charon: 07[NET] received packet: from 100.100.100.100[4500] to 192.168.200.100[4500] (267 bytes)
      Apr 21 18:41:46  daemon.info charon: 07[ENC] parsed IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) ]
      Apr 21 18:41:46  daemon.info charon: 07[IKE] authentication of 'vpnsitevpn-1' with pre-shared key successful
      Apr 21 18:41:46  daemon.info charon: 07[IKE] IKE_SA vpnsite[2] established between 192.168.200.100[]…100.100.100.100[vpnsitevpn-1]
      Apr 21 18:41:46  authpriv.info charon: 07[IKE] IKE_SA vpnsite[2] established between 192.168.200.100[]…100.100.100.100[vpnsitevpn-1]
      Apr 21 18:41:46  daemon.info charon: 07[IKE] scheduling reauthentication in 28178s
      Apr 21 18:41:46  daemon.info charon: 07[IKE] maximum IKE_SA lifetime 28778s
      Apr 21 18:41:46  daemon.info charon: 07[IKE] installing new virtual IP 10.75.4.108
      Apr 21 18:41:46  daemon.info charon: 07[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Apr 21 18:41:46  daemon.info charon: 07[IKE] CHILD_SA vpnsite{4} established with SPIs c5bcc30e_i cdc81c8d_o and TS 10.75.4.108/32 === 10.75.0.0/16
      Apr 21 18:41:46  authpriv.info charon: 07[IKE] CHILD_SA vpnsite{4} established with SPIs c5bcc30e_i cdc81c8d_o and TS 10.75.4.108/32 === 10.75.0.0/16
      Apr 21 18:41:46  daemon.info charon: 07[IKE] received AUTH_LIFETIME of 27855s, scheduling reauthentication in 27255s
      Apr 21 18:41:46  daemon.info charon: 10[IKE] deleting IKE_SA vpnsite[1] between 192.168.200.100[]…100.100.100.100[vpnsitevpn-1]
      Apr 21 18:41:46  authpriv.info charon: 10[IKE] deleting IKE_SA vpnsite[1] between 192.168.200.100[]…100.100.100.100[vpnsitevpn-1]
      Apr 21 18:41:46  daemon.info charon: 10[IKE] sending DELETE for IKE_SA vpnsite[1]
      Apr 21 18:41:46  daemon.info charon: 10[ENC] generating INFORMATIONAL request 6 [ D ]
      Apr 21 18:41:46  daemon.info charon: 10[NET] sending packet: from 192.168.200.100[4500] to 100.100.100.100[4500] (65 bytes)
      Apr 21 18:41:46  daemon.info charon: 07[IKE] peer certificate successfully verified
      Apr 21 18:41:46  daemon.info charon: 16[NET] received packet: from 100.100.100.100[4500] to 192.168.200.100[4500] (57 bytes)
      Apr 21 18:41:46  daemon.info charon: 16[ENC] parsed INFORMATIONAL response 6 [ ]

      1 Reply Last reply Reply Quote 0
      • L
        laped
        last edited by

        Looks like NAT and reauthentication is giving this issue in a certain case. The clients will start to get double virtual ip's if the NAT device expires/reboots/crashes. If I disable reauthentication on both sides it solves the issue.

        I still can't explain why this works but for me it looks like it could be a bug in strongswan. It's 100 percent reproduceable with the follow setup

        RW(client) -> Pfsense(nat) -> Pfsense(endpoint)

        Rebooting the NAT will give double virtual ip's to the RW where one of the ip given doesn't work

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.