Issue #2648
Multiple connections with same EAP. uniqueids=never not working
Description
I have set up strongSwan on CentOS 7. Everything's working well. The Android client is able to connect using EAP. I wanted to connect multiple clients using the same username/password. The documentation says uniqueids=never will do this. But uniqueids=never kicks off any existing connection using the same credentials.
I tried uniqueids=yes; in that case the second client is able to connect using the same credentials, but the internet of the existing client goes away.
2nd question: If I want to add EAP for other users in ipsec.secrets, is there any limit on the number of users I can add to the secrets file?
Please suggest what's wrong. Following are my ipsec.secrets and ipsec.conf:
ipsec.secrets:
# ipsec.secrets - strongSwan IPsec secrets file
: PSK abc321
: RSA /root/strongswan/private/vpnHostKey.pem
jonny : EAP "jonny"

ipsec.conf:
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=keep

conn AndroidCon
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes2$
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha38$
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=%defaultroute
    leftcert=/root/strongswan/certs/vpnHostCert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    rightsendcert=never
    eap_identity=%identity

conn IPSEC-PSK
    keyexchange=ikev2
    leftsendcert=always
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes2$
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha38$
    leftfirewall=yes
    forceencaps=yes
    authby=secret
    auto=add
    right=%any
    rightid=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    eap_identity=%any
    leftsubnet=0.0.0.0/0
History
#1 Updated by Tobias Brunner over 7 years ago
- Category set to configuration
- Status changed from New to Feedback
I have set up strongSwan on CentOS 7. Everything's working well. The Android client is able to connect using EAP. I wanted to connect multiple clients using the same username/password. The documentation says uniqueids=never will do this. But uniqueids=never kicks off any existing connection using the same credentials.
I tried uniqueids=yes; in that case the second client is able to connect using the same credentials, but the internet of the existing client goes away.
Check the log for details on what's going on (e.g. if there actually is a uniqueness check, or if the problem is perhaps related to something else).
2nd question: If I want to add EAP for other users in ipsec.secrets, is there any limit on the number of users I can add to the secrets file?
Not really, but it might not perform well if there are lots of users (they are just stored in an unsorted linked list and searched linearly).
#2 Updated by Muhammad Ajmal over 7 years ago
I couldn't see anything in the logs that could identify this error.
Every time I try to connect another device with the same username/password, the newly connected device is assigned the same IP, e.g. 10.10.10.1. And the connection established last has internet access, while on the devices connected before I am not able to access any site.
I have gone through some old issues like these:
https://wiki.strongswan.org/issues/1182, it seems like "supporting multiple connections using SAME username and password was a bug that got fixed two years back".
Now my question is: does uniqueids=never mean multiple clients can connect using the SAME username and password? Is that correct?
Secondly, is there any way I can support more than one client using the same credentials (or PSK) on the Android strongSwan client? As you said, "it might not perform well if there are lots of users (they are just stored in an unsorted linked list and searched linearly)."
#3 Updated by Muhammad Ajmal over 7 years ago
Just to update: the strongSwan version my EPEL repo got me is 5.6.1, not 5.6.2.
Can this be the issue?
#4 Updated by Tobias Brunner over 7 years ago
- Affected version changed from 5.6.2 to 5.6.1
Every time I try to connect another device with the same username/password, the newly connected device is assigned the same IP, e.g. 10.10.10.1. And the connection established last has internet access, while on the devices connected before I am not able to access any site.
The in-memory pool assigns the same address to the same identity only if the lease is marked as offline (i.e. the previous connection was closed) or if the same virtual IP was explicitly requested and the client connects from the same IP/port (this is the case during make-before-break reauthentications). So in your case check if there are log messages regarding leases going offline etc.
I have gone through some old issues like these:
https://wiki.strongswan.org/issues/1182, it seems like "supporting multiple connections using SAME username and password was a bug that got fixed two years back".
I don't think this is related.
Now my question is: does uniqueids=never mean multiple clients can connect using the SAME username and password? Is that correct?
Yes.
Secondly, is there any way I can support more than one client using the same credentials (or PSK) on the Android strongSwan client? As you said, "it might not perform well if there are lots of users (they are just stored in an unsorted linked list and searched linearly)."
You could, but sharing credentials is usually not ideal. And how many users are we talking about? I guess there would have to be a lot to really be an issue. And there are other backends where you could store passwords (e.g. in a database via sql plugin).
Just to update: the strongSwan version my EPEL repo got me is 5.6.1, not 5.6.2.
Maybe, depends on the actual reason for the issue.
#5 Updated by Muhammad Ajmal over 7 years ago
Is "/var/log/charon.log" the right place where I need to check my logs? Because even if I cleared this file and reconnected the devices to watch the logs, this file is still too big to go through line by line.
#6 Updated by Tobias Brunner over 7 years ago
Is "/var/log/charon.log" the right place where I need to check my logs? Because even if I cleared this file and reconnected the devices to watch the logs, this file is still too big to go through line by line.
See LoggerConfiguration and also the example in HelpRequests.
#7 Updated by Muhammad Ajmal over 7 years ago
- File charonlog.txt charonlog.txt added
Please find attached my charon logs.
I cleared this file. Then I connected Android client 1. Then I tried to connect another client using the same username/password.
They both started kicking each other off while trying to establish a connection. Neither could establish a stable connection, as both kept kicking each other off on every retry.
I really appreciate your effort Tobias,
Many Thanks!!
#8 Updated by Muhammad Ajmal over 7 years ago
And from /var/log/messages, below is what I got:
May 2 09:01:01 CNSB003 systemd: Starting Session 341 of user root.
May 2 09:08:23 CNSB003 systemd-logind: Removed session 336.
May 2 09:20:19 CNSB003 systemd-logind: Removed session 340.
May 2 10:01:01 CNSB003 systemd: Started Session 342 of user root.
May 2 10:01:01 CNSB003 systemd: Starting Session 342 of user root.
May 2 10:14:42 CNSB003 systemd-logind: Removed session 338.
May 2 10:31:09 CNSB003 systemd: Started Session 343 of user root.
May 2 10:31:09 CNSB003 systemd-logind: New session 343 of user root.
May 2 10:31:09 CNSB003 systemd: Starting Session 343 of user root.
May 2 10:31:29 CNSB003 systemd-logind: Removed session 343.
#9 Updated by Muhammad Ajmal over 7 years ago
This time I tried to connect the two clients over different networks, i.e. one on WiFi and one on 3G. This time they got assigned different IPs, 10.24.24.1 and 10.24.24.2.
But they are still kicking each other off, with uniqueids=never.
If I set uniqueids=yes, both can stay connected, but only the one connected last has internet access; for the first one the internet doesn't work, it is not able to access any site.
#10 Updated by Tobias Brunner over 7 years ago
I cleared this file. Then I connected Android client 1. Then I tried to connect another client using the same username/password.
You should stop the daemon, clear the file and then start the daemon again and connect from one and then a second device. So we see everything from start to finish. Do that with uniqueids=never and perhaps also with yes but restart the daemon (and perhaps save and clear the log file) in-between.
Also, you should reduce the log level for the enc subsystem to 1, these messages are not useful here and make the log quite difficult to read.
And the log you posted above just shows the creation and deletion of two SAs. The deletion of the first apparently happens overlapping with the creation of the second, however, the deletion is initiated by the client.
And from /var/log/messages, below is what I got:
Why would these messages be relevant?
But they are still kicking each other off.
What do you mean?
If I set uniqueids=yes, both can stay connected
That seems unlikely, at least if you connect them consecutively (there could be races where the uniqueness policy can't be applied successfully).
#11 Updated by Muhammad Ajmal over 7 years ago
- File charon_logs.txt charon_logs.txt added
- File client_connecting client_connecting added
I set the enc subsystem to 1, then repeated the test as follows:
1. Stopped the daemon.
2. Cleared the log file.
3. Restarted the daemon with uniqueids=never.
4. Connected the first Android client, then tried to connect the second client. But the second client kicked off the first client's connection; they both tried to terminate each other's connection and connect themselves. I have also attached a picture from the phones for a better idea.
P.S.: This is how I switched enc to 1; let me know if there's any mistake so I can send the logs again.
filelog {
    /var/log/charon.log {
        # add a timestamp prefix
        time_format = %b %e %T
        # prepend connection name, simplifies grepping
        ike_name = yes
        # overwrite existing files
        append = no
        # increase default loglevel for all daemon subsystems
        # default = 2
        enc = 1
        # flush each line to disk
        flush_line = yes
    }
    stderr {
        # more detailed loglevel for a specific subsystem, overriding the
        # default loglevel.
        enc = 1
    }
}
Many Thanks Tobias!!
#12 Updated by Tobias Brunner over 7 years ago
This is your problem:
loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Please refer to the description of the duplicheck plugin, in particular its behavior. Basically, you want to disable this as it does exactly the opposite of what you want (and its behavior is not related to the uniqueids setting).
#13 Updated by Muhammad Ajmal over 7 years ago
Oh Man!
But the documentation says that to enable duplicheck we need to set "charon.plugins.duplicheck.enable" in the strongswan.conf file. And when I checked my conf file, it looks like the plugin is already disabled:
charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }...
Do you still think duplicheck is somehow on and is the cause of the problem?
#14 Updated by Muhammad Ajmal over 7 years ago
Duplicheck was the problem here.
I had to turn it off like this: in strongswan.d/charon/duplicheck.conf I had to set enable = no and load = no, and the problem is resolved.
duplicheck {
    enable = no
    load = no
}
I couldn't be more thankful Tobias. Bundle of thanks.
Just one more question: now that I am able to connect multiple clients using the same credentials, is there any limit on the maximum number of clients supported on the same credentials?
Thanks once again.!
#15 Updated by Tobias Brunner over 7 years ago
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No change required
duplicheck.enable = no
That syntax is wrong, you have to define sub-sections where you have a dot and it has to be in the plugins section.
enable = no
load = no
One of these should be enough :) But since you won't need the plugin, using load = no is definitely the way to go.
Now that I am able to connect multiple clients using the same credentials, is there any limit on the maximum number of clients supported on the same credentials?
No, but you are bound by the size of the pool(s) for virtual IPs (i.e. with 10.10.10.0/24 you can have 254 clients connected concurrently).