Issue #3558

deleting half open IKE_SA with x.x.x.x after timeout with iOS device

Added by Mohsen kh about 2 months ago. Updated about 2 months ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: configuration
Affected version: 5.6.2
Resolution:

Description

I installed an IKEv2 strongSwan VPN server on Ubuntu 18.04, and I also use a valid Let's Encrypt CA for it. I want to use it from an iOS application. Here is the ipsec.conf:

(Ubuntu 18.04)

config setup
    charondebug="all" 
    # keep_alive=24h
    uniqueids=never
conn %default
    auto=route
    type=tunnel
    keyexchange=ikev2
    fragmentation=no
    forceencaps=no
    mobike=yes
    ike=aes256-sha256-modp1024,aes256-sha256-modp2048,aes256-aes128-sha1-modp1024-3des!
    esp=aes256-sha256-sha1-3des!
    dpdaction=clear
    dpddelay=20s
    dpdtimeout=1800s
    rekey=no
    reauth=no
    left=%any
    #leftallowany=yes
    leftcert=cert.crt
    leftca=%same
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any4
    #rightallowany=yes
    rightid=%any
    rightsourceip=172.26.0.0/16
    rightdns=8.8.8.8,8.8.4.4
    eap_identity=%identity
    rightauth=pubkey
    keyingtries=%forever

conn ikev2-mschapv2
    rightauth=eap-mschapv2

conn ikev2-mschapv2-apple
    rightauth=eap-mschapv2
    leftid=@sec.mydomain.com

And here is the ipsec.secrets content:

sec.mydomain.com : RSA key.pem
vpnusername %any% : EAP "pass" 

The problem is that when I try to connect to the server, it stays in the connecting state, and after 20 seconds it changes to disconnected and the server log shows a timeout. Here is the server log from tail -f /var/log/syslog:

Sep  3 07:25:25 vps-10d57688 systemd[7908]: Reached target Timers.
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Listening on GnuPG network certificate management daemon.
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Listening on GnuPG cryptographic agent and passphrase cache (access for web browsers).
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Listening on GnuPG cryptographic agent and passphrase cache.
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Reached target Sockets.
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Reached target Basic System.
Sep  3 07:25:25 vps-10d57688 systemd[1]: Started User Manager for UID 1000.
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Reached target Default.
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Startup finished in 33ms.
Sep  3 07:25:38 vps-10d57688 charon: 13[NET] received packet: from 151.243.253.166[500] to x.x.x.x[500] (604 bytes)
Sep  3 07:25:38 vps-10d57688 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep  3 07:25:38 vps-10d57688 charon: 13[IKE] 151.243.253.166 is initiating an IKE_SA
Sep  3 07:25:38 vps-10d57688 charon: 13[IKE] remote host is behind NAT
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-99-generic, x86_64)
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] PKCS11 module '<name>' lacks library path
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] disabling load-tester plugin, not configured
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] dnscert plugin is disabled
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] ipseckey plugin is disabled
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] attr-sql plugin: database URI not set
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG]   loaded ca certificate "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root" from '/etc/ipsec.d/cacerts/chain.pem'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/key.pem'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG]   loaded EAP secret for vpnusername %any%
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] sql plugin: database URI not set
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] eap-simaka-sql database URI missing
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loaded 0 RADIUS server configurations
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] HA config misses local/remote address
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] no threshold configured for systime-fix, disabled
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] coupling file path unspecified
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[JOB] spawning 16 worker threads
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG] received stroke: add connection 'ikev2-mschapv2'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG] adding virtual IP address pool 172.26.0.0/16
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG]   loaded certificate "OU=Domain Control Validated, OU=EssentialSSL, CN=sec.mydomain.com" from 'cert.crt'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG]   id '%any' not confirmed by certificate, defaulting to 'OU=Domain Control Validated, OU=EssentialSSL, CN=sec.mydomain.com'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG] added configuration 'ikev2-mschapv2'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 07[CFG] received stroke: route 'ikev2-mschapv2'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 07[CFG] installing trap failed, remote address unknown
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 09[CFG] received stroke: add connection 'ikev2-mschapv2-apple'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 09[CFG] reusing virtual IP address pool 172.26.0.0/16
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 09[CFG]   loaded certificate "OU=Domain Control Validated, OU=EssentialSSL, CN=sec.mydomain.com" from 'cert.crt'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 09[CFG] added configuration 'ikev2-mschapv2-apple'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 11[CFG] received stroke: route 'ikev2-mschapv2-apple'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 11[CFG] installing trap failed, remote address unknown
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[NET] received packet: from 151.243.253.166[500] to x.x.x.x[500] (604 bytes)
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[IKE] 151.243.253.166 is initiating an IKE_SA
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[IKE] remote host is behind NAT
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[IKE] sending cert request for "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root" 
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[NET] sending packet: from x.x.x.x[500] to 151.243.253.166[500] (473 bytes)
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 07[JOB] deleting half open IKE_SA with 151.243.253.166 after timeout

I used tcpdump and nc to check port 4500 and it worked, but when I try to connect to the VPN it does not receive or send any packets:

Here is the result of the call with nc:

ubuntu@vps-10d57688:~$ sudo tcpdump -i ens3 udp port 4500 -vv -X
tcpdump: listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
15:49:46.754565 IP (tos 0x0, ttl 52, id 31208, offset 0, flags [none], proto UDP (17), length 31)
    192.64.83.84.51285 > vps-10d57688.vps.ovh.ca.ipsec-nat-t: [udp sum ok] [|isakmp]
    0x0000:  4500 001f 79e8 0000 3411 f82a c040 5354  E...y...4..*.@ST
    0x0010:  4246 bee0 c855 1194 000b 9ec9 6869 0a    BF...U......hi.
15:50:00.565036 IP (tos 0x0, ttl 52, id 4681, offset 0, flags [none], proto UDP (17), length 33)
    192.64.83.84.51285 > vps-10d57688.vps.ovh.ca.ipsec-nat-t: [udp sum ok] UDP-encap: [|ESP]
    0x0000:  4500 0021 1249 0000 3411 5fc8 c040 5354  E..!.I..4._..@ST
    0x0010:  4246 bee0 c855 1194 000d 1f55 7465 7374  BF...U.....Utest
    0x0020:  0a  

History

#1 Updated by Tobias Brunner about 2 months ago

  • Status changed from New to Feedback
  • Priority changed from Urgent to Normal

Please don't cross-post. You already posted this on serverfault.com.

#2 Updated by Mohsen kh about 2 months ago

Tobias Brunner wrote:

Please don't cross-post. You already posted this on serverfault.com.

I am sorry for cross-posting; I did it because I didn't get the answer I needed. I checked a lot, and Xcode does not show me any error in LLDB. I don't know how to resolve it!!
I tried posting the problem here in the hope that I might find a solution.
