Issue #3607

statusall option reports transport established two or three times per IP at start-up

Added by Gilles VINCENT about 1 month ago. Updated 28 days ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
-
Affected version:
5.7.1
Resolution:

Description

There is a strange issue at the start-up of ipsec.

I have set up 4 links, and when I poll the statusall command every 500ms I can see ESTABLISHED multiple times (and multiple up connections) for a few seconds, as you can see below:

Security Associations (12 up, 12 connecting):
10.10.1.70-tunnel-P2P[31]: CONNECTING, 10.10.1.54[%any]...10.10.1.70[%any]
10.10.1.70-tunnel-P2P[31]: IKEv2 SPIs: 293b220b276a21a1_i* 0000000000000000_r
10.10.1.70-tunnel-P2P[31]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
10.10.1.70-transport[30]: CONNECTING, 10.10.1.54[%any]...10.10.1.70[%any]
10.10.1.70-transport[30]: IKEv1 SPIs: 21a2a014a8bd594e_i* 0000000000000000_r
10.10.1.70-transport[30]: Tasks queued: QUICK_MODE QUICK_MODE
10.10.1.70-transport[30]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
10.10.1.69-tunnel-P2P[29]: CONNECTING, 10.10.1.54[%any]...10.10.1.69[%any]
10.10.1.69-tunnel-P2P[29]: IKEv2 SPIs: 8245e42ebfa2cfda_i* 0000000000000000_r
10.10.1.69-tunnel-P2P[29]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
10.10.1.69-transport[28]: CONNECTING, 10.10.1.54[%any]...10.10.1.69[%any]
10.10.1.69-transport[28]: IKEv1 SPIs: eff83a5e0a60dbb0_i* 0000000000000000_r
10.10.1.69-transport[28]: Tasks queued: QUICK_MODE QUICK_MODE
10.10.1.69-transport[28]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
10.10.1.67-tunnel-P2P[27]: CONNECTING, 10.10.1.54[%any]...10.10.1.67[%any]
10.10.1.67-tunnel-P2P[27]: IKEv2 SPIs: e1fe931334117ca7_i* 0000000000000000_r
10.10.1.67-tunnel-P2P[27]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
10.10.1.67-transport[26]: CONNECTING, 10.10.1.54[%any]...10.10.1.67[%any]
10.10.1.67-transport[26]: IKEv1 SPIs: 65eb1242173299d4_i* 0000000000000000_r
10.10.1.67-transport[26]: Tasks queued: QUICK_MODE QUICK_MODE
10.10.1.67-transport[26]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
10.10.1.66-tunnel-P2P[25]: CONNECTING, 10.10.1.54[%any]...10.10.1.66[%any]
10.10.1.66-tunnel-P2P[25]: IKEv2 SPIs: eb4369282863dc52_i* 0000000000000000_r
10.10.1.66-tunnel-P2P[25]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
10.10.1.66-transport[24]: CONNECTING, 10.10.1.54[%any]...10.10.1.66[%any]
10.10.1.66-transport[24]: IKEv1 SPIs: 494bbb88ebe7fe13_i* 0000000000000000_r
10.10.1.66-transport[24]: Tasks queued: QUICK_MODE QUICK_MODE
10.10.1.66-transport[24]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
10.10.1.65-tunnel-P2P[23]: CONNECTING, 10.10.1.54[%any]...10.10.1.65[%any]
10.10.1.65-tunnel-P2P[23]: IKEv2 SPIs: 34b36a268c0cff33_i* 0000000000000000_r
10.10.1.65-tunnel-P2P[23]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
10.10.1.65-transport[22]: ESTABLISHED 5 seconds ago, 10.10.1.54[10.10.1.54]...10.10.1.65[10.10.1.65]
10.10.1.65-transport[22]: IKEv1 SPIs: 3b526adb391b36e0_i 09cacf4431999597_r*, pre-shared key reauthentication in 47 hours
10.10.1.65-transport[22]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
10.10.1.64-transport[21]: ESTABLISHED 5 seconds ago, 10.10.1.54[10.10.1.54]...10.10.1.64[10.10.1.64]
10.10.1.64-transport[21]: IKEv1 SPIs: 6331e87fb77b4ed9_i c3971d732b477be0_r*, pre-shared key reauthentication in 47 hours
10.10.1.64-transport[21]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
10.10.1.64-transport{9}: REKEYED, TRANSPORT, reqid 5, expires in 23 hours
10.10.1.64-transport{9}: 10.10.1.54/32 === 10.10.1.64/32
10.10.1.64-transport{10}: REKEYED, TRANSPORT, reqid 5, expires in 23 hours
10.10.1.64-transport{10}: 10.10.1.54/32 === 10.10.1.64/32
10.10.1.64-tunnel{11}: INSTALLED, TUNNEL, reqid 6, ESP SPIs: c37b3553_i d718c7f8_o
10.10.1.64-tunnel{11}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 23 hours
10.10.1.64-tunnel{11}: 192.168.0.0/16 === 10.10.1.64/32
10.10.1.64-transport{14}: INSTALLED, TRANSPORT, reqid 5, ESP SPIs: c72a427d_i 2e000920_o
10.10.1.64-transport{14}: AES_CBC_128/HMAC_SHA2_256_128, 160 bytes_i (4 pkts, 0s ago), 160 bytes_o (4 pkts, 0s ago), rekeying in 23 hours
10.10.1.64-transport{14}: 10.10.1.54/32 === 10.10.1.64/32
10.10.1.65-transport[20]: ESTABLISHED 5 seconds ago, 10.10.1.54[10.10.1.54]...10.10.1.65[10.10.1.65]
10.10.1.65-transport[20]: IKEv1 SPIs: b1a48f6b5e376644_i e6cbd72f88cf8d33_r*, pre-shared key reauthentication in 47 hours
10.10.1.65-transport[20]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
10.10.1.65-transport{12}: REKEYED, TRANSPORT, reqid 7, expires in 23 hours
10.10.1.65-transport{12}: 10.10.1.54/32 === 10.10.1.65/32
10.10.1.65-tunnel{13}: INSTALLED, TUNNEL, reqid 8, ESP SPIs: c8e26eb1_i f17722a6_o
10.10.1.65-tunnel{13}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 23 hours
10.10.1.65-tunnel{13}: 192.168.0.0/16 === 10.10.1.65/32
10.10.1.65-transport{15}: REKEYED, TRANSPORT, reqid 7, expires in 23 hours
10.10.1.65-transport{15}: 10.10.1.54/32 === 10.10.1.65/32
10.10.1.65-transport{16}: INSTALLED, TRANSPORT, reqid 7, ESP SPIs: c398e9df_i 318dfa4c_o
10.10.1.65-transport{16}: AES_CBC_128/HMAC_SHA2_256_128, 40 bytes_i (1 pkt, 0s ago), 40 bytes_o (1 pkt, 0s ago), rekeying in 23 hours
10.10.1.65-transport{16}: 10.10.1.54/32 === 10.10.1.65/32
10.10.1.65-transport[19]: ESTABLISHED 5 seconds ago, 10.10.1.54[10.10.1.54]...10.10.1.65[10.10.1.65]
10.10.1.65-transport[19]: IKEv1 SPIs: 45bb7dcdf692987e_i* 9f17021886285a05_r, pre-shared key reauthentication in 47 hours
10.10.1.65-transport[19]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
10.10.1.64-tunnel-P2P[18]: CONNECTING, 10.10.1.54[%any]...10.10.1.64[%any]
10.10.1.64-tunnel-P2P[18]: IKEv2 SPIs: 0b3eb862f6b85f26_i* 0000000000000000_r
10.10.1.64-tunnel-P2P[18]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
10.10.1.64-transport[16]: ESTABLISHED 7 seconds ago, 10.10.1.54[10.10.1.54]...10.10.1.64[10.10.1.64]
10.10.1.64-transport[16]: IKEv1 SPIs: 7b24f4db650f98fb_i* a0d9b73646a777e2_r, pre-shared key reauthentication in 47 hours
10.10.1.64-transport[16]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
10.10.1.63-transport[15]: ESTABLISHED 7 seconds ago, 10.10.1.54[10.10.1.54]...10.10.1.63[10.10.1.63]
10.10.1.63-transport[15]: IKEv1 SPIs: 812a9a5aa09ef5d2_i cb7179fae37eba90_r*, pre-shared key reauthentication in 47 hours
10.10.1.63-transport[15]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
10.10.1.63-transport{4}: REKEYED, TRANSPORT, reqid 3, expires in 23 hours
10.10.1.63-transport{4}: 10.10.1.54/32 === 10.10.1.63/32
10.10.1.63-tunnel{5}: INSTALLED, TUNNEL, reqid 4, ESP SPIs: c27eb69f_i a459e900_o
10.10.1.63-tunnel{5}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 23 hours
10.10.1.63-tunnel{5}: 192.168.0.0/16 === 10.10.1.63/32
10.10.1.63-transport{7}: REKEYED, TRANSPORT, reqid 3, expires in 23 hours
10.10.1.63-transport{7}: 10.10.1.54/32 === 10.10.1.63/32
10.10.1.63-transport{8}: INSTALLED, TRANSPORT, reqid 3, ESP SPIs: c0ef2afa_i cef497f4_o
10.10.1.63-transport{8}: AES_CBC_128/HMAC_SHA2_256_128, 240 bytes_i (6 pkts, 0s ago), 240 bytes_o (6 pkts, 0s ago), rekeying in 23 hours
10.10.1.63-transport{8}: 10.10.1.54/32 === 10.10.1.63/32
10.10.1.64-transport[14]: ESTABLISHED 7 seconds ago, 10.10.1.54[10.10.1.54]...10.10.1.64[10.10.1.64]
10.10.1.64-transport[14]: IKEv1 SPIs: 012e0f055f2ada00_i 5ab58251dcd65166_r*, pre-shared key reauthentication in 47 hours
10.10.1.64-transport[14]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
10.10.1.63-tunnel-P2P[8]: CONNECTING, 10.10.1.54[%any]...10.10.1.63[%any]
10.10.1.63-tunnel-P2P[8]: IKEv2 SPIs: 1024924745772161_i* 0000000000000000_r
10.10.1.63-tunnel-P2P[8]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
10.10.1.63-transport[11]: ESTABLISHED 8 seconds ago, 10.10.1.54[10.10.1.54]...10.10.1.63[10.10.1.63]
10.10.1.63-transport[11]: IKEv1 SPIs: 504e54edb875dc8c_i c2f7a0ea0f59fdca_r*, pre-shared key reauthentication in 47 hours
10.10.1.63-transport[11]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
10.10.1.62-transport[9]: ESTABLISHED 8 seconds ago, 10.10.1.54[10.10.1.54]...10.10.1.62[10.10.1.62]
10.10.1.62-transport[9]: IKEv1 SPIs: 8ae25d08f3cdcd24_i fee04f4c642dc827_r*, pre-shared key reauthentication in 47 hours
10.10.1.62-transport[9]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
10.10.1.62-transport{1}: REKEYED, TRANSPORT, reqid 1, expires in 23 hours
10.10.1.62-transport{1}: 10.10.1.54/32 === 10.10.1.62/32
10.10.1.62-tunnel{2}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c783086f_i ffb58fd0_o
10.10.1.62-tunnel{2}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 23 hours
10.10.1.62-tunnel{2}: 192.168.0.0/16 === 10.10.1.62/32
10.10.1.62-transport{3}: REKEYED, TRANSPORT, reqid 1, expires in 23 hours
10.10.1.62-transport{3}: 10.10.1.54/32 === 10.10.1.62/32
10.10.1.62-transport{6}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c7f44b01_i 099cbd3a_o
10.10.1.62-transport{6}: AES_CBC_128/HMAC_SHA2_256_128, 240 bytes_i (6 pkts, 0s ago), 240 bytes_o (6 pkts, 0s ago), rekeying in 23 hours
10.10.1.62-transport{6}: 10.10.1.54/32 === 10.10.1.62/32
10.10.1.63-transport[7]: ESTABLISHED 9 seconds ago, 10.10.1.54[10.10.1.54]...10.10.1.63[10.10.1.63]
10.10.1.63-transport[7]: IKEv1 SPIs: 72ac7618e057e9b8_i* c17251fb3290b31e_r, pre-shared key reauthentication in 47 hours
10.10.1.63-transport[7]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
10.10.1.62-tunnel-P2P[6]: CONNECTING, 10.10.1.54[%any]...10.10.1.62[%any]
10.10.1.62-tunnel-P2P[6]: IKEv2 SPIs: 011df2a766a49b16_i* 0000000000000000_r
10.10.1.62-tunnel-P2P[6]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
10.10.1.62-transport[2]: ESTABLISHED 10 seconds ago, 10.10.1.54[10.10.1.54]...10.10.1.62[10.10.1.62]
10.10.1.62-transport[2]: IKEv1 SPIs: 59eaaa9c9afe9dbb_i dfa17ad58e80b119_r*, pre-shared key reauthentication in 47 hours
10.10.1.62-transport[2]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
10.10.1.62-transport[1]: ESTABLISHED 11 seconds ago, 10.10.1.54[10.10.1.54]...10.10.1.62[10.10.1.62]
10.10.1.62-transport[1]: IKEv1 SPIs: 969659147821886c_i* a5cc0876f7c7d125_r, pre-shared key reauthentication in 47 hours
10.10.1.62-transport[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

For instance, for my 10.10.1.65 transport link, as you can see, there are 3 open connections:
10.10.1.65-transport[19]: ESTABLISHED 5 seconds ago, 10.10.1.54[10.10.1.54]...10.10.1.65[10.10.1.65]
10.10.1.65-transport[19]: IKEv1 SPIs: 45bb7dcdf692987e_i* 9f17021886285a05_r, pre-shared key reauthentication in 47 hours
10.10.1.65-transport[19]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

10.10.1.65-transport[22]: ESTABLISHED 5 seconds ago, 10.10.1.54[10.10.1.54]...10.10.1.65[10.10.1.65]
10.10.1.65-transport[22]: IKEv1 SPIs: 3b526adb391b36e0_i 09cacf4431999597_r*, pre-shared key reauthentication in 47 hours
10.10.1.65-transport[22]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

10.10.1.65-transport[20]: ESTABLISHED 5 seconds ago, 10.10.1.54[10.10.1.54]...10.10.1.65[10.10.1.65]
10.10.1.65-transport[20]: IKEv1 SPIs: b1a48f6b5e376644_i e6cbd72f88cf8d33_r*, pre-shared key reauthentication in 47 hours
10.10.1.65-transport[20]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

After about 10-15 seconds the number of up connections stabilizes at 4 (one for each of my transport links):
Security Associations (4 up, 12 connecting):

Is there a way to avoid opening these links multiple times at the service start-up that I may have missed somewhere?

Thank you.

Best Regards.

Attachment: charon_debug.log (223 KB), Gilles VINCENT, 27.10.2020 13:59
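The report above is about reading `ipsec statusall` output and noticing that one connection name carries several ESTABLISHED IKE SAs at once. The following script is an added example (not part of the report and not strongSwan's own code) that parses that output, counts ESTABLISHED IKE SAs per connection name, and reports names with more than one, so a startup health check can wait until the count has settled instead of eyeballing the status every 500ms. The sample text is a constructed subset of the lines quoted above; the state names in the regular expression are the IKE_SA states strongSwan prints, and the `settled()` helper and its `expected_up` parameter are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the `ipsec statusall` lines quoted in the
# report above, kept verbatim so the counts below match that output.
SAMPLE_STATUS = """\
Security Associations (12 up, 12 connecting):
10.10.1.65-tunnel-P2P[23]: CONNECTING, 10.10.1.54[%any]...10.10.1.65[%any]
10.10.1.65-tunnel-P2P[23]: IKEv2 SPIs: 34b36a268c0cff33_i* 0000000000000000_r
10.10.1.65-transport[22]: ESTABLISHED 5 seconds ago, 10.10.1.54[10.10.1.54]...10.10.1.65[10.10.1.65]
10.10.1.65-transport[22]: IKEv1 SPIs: 3b526adb391b36e0_i 09cacf4431999597_r*, pre-shared key reauthentication in 47 hours
10.10.1.65-transport[22]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
10.10.1.64-transport[21]: ESTABLISHED 5 seconds ago, 10.10.1.54[10.10.1.54]...10.10.1.64[10.10.1.64]
10.10.1.64-transport{14}: INSTALLED, TRANSPORT, reqid 5, ESP SPIs: c72a427d_i 2e000920_o
10.10.1.65-transport[20]: ESTABLISHED 5 seconds ago, 10.10.1.54[10.10.1.54]...10.10.1.65[10.10.1.65]
10.10.1.65-transport[19]: ESTABLISHED 5 seconds ago, 10.10.1.54[10.10.1.54]...10.10.1.65[10.10.1.65]
10.10.1.64-tunnel-P2P[18]: CONNECTING, 10.10.1.54[%any]...10.10.1.64[%any]
10.10.1.64-transport[16]: ESTABLISHED 7 seconds ago, 10.10.1.54[10.10.1.54]...10.10.1.64[10.10.1.64]
10.10.1.64-transport[14]: ESTABLISHED 7 seconds ago, 10.10.1.54[10.10.1.54]...10.10.1.64[10.10.1.64]
"""

# Summary line printed at the top of the SA section.
HEADER_RE = re.compile(r"^Security Associations \((\d+) up, (\d+) connecting\):")

# IKE_SA status line: "<conn>[<unique id>]: <STATE> ...". Lines for the same
# IKE_SA that follow it (SPIs, proposal, tasks) do not start with a state name,
# and CHILD_SAs use {id} instead of [id], so neither matches.
IKE_SA_RE = re.compile(
    r"^(?P<conn>\S+)\[(?P<id>\d+)\]: "
    r"(?P<state>CREATED|CONNECTING|ESTABLISHED|PASSIVE|REKEYING|REKEYED|DELETING|DESTROYING)\b"
)


def parse_ike_sas(status_text):
    """Return (summary, sas): summary is {'up': n, 'connecting': m} from the
    header, sas maps (conn name, unique id) to the IKE_SA state."""
    summary = {}
    sas = {}
    for line in status_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            summary = {"up": int(m.group(1)), "connecting": int(m.group(2))}
            continue
        m = IKE_SA_RE.match(line)
        if m:
            sas.setdefault((m["conn"], int(m["id"])), m["state"])
    return summary, sas


def established_per_conn(sas):
    """Number of ESTABLISHED IKE_SAs per connection name."""
    counts = defaultdict(int)
    for (conn, _), state in sas.items():
        if state == "ESTABLISHED":
            counts[conn] += 1
    return dict(counts)


def duplicate_ike_sas(sas):
    """Connection names that currently have more than one ESTABLISHED IKE_SA."""
    return {c: n for c, n in established_per_conn(sas).items() if n > 1}


def settled(status_text, expected_up):
    """True once the 'up' count equals expected_up and no connection name
    has duplicate ESTABLISHED IKE_SAs (the steady state the report expects)."""
    summary, sas = parse_ike_sas(status_text)
    return summary.get("up") == expected_up and not duplicate_ike_sas(sas)


if __name__ == "__main__":
    summary, sas = parse_ike_sas(SAMPLE_STATUS)
    print("summary:", summary)
    for conn, n in sorted(duplicate_ike_sas(sas).items()):
        print(f"{conn}: {n} ESTABLISHED IKE_SAs")
    print("settled for 4 links:", settled(SAMPLE_STATUS, 4))
```

In practice the text fed to `parse_ike_sas()` would come from running `ipsec statusall` once at a time, for example from a startup script that retries until `settled()` returns true, rather than from a tight polling loop.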

History

#1 Updated by Tobias Brunner about 1 month ago

  • Status changed from New to Feedback

Is there a way to avoid opening these links multiple times at the service start-up that I may have missed somewhere?

Maybe. You didn't write what you are actually doing or have configured. But since you are polling statusall every 500ms (which doesn't sound like a good idea) it's possible you are doing something wrong.

#2 Updated by Gilles VINCENT about 1 month ago

Hello Tobias,

Thank you for your quick answer.

Here is my environment:

Each transport link is between a PC (Windows) and an embedded device.

My ipsec.conf is the following on embedded device side:

config setup
    charondebug="ike 1"

conn %default
    ikelifetime=2879m
    lifetime=24h
    authby=secret
    ike=aes128-sha256-modp2048!
    esp=aes128-sha256!
    keyexchange=ikev1

conn 10.10.1.62-passthroughHTTPS
    type=passthrough
    left=127.0.0.1
    leftsubnet=10.10.1.54/32[tcp/443]
    rightsubnet=10.10.1.62/32
    auto=route

conn 10.10.1.62-transport
    type=transport
    left=10.10.1.54
    right=10.10.1.62
    auto=start

conn 10.10.1.62-tunnel
    type=tunnel
    left=10.10.1.54
    leftsubnet=192.168.11.4/16
    right=10.10.1.62
    rightsubnet=10.10.1.62/32
    auto=start

<Same rules for all other IPs>

If you need anything else please let me know. Thank you.
Best Regards,

#3 Updated by Tobias Brunner 29 days ago

The logs would probably be helpful to see what's actually going on during startup (see HelpRequests for settings).

#4 Updated by Gilles VINCENT 28 days ago

Hello Tobias,
You can find the associated charon_debug.log in the attachment. Thanks
BR,
Gilles

#5 Updated by Tobias Brunner 28 days ago

Why is there a 10.10.1.62-transport connection and a 10.10.1.62-tunnel-P2P connection (and other similar connections) which seem to be the same thing (except one is IKEv1 and transport mode and the other IKEv2 and maybe tunnel mode?). Note that none of the P2P connections actually get established, they just result in retransmits of the IKE_SA_INIT message (the peer probably doesn't expect IKEv2 requests) until they eventually get destroyed. These are the additional SAs you see in the status output.

Also, there seem to be drop policies (deduced from the name) with actual remote addresses, which you probably want to change to 127.0.0.1 like you did for the passthrough policies.

Note that there is also some weird stuff the IKEv1 peer does. A Quick Mode exchange to create an IPsec SA consists of three messages (see RFC 2409, section 5.5). For example, look at this exchange:

Tue, 2020-10-27, 09:19:29 14[ENC] <10.10.1.62-transport|1> generating QUICK_MODE request 3696655743 [ HASH SA No ID ID ]
...
Tue, 2020-10-27, 09:19:29 07[ENC] <10.10.1.62-transport|1> parsed QUICK_MODE response 3696655743 [ HASH SA No ID ID ]
...
Tue, 2020-10-27, 09:19:29 07[IKE] <10.10.1.62-transport|1> CHILD_SA 10.10.1.62-transport{1} established with SPIs cd572a60_i e4809892_o and TS 10.10.1.54/32 === 10.10.1.62/32
...
Tue, 2020-10-27, 09:19:29 07[ENC] <10.10.1.62-transport|1> generating QUICK_MODE request 3696655743 [ HASH ]

Note the message ID 3696655743 for all of these messages. For whatever reason, the peer now sends a Quick Mode request with that same message ID that includes an INITIAL_CONTACT notify:

Tue, 2020-10-27, 09:19:29 10[ENC] <10.10.1.62-transport|1> parsed QUICK_MODE request 3696655743 [ HASH N(INIT_CONTACT) ]

Since a Quick Mode request without SA payload is invalid, this causes strongSwan to return an error notify:

Tue, 2020-10-27, 09:19:29 10[IKE] <10.10.1.62-transport|1> sa payload missing
Tue, 2020-10-27, 09:19:29 10[IKE] <10.10.1.62-transport|1> queueing INFORMATIONAL task
...
Tue, 2020-10-27, 09:19:29 05[ENC] <10.10.1.62-transport|1> generating INFORMATIONAL_V1 request 2728570382 [ HASH N(CRIT) ]

The error is actually INVALID_PAYLOAD_TYPE but the log shows the IKEv2 string for that identifier (UNSUPPORTED_CRITICAL_PAYLOAD). Anyway, sending an INITIAL_CONTACT notify like that in a Quick Mode request seems quite strange (using an INFORMATIONAL request would be more appropriate, but those are unidirectional in IKEv1 and not confirmed by the peer, so maybe that's why Quick Mode is used, but that will obviously not work if the peer does not expect that). The reused message ID is weird too and so is sending such a notify for each Quick Mode exchange (it does not really concern individual IPsec SAs but the IKE SA as a whole). What implementation is on the other end?
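The comment above explains what a well-formed Quick Mode exchange looks like in the charon log (three messages sharing one message ID, per RFC 2409 section 5.5) and what the peer here does instead (a fourth request under the same ID without an SA payload, which strongSwan rejects with "sa payload missing"). The following is an added example, not code from this thread or from strongSwan, that groups QUICK_MODE log lines by connection and message ID and flags exactly those two anomalies. The sample lines are a constructed copy of the excerpt quoted above; the finding codes `SA_MISSING` and `MSGID_REUSED` and the function name are this example's own.

```python
import re

# Constructed sample: the log lines quoted in the comment above, in the order
# they appear in the charon_debug.log excerpt.
SAMPLE_LOG = """\
Tue, 2020-10-27, 09:19:29 14[ENC] <10.10.1.62-transport|1> generating QUICK_MODE request 3696655743 [ HASH SA No ID ID ]
Tue, 2020-10-27, 09:19:29 07[ENC] <10.10.1.62-transport|1> parsed QUICK_MODE response 3696655743 [ HASH SA No ID ID ]
Tue, 2020-10-27, 09:19:29 07[IKE] <10.10.1.62-transport|1> CHILD_SA 10.10.1.62-transport{1} established with SPIs cd572a60_i e4809892_o and TS 10.10.1.54/32 === 10.10.1.62/32
Tue, 2020-10-27, 09:19:29 07[ENC] <10.10.1.62-transport|1> generating QUICK_MODE request 3696655743 [ HASH ]
Tue, 2020-10-27, 09:19:29 10[ENC] <10.10.1.62-transport|1> parsed QUICK_MODE request 3696655743 [ HASH N(INIT_CONTACT) ]
Tue, 2020-10-27, 09:19:29 10[IKE] <10.10.1.62-transport|1> sa payload missing
"""

# One ENC log line for a Quick Mode message:
#   <timestamp> <thread>[<group>] <<conn>|<ike id>> generating|parsed QUICK_MODE request|response <msgid> [ payloads ]
QM_RE = re.compile(
    r"^(?P<ts>.+?) (?P<thread>\d+)\[(?P<grp>[A-Z]+)\] "
    r"<(?P<conn>[^|>]+)\|(?P<ike>\d+)> "
    r"(?P<dir>generating|parsed) QUICK_MODE (?P<kind>request|response) "
    r"(?P<mid>\d+) \[ (?P<payloads>[^\]]*) \]"
)

QM_MESSAGES = 3  # RFC 2409 section 5.5: Quick Mode is a three-message exchange


def analyze_quick_mode(log_text):
    """Group Quick Mode messages by (connection, message ID) and report anomalies.

    Returns (exchanges, findings). exchanges maps (conn, msgid) to the list of
    (direction, kind, payloads) seen under that ID. findings is a list of
    (conn, msgid, code) with code:
      SA_MISSING   - a received request carrying no SA payload, other than the
                     third (HASH-only) message a responder legitimately receives
      MSGID_REUSED - a fourth or later message under an ID whose three-message
                     exchange has already completed
    """
    exchanges = {}
    findings = []
    for line in log_text.splitlines():
        m = QM_RE.match(line)
        if not m:
            continue  # not a Quick Mode ENC line (CHILD_SA, sa payload missing, ...)
        key = (m["conn"], m["mid"])
        msgs = exchanges.setdefault(key, [])
        payloads = m["payloads"].split()
        is_third_msg = len(msgs) == QM_MESSAGES - 1
        if (m["kind"] == "request" and m["dir"] == "parsed"
                and "SA" not in payloads and not is_third_msg):
            findings.append((*key, "SA_MISSING"))
        if len(msgs) >= QM_MESSAGES:
            findings.append((*key, "MSGID_REUSED"))
        msgs.append((m["dir"], m["kind"], payloads))
    return exchanges, findings


if __name__ == "__main__":
    exchanges, findings = analyze_quick_mode(SAMPLE_LOG)
    for (conn, mid), msgs in exchanges.items():
        print(f"{conn} msgid {mid}: {len(msgs)} messages")
        for d, k, p in msgs:
            print(f"  {d} {k} {' '.join(p)}")
    for conn, mid, code in findings:
        print(f"finding: {conn} msgid {mid} {code}")
```

Run over a full charon log (with `ike 1`/`enc 1` logging as in the conn posted above), a `MSGID_REUSED` finding per Quick Mode exchange on every connection is the pattern the comment describes; a single one is more likely a retransmit and worth checking against the timestamps first.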

#6 Updated by Gilles VINCENT 28 days ago

Hello,
My configuration on Windows side is the following:

set deviceIpAddress=10.10.1.54

set workstationIpAddress=10.10.1.65
set workstationIpAddress2=10.10.1.64
set workstationIpAddress3=10.10.1.63
set workstationIpAddress4=10.10.1.62

set YourPsk=D4350840CE2BB21716FBD7E694FCF026
set YourPsk2=635D65D0C39F56C4CFA75EDABEF4CECF
set YourPsk3=09D4E2F2D596C338EEDB6FBFEE575195
set YourPsk4=84651B330EB97F3987C6BD1EBE9195E8

set DeviceOtherIp=192.168.11.2
set DeviceOtherNetmask=255.255.0.0
set opcuaPort=4840

set globalNetMask=255.255.255.255

REM Quick Mode security methods; expanded with %...% because the script runs
REM no command blocks, so delayed (!...!) expansion is not needed.
set encryptionMode=esp:sha256-aes128+1440min

netsh advfirewall set global mainmode mmkeylifetime 2879min,0sess
netsh advfirewall set global mainmode mmsecmethods dhgroup14:aes128-sha256,dhgroup2:aes128-sha256

REM Add the rules; endpoint2 is always the embedded device (deviceIpAddress)
netsh advfirewall consec add rule name="IPSECtransport" endpoint1=%workstationIpAddress% endpoint2=%deviceIpAddress% action=requireinrequireout description="IPSECtransport" mode=transport enable=yes type=static protocol=any auth1=computerpsk auth1psk=%YourPsk% qmpfs=none qmsecmethods=%encryptionMode%
netsh advfirewall consec add rule name="IPSECpassthroughOPCUA" endpoint1=%workstationIpAddress% endpoint2=%deviceIpAddress% action=noauthentication description="IPSECpassthroughOPCUA" mode=transport enable=yes type=static protocol=tcp port2=%opcuaPort%
netsh advfirewall consec add rule name="IPSECpassthroughHTTPS" endpoint1=%workstationIpAddress% endpoint2=%deviceIpAddress% action=noauthentication description="IPSECpassthroughHTTPS" mode=transport enable=yes type=static protocol=tcp port2=443
netsh advfirewall consec add rule name="IPSECtunnel" endpoint1=%workstationIpAddress%/%globalNetMask% endpoint2=%DeviceOtherIp%/%DeviceOtherNetmask% localtunnelendpoint=%workstationIpAddress% remotetunnelendpoint=%deviceIpAddress% action=requireinrequireout description="IPSECtunnel" mode=tunnel enable=yes type=static protocol=any auth1=computerpsk auth1psk=%YourPsk% qmpfs=none qmsecmethods=%encryptionMode%
echo IPSec configuration successfully set!

netsh advfirewall consec add rule name="IPSECtransport" endpoint1=%workstationIpAddress2% endpoint2=%deviceIpAddress% action=requireinrequireout description="IPSECtransport" mode=transport enable=yes type=static protocol=any auth1=computerpsk auth1psk=%YourPsk2% qmpfs=none qmsecmethods=%encryptionMode%
netsh advfirewall consec add rule name="IPSECpassthroughOPCUA" endpoint1=%workstationIpAddress2% endpoint2=%deviceIpAddress% action=noauthentication description="IPSECpassthroughOPCUA" mode=transport enable=yes type=static protocol=tcp port2=%opcuaPort%
netsh advfirewall consec add rule name="IPSECpassthroughHTTPS" endpoint1=%workstationIpAddress2% endpoint2=%deviceIpAddress% action=noauthentication description="IPSECpassthroughHTTPS" mode=transport enable=yes type=static protocol=tcp port2=443
netsh advfirewall consec add rule name="IPSECtunnel" endpoint1=%workstationIpAddress2%/%globalNetMask% endpoint2=%DeviceOtherIp%/%DeviceOtherNetmask% localtunnelendpoint=%workstationIpAddress2% remotetunnelendpoint=%deviceIpAddress% action=requireinrequireout description="IPSECtunnel" mode=tunnel enable=yes type=static protocol=any auth1=computerpsk auth1psk=%YourPsk2% qmpfs=none qmsecmethods=%encryptionMode%
echo IPSec configuration successfully set!

netsh advfirewall consec add rule name="IPSECtransport" endpoint1=%workstationIpAddress3% endpoint2=%deviceIpAddress% action=requireinrequireout description="IPSECtransport" mode=transport enable=yes type=static protocol=any auth1=computerpsk auth1psk=%YourPsk3% qmpfs=none qmsecmethods=%encryptionMode%
netsh advfirewall consec add rule name="IPSECpassthroughOPCUA" endpoint1=%workstationIpAddress3% endpoint2=%deviceIpAddress% action=noauthentication description="IPSECpassthroughOPCUA" mode=transport enable=yes type=static protocol=tcp port2=%opcuaPort%
netsh advfirewall consec add rule name="IPSECpassthroughHTTPS" endpoint1=%workstationIpAddress3% endpoint2=%deviceIpAddress% action=noauthentication description="IPSECpassthroughHTTPS" mode=transport enable=yes type=static protocol=tcp port2=443
netsh advfirewall consec add rule name="IPSECtunnel" endpoint1=%workstationIpAddress3%/%globalNetMask% endpoint2=%DeviceOtherIp%/%DeviceOtherNetmask% localtunnelendpoint=%workstationIpAddress3% remotetunnelendpoint=%deviceIpAddress% action=requireinrequireout description="IPSECtunnel" mode=tunnel enable=yes type=static protocol=any auth1=computerpsk auth1psk=%YourPsk3% qmpfs=none qmsecmethods=%encryptionMode%
echo IPSec configuration successfully set!

netsh advfirewall consec add rule name="IPSECtransport" endpoint1=%workstationIpAddress4% endpoint2=%deviceIpAddress% action=requireinrequireout description="IPSECtransport" mode=transport enable=yes type=static protocol=any auth1=computerpsk auth1psk=%YourPsk4% qmpfs=none qmsecmethods=%encryptionMode%
netsh advfirewall consec add rule name="IPSECpassthroughOPCUA" endpoint1=%workstationIpAddress4% endpoint2=%deviceIpAddress% action=noauthentication description="IPSECpassthroughOPCUA" mode=transport enable=yes type=static protocol=tcp port2=%opcuaPort%
netsh advfirewall consec add rule name="IPSECpassthroughHTTPS" endpoint1=%workstationIpAddress4% endpoint2=%deviceIpAddress% action=noauthentication description="IPSECpassthroughHTTPS" mode=transport enable=yes type=static protocol=tcp port2=443
netsh advfirewall consec add rule name="IPSECtunnel" endpoint1=%workstationIpAddress4%/%globalNetMask% endpoint2=%DeviceOtherIp%/%DeviceOtherNetmask% localtunnelendpoint=%workstationIpAddress4% remotetunnelendpoint=%deviceIpAddress% action=requireinrequireout description="IPSECtunnel" mode=tunnel enable=yes type=static protocol=any auth1=computerpsk auth1psk=%YourPsk4% qmpfs=none qmsecmethods=%encryptionMode%
echo IPSec configuration successfully set!

REM Print the rules to check them
netsh advfirewall consec show rule name=all verbose

exit

And yes I forgot to mention that there is also a P2P tunnel configured for each link, for example:

#Based on Tobias Brunner's suggestion (strongSwan issue 3175)
#Priorities of drop policies are lower than that of actually negotiated policies
conn 10.10.1.62-tunnel-P2P-drop # P2P drop policy
    type=drop
    left=10.10.1.54
    leftsubnet=10.10.1.54/32
    right=10.10.1.62
    rightsubnet=10.10.1.62/32[tcp/502]
    auto=route

Do you see something missing in Windows configuration regarding this "Quick Mode"?

#7 Updated by Tobias Brunner 28 days ago

And yes I forgot to mention that there is also a P2P tunnel configured for each link, for example:

[...]

That's not what I was referring to. There are IKEv2 *tunnel-P2P connections loaded and initiated.

Do you see something missing in Windows configuration regarding this "Quick Mode"?

No idea. May just be Windows doing crap. But IKEv1 is the worst anyway, so I really don't care.
