Bug #61
When recovering from DPD, firewall rules aren't added as necessary
Description
1. Node A and node B are connected and both have the appropriate firewall rules automatically added, through leftfirewall. The link is using DPD.
2. Node B dies without a proper shutdown procedure.
3. Node B is rebooted and comes up.
4. Node A triggers a DPD reconnection.
5. Node B reestablishes the connection but does not execute the updown script and no rules are added.
The nodes do remain connected but no traffic can pass through, due to the missing rules.
This is the log output from Node A, running OpenSwan:
Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #2: DPD: No response from peer - declaring peer dead Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #2: DPD: Restarting Connection Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: initiating Main Mode to replace #2 Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: ignoring unknown Vendor ID payload [af0a05e0bd37b0aba0135a194abb5b89] Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: received Vendor ID payload [XAUTH] Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: received Vendor ID payload [Dead Peer Detection] Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: received Vendor ID payload [RFC 3947] method set to=109 Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: enabling possible NAT-traversal with method 3 Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2 Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: STATE_MAIN_I2: sent MI2, expecting MR2 Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: NAT-Traversal: Result using 3: no NAT detected Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: I am sending my cert Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: I am sending a certificate request Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3 Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: STATE_MAIN_I3: sent MI3, expecting MR3 Sep 15 22:18:51 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: Main mode peer ID is ID_DER_ASN1_DN: 'C=SE, ST=SE, O=Spanga, CN=Solhem Wrt1' Sep 15 22:18:51 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: no crl from issuer "C=SE, ST=SE, O=Spanga, CN=spanga.intra" found (strict=no) Sep 15 22:18:51 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4 Sep 15 22:18:51 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp1024} Sep 15 22:18:51 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: Dead Peer Detection (RFC 3706): enabled
And Node B, which is running strongSwan U4.2.5/K2.6.25.16:
Sep 15 22:17:20 solhem-wrt1 authpriv.warn plutor1221: packet from 83.250.110.25:500: Informational Exchange is for an unknown (expired?) SA Sep 15 22:17:50 solhem-wrt1 authpriv.warn plutor1221: packet from 83.250.110.25:500: Informational Exchange is for an unknown (expired?) SA Sep 15 22:18:20 solhem-wrt1 authpriv.warn plutor1221: packet from 83.250.110.25:500: Informational Exchange is for an unknown (expired?) SA Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: packet from 83.250.110.25:500: Informational Exchange is for an unknown (expired?) SA Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: packet from 83.250.110.25:500: ignoring Vendor ID payload [4f457a7d4646466667725f65] Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: packet from 83.250.110.25:500: received Vendor ID payload [Dead Peer Detection] Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: packet from 83.250.110.25:500: received Vendor ID payload [RFC 3947] Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: packet from 83.250.110.25:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: packet from 83.250.110.25:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: packet from 83.250.110.25:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: "roadwarrior-wrt"r1 83.250.110.25 #3: responding to Main Mode from unknown peer 83.250.110.25 Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: "spanganet" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xed415af0) not found (maybe expired) Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: packet from 81.232.63.153:500: Informational Exchange is for an unknown (expired?) SA Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: "roadwarrior-wrt"r1 83.250.110.25 #3: NAT-Traversal: Result using RFC 3947: no NAT detected Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: "roadwarrior-wrt"r1 83.250.110.25 #3: Peer ID is ID_DER_ASN1_DN: 'C=SE, ST=SE, O=Spanga, OU=Spanga, CN=jock.liotta.info' Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: "roadwarrior-wrt"r1 83.250.110.25 #3: crl not found Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: "roadwarrior-wrt"r1 83.250.110.25 #3: certificate status unknown Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: "roadwarrior-wrt"r1 83.250.110.25 #3: crl not found Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: "roadwarrior-wrt"r1 83.250.110.25 #3: certificate status unknown Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: "roadwarrior-wrt"r2 83.250.110.25 #3: deleting connection "roadwarrior-wrt" instance with peer 83.250.110.25 {isakmp=#0/ipsec=#0} Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: "roadwarrior-wrt"r2 83.250.110.25 #3: we have a cert and are sending it upon request Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: "roadwarrior-wrt"r2 83.250.110.25 #3: sent MR3, ISAKMP SA established
Here is node B's ipsec.conf:
config setup interfaces=%defaultroute nat_traversal=yes # required on both ends uniqueids=yes # makes sense on client, not server hidetos=no conn %default authby=rsasig keyingtries=0 rekeymargin=5m rekeyfuzz=10% keyexchange=ike left=%defaultroute leftrsasigkey=%cert rightrsasigkey=%cert dpdtimeout=30 # keepalive must arrive within dpddelay=5 # secs before keepalives start compress=no # breaks double nat installations pfs=yes esp=aes128-sha1,3des-sha1 ike=aes128-sha-modp1024,3des-sha,3des-md5 conn roadwarrior-wrt leftcert=wrt1-spanga.cer leftsubnet=192.168.248.0/22 leftsourceip=192.168.251.1 leftfirewall=yes lefthostaccess=yes right=%any rightca="/C=SE/ST=SE/O=Spanga/CN=spanga.intra" rightsubnetwithin=192.168.0.0/16 dpdaction=clear auto=add
Looking through 'iptables -L' confirms that no firewall rules have been added to node B. If, however ipsec is restarted, then when node A reconnects the proper rules are added to iptables. This can be confirmed by adding a logger checkpoint in the updown script. It does not seem to execute when recovering from DPD.
History
#1 Updated by Martin Willi over 13 years ago
The necessary IP route is also missing from 'ip route list table 220', which should have been added by the updown script.
#2 Updated by Andreas Steffen about 9 years ago
- Description updated (diff)
- Category changed from starter to pluto
- Status changed from New to Closed
Closed because we don't support the pluto IKEv1 daemon any more.