Project

General

Profile

Bug #61

Updated by Andreas Steffen over 8 years ago

1. Node A and node B are connected and both have the appropriate firewall rules automatically added, through leftfirewall. The link is using DPD.

2. Node B dies without a proper shutdown procedure.

3. Node B is rebooted and comes up.

4. Node A triggers a DPD reconnection.

5. Node B reestablishes the connection but does not execute the updown script and no rules are added.

The nodes do remain connected but no traffic can pass through, due to the missing rules.

This is the log output from Node A, running [[OpenSwan]]:

<pre>

Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #2: DPD: No response from peer - declaring peer dead
Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #2: DPD: Restarting Connection
Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: initiating Main Mode to replace #2
Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: ignoring unknown Vendor ID payload [af0a05e0bd37b0aba0135a194abb5b89]
Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: received Vendor ID payload [XAUTH]
Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: received Vendor ID payload [Dead Peer Detection]
Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: received Vendor ID payload [RFC 3947] method set to=109
Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: enabling possible NAT-traversal with method 3
Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: NAT-Traversal: Result using 3: no NAT detected
Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: I am sending my cert
Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: I am sending a certificate request
Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 15 22:18:50 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 15 22:18:51 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: Main mode peer ID is ID_DER_ASN1_DN: 'C=SE, ST=SE, O=Spanga, CN=Solhem Wrt1'
Sep 15 22:18:51 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: no crl from issuer "C=SE, ST=SE, O=Spanga, CN=spanga.intra" found (strict=no)
Sep 15 22:18:51 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Sep 15 22:18:51 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp1024}
Sep 15 22:18:51 (none) kern.warn plutor23033: "solhemnet-jockenet" #5: Dead Peer Detection (RFC 3706): enabled
</pre>



And Node B, which is running strongSwan U4.2.5/K2.6.25.16:

<pre>

Sep 15 22:17:20 solhem-wrt1 authpriv.warn plutor1221: packet from 83.250.110.25:500: Informational Exchange is for an unknown (expired?) SA
Sep 15 22:17:50 solhem-wrt1 authpriv.warn plutor1221: packet from 83.250.110.25:500: Informational Exchange is for an unknown (expired?) SA
Sep 15 22:18:20 solhem-wrt1 authpriv.warn plutor1221: packet from 83.250.110.25:500: Informational Exchange is for an unknown (expired?) SA
Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: packet from 83.250.110.25:500: Informational Exchange is for an unknown (expired?) SA
Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: packet from 83.250.110.25:500: ignoring Vendor ID payload [4f457a7d4646466667725f65]
Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: packet from 83.250.110.25:500: received Vendor ID payload [Dead Peer Detection]
Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: packet from 83.250.110.25:500: received Vendor ID payload [RFC 3947]
Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: packet from 83.250.110.25:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: packet from 83.250.110.25:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: packet from 83.250.110.25:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: "roadwarrior-wrt"r1 83.250.110.25 #3: responding to Main Mode from unknown peer 83.250.110.25
Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: "spanganet" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xed415af0) not found (maybe expired)
Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: packet from 81.232.63.153:500: Informational Exchange is for an unknown (expired?) SA
Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: "roadwarrior-wrt"r1 83.250.110.25 #3: NAT-Traversal: Result using RFC 3947: no NAT detected
Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: "roadwarrior-wrt"r1 83.250.110.25 #3: Peer ID is ID_DER_ASN1_DN: 'C=SE, ST=SE, O=Spanga, OU=Spanga, CN=jock.liotta.info'
Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: "roadwarrior-wrt"r1 83.250.110.25 #3: crl not found
Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: "roadwarrior-wrt"r1 83.250.110.25 #3: certificate status unknown
Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: "roadwarrior-wrt"r1 83.250.110.25 #3: crl not found
Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: "roadwarrior-wrt"r1 83.250.110.25 #3: certificate status unknown
Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: "roadwarrior-wrt"r2 83.250.110.25 #3: deleting connection "roadwarrior-wrt" instance with peer 83.250.110.25 {isakmp=#0/ipsec=#0}
Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: "roadwarrior-wrt"r2 83.250.110.25 #3: we have a cert and are sending it upon request
Sep 15 22:18:50 solhem-wrt1 authpriv.warn plutor1221: "roadwarrior-wrt"r2 83.250.110.25 #3: sent MR3, ISAKMP SA established
</pre>



Here is node B's ipsec.conf:

<pre>

config setup
interfaces=%defaultroute
nat_traversal=yes # required on both ends
uniqueids=yes # makes sense on client, not server
hidetos=no

conn %default
authby=rsasig
keyingtries=0
rekeymargin=5m
rekeyfuzz=10%
keyexchange=ike
left=%defaultroute
leftrsasigkey=%cert
rightrsasigkey=%cert
dpdtimeout=30 # keepalive must arrive within
dpddelay=5 # secs before keepalives start
compress=no # breaks double nat installations
pfs=yes
esp=aes128-sha1,3des-sha1
ike=aes128-sha-modp1024,3des-sha,3des-md5

conn roadwarrior-wrt
leftcert=wrt1-spanga.cer
leftsubnet=192.168.248.0/22
leftsourceip=192.168.251.1
leftfirewall=yes
lefthostaccess=yes
right=%any
rightca="/C=SE/ST=SE/O=Spanga/CN=spanga.intra"
rightsubnetwithin=192.168.0.0/16
dpdaction=clear
auto=add

</pre>



Looking through 'iptables -L' confirms that no firewall rules have been added to node B. If, however ipsec is restarted, then when node A reconnects the proper rules are added to iptables. This can be confirmed by adding a logger checkpoint in the updown script. It does not seem to execute when recovering from DPD.

Back