From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: IPsec default to rekey=no - tests
Date: Fri, 05 Jun 2015 16:30:26 +0200
Message-ID: <1433514626.27049.21.camel@ipfire.org>
In-Reply-To: <000c01d09f97$4b484550$e1d8cff0$@apolinarski.de>

Hello,

On Fri, 2015-06-05 at 15:55 +0200, Wolfgang Apolinarski wrote:
> Hi!
>
> I performed some tests with ipfire and the Windows VPN client (for the
> rekey=no issue). I usually use short-time VPN connections (<3 hours), so I
> did not recognize any problems.
>
> During the tests, I did not find any configuration that allowed me a stable
> VPN connection; all connections drop after 3-4 hours (IKE re-negotiation;
> CHILD_SA re-negotiation works fine). The problem could also be located in
> one of the used routers... If you have any suggestion on what configuration
> I should test as well, please let me know.

This clearly is the IKE re-negotiation. The messages in the log below suggest
that, and so does the configuration.

> My default configuration (1st try):
> conn WinAndroidVPN
>     left=%defaultroute
>     leftsubnet=0.0.0.0/0
>     leftfirewall=yes
>     lefthostaccess=yes
>     leftallowany=yes
>     leftcert=/var/ipfire/certs/hostcert.pem
>     ike=aes256-sha1-modp1024!
>     esp=aes256-sha1!
>     right=%any
>     keyexchange=ikev2
>     compress=yes
>     dpdaction=clear
>     dpddelay=30s
>     auto=add
>     rightsourceip=%dhcp
>     ikelifetime=4h
>     lifetime=2h
>     keylife=8h
>     rightcert=/var/ipfire/certs/WinAndroidVPNcert.pem
>
> The protocol for this config is located here: http://pastebin.com/iXjjp71R
>
> 2nd try changes:
>     ikelifetime=4h
>     lifetime=90m
> The protocol for the 2nd config is located here:
> http://pastebin.com/xyarBvub
>
> 3rd try changes:
>     rekey=no
>     ikelifetime=4h
>     lifetime=2h
> The protocol for the 3rd config is located here:
> http://pastebin.com/jmPNzxUX
>
> So, sorry, I was not able to find a stable connection and have no suggestion
> on how to change the default config such that a stable connection with
> Windows 7/8.1 is possible.

Have you tried to capture the packets on the client as well and check if the
IKE messages reach that system? strongSwan had some bugs/features? in the past
where it ignored IKE messages. Maybe that is the case in the Windows client - or
maybe that is something in the standard. That way we can at least make sure
that there is some other NAT router that is causing the problems...
Best,
-Michael

> Best regards,
> Wolfgang
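To see why the drops cluster at "3-4 hours", it helps to work out when strongSwan will try to renegotiate each SA for the quoted settings. The script below is an added example, not code from this thread or from the IPFire project. It assumes the ipsec.conf semantics as documented by strongSwan: an SA is deleted when its lifetime (ikelifetime for the IKE_SA, lifetime for the CHILD_SA) expires; with rekey=yes, renegotiation starts margintime before that, with margintime randomly increased by up to rekeyfuzz percent; with rekey=no, strongSwan never initiates a rekey and simply lets the SA expire. The defaults margintime=9m and rekeyfuzz=100% are assumed, and because the quoted conn sets both lifetime and its alias keylife, the example (an assumption of its own) takes lifetime when both are present. The conn values are copied from the 1st and 3rd try above; everything else is constructed.

```python
"""Model strongSwan ipsec.conf rekey and expiry timing for an IKEv2 conn.

Added example (not from the mail thread or IPFire). Assumed semantics:
  expiry      = lifetime (hard limit, SA is deleted)
  rekey start = somewhere in [lifetime - margintime*(1+rekeyfuzz),
                              lifetime - margintime]   (rekey=yes)
  rekey=no    = strongSwan never initiates, SA expires at lifetime
Assumed defaults: margintime=9m, rekeyfuzz=100%.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Unit multipliers for ipsec.conf time values ("4h", "90m", "30s"; bare = seconds).
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text: str) -> int:
    """Parse an ipsec.conf time value into seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", text)
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def fmt(seconds: int) -> str:
    """Render seconds as e.g. '3h42m' for readable output."""
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    parts = (f"{h}h" if h else "", f"{m}m" if m else "", f"{s}s" if s else "")
    return "".join(p for p in parts if p) or "0s"


@dataclass(frozen=True)
class SaTiming:
    name: str
    expiry: int                              # hard lifetime: SA is deleted here
    rekey_window: Optional[Tuple[int, int]]  # (earliest, latest) rekey start; None if rekey=no


def sa_timing(name: str, lifetime: str, margintime: str = "9m",
              rekeyfuzz: int = 100, rekey: bool = True) -> SaTiming:
    """Timing of one SA, seconds relative to its creation (assumed ipsec.conf semantics)."""
    lt = parse_duration(lifetime)
    mt = parse_duration(margintime)
    max_margin = mt + mt * rekeyfuzz // 100   # margintime after the maximum random increase
    if max_margin >= lt:
        raise ValueError(f"{name}: margintime after fuzz ({fmt(max_margin)}) "
                         f"must stay below lifetime ({fmt(lt)})")
    if not rekey:
        return SaTiming(name, lt, None)       # rekey=no: no attempt, plain expiry
    return SaTiming(name, lt, (lt - max_margin, lt - mt))


def conn_timings(conf: Dict[str, str]) -> List[SaTiming]:
    """IKE_SA and CHILD_SA timings for a conn section given as a dict of ipsec.conf keys.
    'keylife' is an alias of 'lifetime'; this example prefers 'lifetime' when both are set."""
    rekey = conf.get("rekey", "yes").lower() != "no"
    margin = conf.get("margintime", "9m")
    fuzz = int(conf.get("rekeyfuzz", "100%").rstrip("%"))
    child_life = conf.get("lifetime", conf.get("keylife", "1h"))
    return [
        sa_timing("IKE_SA", conf.get("ikelifetime", "3h"), margin, fuzz, rekey),
        sa_timing("CHILD_SA", child_life, margin, fuzz, rekey),
    ]


def events_between(timings: List[SaTiming], start: int, end: int):
    """(name, event, when) for rekey windows overlapping [start, end] and expiries inside it."""
    out = []
    for t in timings:
        if t.rekey_window and t.rekey_window[0] <= end and t.rekey_window[1] >= start:
            out.append((t.name, "rekey", t.rekey_window))
        if start <= t.expiry <= end:
            out.append((t.name, "expiry", t.expiry))
    return out


# Constructed from the quoted conn: only the keys this model uses.
FIRST_TRY = {"ikelifetime": "4h", "lifetime": "2h", "keylife": "8h"}
THIRD_TRY = {"rekey": "no", "ikelifetime": "4h", "lifetime": "2h"}

if __name__ == "__main__":
    for label, conf in (("1st try", FIRST_TRY), ("3rd try (rekey=no)", THIRD_TRY)):
        print(label)
        for t in conn_timings(conf):
            win = "no rekey attempt" if t.rekey_window is None else \
                f"rekey between {fmt(t.rekey_window[0])} and {fmt(t.rekey_window[1])}"
            print(f"  {t.name:8s} {win}, expiry at {fmt(t.expiry)}")
        print("  events in the 3h-4h window:",
              [(n, e) for n, e, _ in events_between(conn_timings(conf), 3 * 3600, 4 * 3600)])
```

For the 1st-try values the model puts the IKE_SA renegotiation between 3h42m and 3h51m after the SA came up, with the hard expiry at 4h, which is exactly the "3-4 hours" window in which the connections drop; the CHILD_SA rekey falls around 1h42m to 1h51m and is not in that window. With rekey=no the IKE_SA is not renegotiated at all and is deleted at 4h, so a tunnel that needs to outlive ikelifetime still ends, just without the rekey exchange. Whether the rekey messages actually reach the Windows client, as Michael asks, is something only a capture on the client side can answer.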