From: John A. Sullivan III (John.Sullivan_at_nexusmgmt.com)
Date: Mon Oct 07 2002 - 13:46:36 CEST
Sorry about omitting the Free S/WAN details. I'm using 1.98b with x509
0.9.14 NAT-T 0.3, notify_delete 020724, and the aes patches.
Here is all the information for the PhaseII rekey problem. I've
attached two files. GNOCprob.all.tar.bz2 contains information pertinent
to all the issues. It contains a barf of the working configuration, as
well as all the files involved in the updown sequence.
The second file is GNOCprob.FailPhaseII.tar.bz2. It contains the barf
after the problem, the Sentinel IKE logs and an ethereal packet trace in
libpcap format. The sequence of events is as follows for this file:
1) stop ipsec
2) clear all logs
3) start the trace capturing all traffic on private segment to and from
Sentinel client
4) start ipsec
5) boot Win98
6) turn on Sentinel IKE logging
7) activate Sentinel VPN connection
8) successful ping to remote network
9) FreeS/WAN downs connection because it has not successfully rekeyed
10) stop ipsec
There is one missing log. I did enable auditing within Sentinel for
all IKE traffic. It shows packets flowing in and out when the session
is established between 192.168.110.121 (Sentinel client) and
192.168.110.7 (private address of FSW1). However, when FSW1 attempts to
rekey, we see a packet coming in from 24.52.141.246 (the public address
of FSW1) but no reply packet.
Again, in summary, it appears that the session is set up properly.
FreeS/WAN attempts to rekey on the private interface but uses the public
IP address. Sentinel does not recognize that rekey as belonging to any
VPN it knows about since the VPN connection it knows about is with the
private IP address. Sentinel doesn't respond to the rekey attempts.
Free S/WAN downs the connection when it cannot successfully rekey.
I have all the same information for the rekey problem but have not
attached it here. I thought it best to separate the problems plus I
suspect that the problem is that Free S/WAN is timing out the IPSec SA
according to the default lifetimes but is not rekeying. If the SAs
expire before Sentinel rekeys, the connection will go down. I'll retry
with long key lifetimes on the part of Free S/WAN with rekey=no and see
if that solves the problem.
Nonetheless, I'd still like to get to the bottom of why Free S/WAN
properly rekeys on the private interface but with the public address
even though left=privateip and leftnexthop=%direct. Once we solve that,
I won't have to worry about a workaround. Thanks - John
On Mon, 2002-10-07 at 01:41, Sam Sgro wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> On 3 Oct 2002, John A. Sullivan III wrote:
>
> I'm going to need a barf; details follow. You haven't specified what
> version of X.509/FreeS/WAN you are using, which will come out in that barf.
>
> > 1) rekey=no would seem to be a plausible workaround but does not work.
> > Why? Have I misunderstood its purpose? I thought it was supposed to stop
> > Free S/WAN from renegotiating Phase I and Phase II.
>
> - From the man page for ipsec_pluto:
>
> --dontrekey
> Do not initiate rekeying. This applies to Phase 1 and Phase 2.
> This is currently the only automatic way for a connection to
> terminate. It may be useful with Road Warrior or Opportunistic
> connections.
>
> The pluto behavior you are experiencing is aberrant.
>
> > 2) The original set up would work if Free S/WAN knew to rekey using the
> > appropriate interface IP address but it doesn't. Smells like a design
> > issue.
>
> This may be true.
>
> So, as to both points 1 and 2, let's see a very, very large barf. Turn
> both plutodebug=all and klipsdebug=all, so we can see the problem in action.
>
> For the time being, turn up ikelifetime to 8h, and use rekey=no. Your users
> should find that tolerable, I hope.
>
> - --
> Sam Sgro
> sam_at_freeswan.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3ia
> Charset: noconv
> Comment: For the matching public key, finger the Reply-To: address.
>
> iQCVAwUBPaEeeEOSC4btEQUtAQGtFgQA2wkSVeQFXdlnF0rCq7oti1SyIt4a1rlx
> T+rX05tFudOx0GkXmNkz7qxQsa2IPbR21t1wd9N9Zlme16fsX08Y19ageRFi5F1G
> TgmzJRW7bNPdQM/BbNb3r2Scdjo2UmkXvU9YNVQDlWj9Z1njCGENv+SFfRGz2cdH
> 8qY8MnSzja4=
> =ybeh
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
--
John A. Sullivan III
Group Technology Director
Nexus Management
+1 207-985-7880
John.Sullivan_at_nexusmgmt.com
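The symptom John describes (the gateway rekeys toward the client on the private segment but sources the packets from its public address, and the client never answers) can be checked mechanically from the packet trace. The script below is an added example and not code from the thread or from the FreeS/WAN project; it works on constructed tcpdump-style UDP/500 lines rather than the attached libpcap file, and the addresses are taken from the message (192.168.110.121 for the Sentinel client, 192.168.110.7 for the gateway's private address, 24.52.141.246 for its public address). It reports every IKE packet the gateway sent from an address other than its configured left= and every gateway-initiated exchange that got no reply.

```python
import re

# Constructed tcpdump-style lines (NOT the libpcap trace attached to the thread).
# Addresses follow the message: 192.168.110.121 is the Sentinel client,
# 192.168.110.7 the gateway's private address, 24.52.141.246 its public address.
SAMPLE_TRACE = """\
13:40:01.000 IP 192.168.110.121.500 > 192.168.110.7.500: isakmp: phase 1 I ident
13:40:01.050 IP 192.168.110.7.500 > 192.168.110.121.500: isakmp: phase 1 R ident
13:40:02.000 IP 192.168.110.121.500 > 192.168.110.7.500: isakmp: phase 2/others I oakley-quick
13:40:02.050 IP 192.168.110.7.500 > 192.168.110.121.500: isakmp: phase 2/others R oakley-quick
13:58:10.000 IP 24.52.141.246.500 > 192.168.110.121.500: isakmp: phase 2/others I oakley-quick
13:58:20.000 IP 24.52.141.246.500 > 192.168.110.121.500: isakmp: phase 2/others I oakley-quick
"""

CLIENT_IP = "192.168.110.121"
LEFT_IP = "192.168.110.7"                  # what left= is set to on the gateway
GATEWAY_IPS = {LEFT_IP, "24.52.141.246"}   # every address the gateway owns

# Matches the tcpdump isakmp summary format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.500 > (?P<dst>[\d.]+)\.500: "
    r"isakmp: phase (?P<phase>\S+) (?P<role>[IR]) (?P<exch>\S+)$"
)


def parse_trace(text):
    """Turn tcpdump-style UDP/500 lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append(m.groupdict())
    return packets


def wrong_source_packets(packets, gateway_ips, expected_left):
    """IKE packets the gateway sent from an address other than its configured left=."""
    return [p for p in packets if p["src"] in gateway_ips and p["src"] != expected_left]


def unanswered_initiations(packets, gateway_ips, client_ip):
    """Gateway-initiated exchanges the client never answered (no packet back to that source)."""
    answered_sources = {p["dst"] for p in packets if p["src"] == client_ip}
    return [
        p for p in packets
        if p["src"] in gateway_ips and p["dst"] == client_ip
        and p["role"] == "I" and p["src"] not in answered_sources
    ]


def diagnose(text, gateway_ips=GATEWAY_IPS, expected_left=LEFT_IP, client_ip=CLIENT_IP):
    """Run both checks over a trace and return the findings."""
    packets = parse_trace(text)
    return {
        "packets": len(packets),
        "wrong_source": wrong_source_packets(packets, gateway_ips, expected_left),
        "unanswered": unanswered_initiations(packets, gateway_ips, client_ip),
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_TRACE)
    for p in result["wrong_source"]:
        print(f"{p['ts']} gateway sent {p['exch']} from {p['src']} (left={LEFT_IP})")
    for p in result["unanswered"]:
        print(f"{p['ts']} no reply from {CLIENT_IP} to initiator {p['src']}")
```

On the sample trace the initial Phase 1 and Phase 2 exchanges come back clean (client initiates to 192.168.110.7 and gets answers), while both later quick-mode initiations are flagged twice over: wrong source address and no reply. Against a real capture, tcpdump -n -r trace.pcap udp port 500 produces lines of this shape; any packet in the "wrong_source" list is the one to correlate with the pluto log.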
This archive was generated by hypermail 2.1.5 : Tue Oct 08 2002 - 05:20:20 CEST