[prev in list] [next in list] [prev in thread] [next in thread] 

List:       strongswan-users
Subject:    Re: [strongSwan] Help!  Problem with Phase 2 SA lifetimes
From:       Charles Gordon <diginetsilicon () hotmail ! com>
Date:       2007-07-03 14:14:33
Message-ID: BAY106-W293F9A7949A36BA44F897CE0C0 () phx ! gbl
[Download RAW message or body]


One more time...Hi,I’m trying to debug an issue with strongSwan 2.8 and the Digi VPN \
server.  The Digi VPN server uses Treck IPSEC.  It appears that the StrongSwan agrees \
to use one phase 2 lifetime, but actuallyuses a different one.  The Digi VPN is \
configured to use 5400seconds for the phase 2 lifetime, and the StrongSwan is \
configuredto use 123 seconds.  The Digi initiates the connection and a 123 second \
lifetime is negotiated at first.  When more data istransmitted from the Digi side \
after the first lifetime expires,the Digi side renegotiates the phase 2 lifetime.  \
The Digi VPN attempts to negotiate a 5400 second lifetime again since that iswhat it \
is configured to use.  This time the StrongSwan sends backa message agreeing to the \
5400 second lifetime.  However, it doesnot use this lifetime value.  Instead, it \
times out the phase 2 connection after 123 seconds.I pasted a section of the \
StrongSwan's log below, with interestingsections marked with **** at the beginning.  \
You can see where itgets the 5400 second proposal from the Digi box, and then \
sendsback a reply agreeing to it, even though it is configured to use123 seconds. Jun \
21 15:35:16 : | parsing 4 raw bytes of ISAKMP Proposal Payload into SPIJun 21 \
15:35:16 : | SPI  6c a5 bb c4Jun 21 15:35:16 : | *****parse ISAKMP Transform Payload \
(ESP):Jun 21 15:35:16 : |    next payload type: ISAKMP_NEXT_NONEJun 21 15:35:16 : |   \
length: 40Jun 21 15:35:16 : |    transform number: 1Jun 21 15:35:16 : |    transform \
ID: ESP_3DESJun 21 15:35:16 : | ******parse ISAKMP IPsec DOI attribute:Jun 21 \
15:35:16 : |    af+type: SA_LIFE_TYPEJun 21 15:35:16 : |    length/value: 1Jun 21 \
15:35:16 : |    [1 is SA_LIFE_TYPE_SECONDS]**** Jun 21 15:35:16 : | ******parse \
ISAKMP IPsec DOI attribute:**** Jun 21 15:35:16 : |    af+type: SA_LIFE_DURATION**** \
Jun 21 15:35:16 : |    length/value: 5400Jun 21 15:35:16 : | ******parse ISAKMP IPsec \
DOI attribute:Jun 21 15:35:16 : |    af+type: SA_LIFE_TYPEJun 21 15:35:16 : |    \
length/value: 2Jun 21 15:35:16 : |    [2 is SA_LIFE_TYPE_KBYTES]Jun 21 15:35:16 : | \
******parse ISAKMP IPsec DOI attribute:Jun 21 15:35:16 : |    af+type: \
SA_LIFE_DURATION (variable length)Jun 21 15:35:16 : |    length/value: 4Jun 21 \
15:35:16 : |    long duration: 4194303Jun 21 15:35:16 : | ******parse ISAKMP IPsec \
DOI attribute:Jun 21 15:35:16 : |    af+type: ENCAPSULATION_MODEJun 21 15:35:16 : |   \
length/value: 1Jun 21 15:35:16 : |    [1 is ENCAPSULATION_MODE_TUNNEL]Jun 21 15:35:16 \
: | ******parse ISAKMP IPsec DOI attribute:Jun 21 15:35:16 : |    af+type: \
AUTH_ALGORITHMJun 21 15:35:16 : |    length/value: 1Jun 21 15:35:16 : |    [1 is \
AUTH_ALGORITHM_HMAC_MD5]Jun 21 15:35:16 : | ******parse ISAKMP IPsec DOI \
attribute:Jun 21 15:35:16 : |    af+type: GROUP_DESCRIPTIONJun 21 15:35:16 : |    \
length/value: 5Jun 21 15:35:16 : |    [5 is OAKLEY_GROUP_MODP1536]Jun 21 15:35:16 : | \
kernel_alg_esp_enc_ok(3,0): alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, \
res=0, ret=1Jun 21 15:35:16 : | kernel_alg_esp_enc_keylen():alg_id=3, keylen=24Jun 21 \
15:35:16 : | ****emit IPsec DOI SIT:Jun 21 15:35:16 : |    IPsec DOI SIT: \
SIT_IDENTITY_ONLYJun 21 15:35:16 : | ****emit ISAKMP Proposal Payload:Jun 21 15:35:16 \
: |    next payload type: ISAKMP_NEXT_NONEJun 21 15:35:16 : |    proposal number: \
1Jun 21 15:35:16 : |    protocol ID: PROTO_IPSEC_ESPJun 21 15:35:16 : |    SPI size: \
4Jun 21 15:35:16 : |    number of transforms: 1Jun 21 15:35:16 : | netlink_get_spi: \
allocated 0x5b23bd06 for esp.0@217.91.93.51Jun 21 15:35:16 : | emitting 4 raw bytes \
of SPI into ISAKMP Proposal PayloadJun 21 15:35:16 : | SPI  5b 23 bd 06Jun 21 \
15:35:16 : | *****emit ISAKMP Transform Payload (ESP):Jun 21 15:35:16 : |    next \
payload type: ISAKMP_NEXT_NONEJun 21 15:35:16 : |    transform number: 1Jun 21 \
15:35:16 : |    transform ID: ESP_3DESJun 21 15:35:16 : | emitting 32 raw bytes of \
attributes into ISAKMP Transform Payload (ESP)***** Jun 21 15:35:16 : | attributes  \
80 01 00 01  80 02 15 18  80 01 00 02  00 02 00 04Jun 21 15:35:16 : |   00 3f ff ff  \
80 04 00 01  80 05 00 01  80 03 00 05Jun 21 15:35:16 : | emitting length of ISAKMP \
Transform Payload (ESP): 40 At this point, the Digi box thinks it has negotiated an \
SA lifetime of 5400 seconds.  However, the strongSwan times out the SA in 123 \
seconds. Has anyone run into this problem before?  Is there a fix for it? Also, can \
anyone point me towards documentation for the configuration options in ipsec.conf?  \
I’d especially like to know exactly what the options related to SA timeouts and \
rekeying do.  _________________________________________________________________
See what you’re getting into…before you go there.
http://newlivehotmail.com
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic