List: strongswan-users
Subject: [strongSwan] Help: recurring network loss between hosts
From: "teq1uila-strongswan () yahoo ! com" <teq1uila-strongswan () yahoo ! com>
Date: 2019-05-09 8:57:22
Message-ID: 2123264214.10407944.1557392242503 () mail ! yahoo ! com
Hello,
I've been using strongswan for a couple of years now, and I'm facing a recurring strange behavior, very difficult to track as I'm not that fluent in IPsec configuration.
The network often goes down between hosts, without any reason, and not always in both ways (host1=>host2 may stop working, with host2=>host1 still working). The only solution I found is to restart strongswan on all servers, but I'm sure this is a very bad solution :)
If someone can have a rapid look at the following in case something is so evident I should have noticed it... I'm also interested in a way to analyze the situation, if it helps.
My goal is to have specific hosts communicating together with IPsec encryption.
Let's say with 3 hosts host1, host2 and host3:
- host1 <=> host2 encrypted
- host1 <=> host3 encrypted
- host2 <=> host3 encrypted
All hosts have 2 network cards, one connected to the network (192.*), and one on a private network (10.*).
NOTE: due to a required compatibility with Windows, I'm still using IKEv1 and not v2.
To achieve this, I've just installed strongswan (strongswan-5.6.1-2.el7.x86_64) on all servers, generated a certificate for each host (from a common CA), and configured the ipsec.conf and ipsec.secrets files. All configuration files are the same on all 3 servers, changing only the corresponding IP and host names, of course.
- /etc/strongswan/ipsec.d/cacerts/ca.crt : the CA
- /etc/strongswan/ipsec.d/certs/server.crt : the host public key
- /etc/strongswan/ipsec.d/private/server.key : the host private key
- /etc/strongswan/ipsec.secrets
> RSA server.key
- /etc/strongswan/ipsec.conf (for host1)
config setup
    uniqueids = no

conn "AutoConfig Enc host1"
    auto=ignore
    type=transport
    keyexchange=ikev1
    authby=rsasig
    ike=aes256-sha256-modp2048!
    esp=aes256gcm128-aes256gmac-modp2048!
    ikelifetime=8h
    lifetime=1h
    lifebytes=10000000000
    leftcert=server-host1.crt
    leftid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host1, E=user@host.com"

conn "AutoConfig Enc host1-1"
    auto=ignore
    type=transport
    keyexchange=ikev1
    authby=rsasig
    ike=aes256-sha256-modp2048!
    esp=aes256gcm128-aes256gmac-modp2048!
    ikelifetime=8h
    lifetime=1h
    lifebytes=10000000000
    leftcert=server-host1-1.crt
    leftid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host1-1, E=user@host.com"

conn "AutoConfig tcp host1:* <-> host2:*"
    also="AutoConfig Enc host1"
    auto=route
    left=190.0.0.1
    leftsubnet=190.0.0.1[tcp/%any]
    right=190.0.0.2
    rightsubnet=190.0.0.2[tcp/%any]
    rightid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host2, E=user@host.com"

conn "AutoConfig tcp host1:* <-> host3:*"
    also="AutoConfig Enc host1"
    auto=route
    left=190.0.0.1
    leftsubnet=190.0.0.1[tcp/%any]
    right=190.0.0.3
    rightsubnet=190.0.0.3[tcp/%any]
    rightid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host3, E=user@host.com"

conn "AutoConfig tcp host1-1:* <-> host2-1:*"
    also="AutoConfig Enc host1-1"
    auto=route
    left=10.0.0.1
    leftsubnet=10.0.0.1[tcp/%any]
    right=10.0.0.2
    rightsubnet=10.0.0.2[tcp/%any]
    rightid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host2-1, E=user@host.com"

conn "AutoConfig tcp host1-1:* <-> host3-1:*"
    also="AutoConfig Enc host1-1"
    auto=route
    left=10.0.0.1
    leftsubnet=10.0.0.1[tcp/%any]
    right=10.0.0.3
    rightsubnet=10.0.0.3[tcp/%any]
    rightid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host3-1, E=user@host.com"
# iptables -S (for host1)
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -s 190.0.0.2/32 -d 190.0.0.1/32 -p tcp -m state --state NEW -m tcp -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -s 190.0.0.3/32 -d 190.0.0.1/32 -p tcp -m state --state NEW -m tcp -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -s 10.0.0.2/32 -d 10.0.0.1/32 -p tcp -m state --state NEW -m tcp -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -s 10.0.0.3/32 -d 10.0.0.1/32 -p tcp -m state --state NEW -m tcp -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
Many thanks,
Christian
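One way to start analyzing a setup like this, as an added example that is not from the original post or from strongSwan itself: a small Python check that resolves the `also=` inheritance in ipsec.conf and verifies that every `auto=route` peer has a matching `-m policy --dir in --pol ipsec` INPUT rule toward this host, because with the trailing REJECT rule a peer missing from that list is refused new TCP connections in one direction only, while the tunnel itself stays up. The ipsec.conf and iptables samples inside are constructed from the post's configuration, with the host3 rule removed on purpose.

```python
import re
# Constructed samples in the shape of the post's ipsec.conf and iptables -S;
# the host3 rule is left out of the iptables sample so the check reports it.
IPSEC_CONF = """
conn "AutoConfig Enc host1"
    auto=ignore
    type=transport
conn "AutoConfig tcp host1:* <-> host2:*"
    also="AutoConfig Enc host1"
    auto=route
    left=190.0.0.1
    right=190.0.0.2
conn "AutoConfig tcp host1:* <-> host3:*"
    also="AutoConfig Enc host1"
    auto=route
    left=190.0.0.1
    right=190.0.0.3
"""
IPTABLES_S = """
-A INPUT -s 190.0.0.2/32 -d 190.0.0.1/32 -p tcp -m state --state NEW -m tcp -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def parse_conns(text):
    """Map conn name -> {key: value}; lines before the first conn are ignored."""
    conns, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r'conn\s+"?(.+?)"?\s*$', line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            k, v = line.split("=", 1)
            cur[k.strip()] = v.strip().strip('"')
    return conns

def resolve(conns, name):
    """Apply also= inheritance: the conn's own keys override the parent's."""
    own = dict(conns[name])
    merged = resolve(conns, own.pop("also")) if "also" in own else {}
    return {**merged, **own}

def policy_accept_pairs(text):
    """(src, dst) of INPUT rules that accept NEW TCP only when IPsec-protected."""
    rule = re.compile(r"-A INPUT -s (\S+)/32 -d (\S+)/32 .*--dir in --pol ipsec")
    return {m.groups() for m in map(rule.search, text.splitlines()) if m}

def uncovered_peers(ipsec_conf, iptables_s):
    """Routed conns whose peer has no policy-match INPUT rule toward this host."""
    conns, pairs = parse_conns(ipsec_conf), policy_accept_pairs(iptables_s)
    full = {n: resolve(conns, n) for n in conns}
    return [(n, c["right"]) for n, c in full.items()
            if c.get("auto") == "route" and (c["right"], c["left"]) not in pairs]
```

Run it against the real /etc/strongswan/ipsec.conf and the output of `iptables -S` on each host; an empty list means the firewall covers every routed peer, and any entry names the conn and the peer address to look at first.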