
List:       strongswan-users
Subject:    [strongSwan] Help: recurring network loss between hosts
From:       "teq1uila-strongswan () yahoo ! com" <teq1uila-strongswan () yahoo ! com>
Date:       2019-05-09 8:57:22
Message-ID: 2123264214.10407944.1557392242503 () mail ! yahoo ! com

Hello,

I've been using strongswan for a couple of years now, and I'm facing a recurring strange behaviour that is very difficult to track down, as I'm not that fluent in IPSEC configuration.

The network often goes down between hosts, without any reason, and not always in both directions (host1=>host2 may stop working, with host2=>host1 still working). The only solution I have found is to restart strongswan on all servers, but I'm sure this is a very bad solution :)

If someone could have a quick look at the following in case something is so evident that I should have noticed it... I'm also interested in a way to analyze the situation, if it helps.

My goal is to have specific hosts communicating together with IPSEC encryption.
Let's say with 3 hosts host1, host2 and host3:
- host1 <=> host2 encrypted
- host1 <=> host3 encrypted
- host2 <=> host3 encrypted
All hosts have 2 network cards, one connected to the network (192.*), and one on a private network (10.*).

NOTE: due to a required compatibility with Windows, I'm still using IKEv1 and not v2.

To achieve this, I've just installed strongswan (strongswan-5.6.1-2.el7.x86_64) on all servers, generated a certificate for each host (from a common CA), and configured the ipsec.conf and ipsec.secrets files. All configuration files are the same on all 3 servers, changing only the corresponding IP addresses and host names, of course.
- /etc/strongswan/ipsec.d/cacerts/ca.crt : the CA
- /etc/strongswan/ipsec.d/certs/server.crt : the host public key
- /etc/strongswan/ipsec.d/private/server.key : the host private key
- /etc/strongswan/ipsec.secrets
    : RSA server.key
- /etc/strongswan/ipsec.conf (for host1)
config setup
            uniqueids = no
conn "AutoConfig Enc host1"
            auto=ignore
            type=transport
            keyexchange=ikev1
            authby=rsasig
            ike=aes256-sha256-modp2048!
            esp=aes256gcm128-aes256gmac-modp2048!
            ikelifetime=8h
            lifetime=1h
            lifebytes=10000000000
            leftcert=server-host1.crt
            leftid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host1, E=user@host.com"
conn "AutoConfig Enc host1-1"
            auto=ignore
            type=transport
            keyexchange=ikev1
            authby=rsasig
            ike=aes256-sha256-modp2048!
            esp=aes256gcm128-aes256gmac-modp2048!
            ikelifetime=8h
            lifetime=1h
            lifebytes=10000000000
            leftcert=server-host1-1.crt
            leftid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host1-1, E=user@host.com"
conn "AutoConfig tcp host1:* <-> host2:*"
            also="AutoConfig Enc host1"
            auto=route
            left=190.0.0.1
            leftsubnet=190.0.0.1[tcp/%any]
            right=190.0.0.2
            rightsubnet=190.0.0.2[tcp/%any]
            rightid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host2, E=user@host.com"
conn "AutoConfig tcp host1:* <-> host3:*"
            also="AutoConfig Enc host1"
            auto=route
            left=190.0.0.1
            leftsubnet=190.0.0.1[tcp/%any]
            right=190.0.0.3
            rightsubnet=190.0.0.3[tcp/%any]
            rightid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host3, E=user@host.com"
conn "AutoConfig tcp host1-1:* <-> host2-1:*"
            also="AutoConfig Enc host1-1"
            auto=route
            left=10.0.0.1
            leftsubnet=10.0.0.1[tcp/%any]
            right=10.0.0.2
            rightsubnet=10.0.0.2[tcp/%any]
            rightid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host2-1, E=user@host.com"
conn "AutoConfig tcp host1-1:* <-> host3-1:*"
            also="AutoConfig Enc host1-1"
            auto=route
            left=10.0.0.1
            leftsubnet=10.0.0.1[tcp/%any]
            right=10.0.0.3
            rightsubnet=10.0.0.3[tcp/%any]
            rightid="C=fr, ST=fr, L=fr, O=fr, OU=fr, CN=host3-1, E=user@host.com"

# iptables -S (for host1)
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -s 190.0.0.2/32 -d 190.0.0.1/32 -p tcp -m state --state NEW -m tcp -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -s 190.0.0.3/32 -d 190.0.0.1/32 -p tcp -m state --state NEW -m tcp -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -s 10.0.0.2/32 -d 10.0.0.1/32 -p tcp -m state --state NEW -m tcp -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -s 10.0.0.3/32 -d 10.0.0.1/32 -p tcp -m state --state NEW -m tcp -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

Many thanks,
Christian
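One way to analyze a one-directional outage like the one described above is to check, on the affected host, whether every XFRM policy that strongSwan installed (one per direction, `auto=route` installs them as trap policies) still has a kernel SA behind it. A `dir out` policy without an SA means outbound packets are held or dropped while the kernel asks the daemon to negotiate; a `dir in` policy without an SA means inbound ESP is dropped as unknown, while the opposite direction can keep working on its own SA. The script below is an added example, not part of Christian's post or of strongSwan: it pairs the output of `ip xfrm policy` with `ip xfrm state` by template (src, dst, reqid) and lists the policies left without an SA. The two embedded samples are constructed in the shape of those commands' output for host1 (addresses from the post, SPIs and priorities made up) and show host1->host3 with its outbound SA missing.

```python
"""Pair XFRM policies with XFRM SAs to find directions with no working SA.

On a live host (constructed usage, run as root):
    ip xfrm policy > policy.txt; ip xfrm state > state.txt
    python3 xfrm_gaps.py policy.txt state.txt
With no arguments the constructed samples below are used.
"""
import re
import sys

# Constructed sample in the shape of `ip xfrm policy` output for host1.
SAMPLE_POLICY = """\
src 190.0.0.1/32 dst 190.0.0.2/32 proto tcp
    dir out priority 367231 ptype main
    tmpl src 190.0.0.1 dst 190.0.0.2
        proto esp reqid 1 mode transport
src 190.0.0.2/32 dst 190.0.0.1/32 proto tcp
    dir in priority 367231 ptype main
    tmpl src 190.0.0.2 dst 190.0.0.1
        proto esp reqid 1 mode transport
src 190.0.0.1/32 dst 190.0.0.3/32 proto tcp
    dir out priority 367231 ptype main
    tmpl src 190.0.0.1 dst 190.0.0.3
        proto esp reqid 2 mode transport
src 190.0.0.3/32 dst 190.0.0.1/32 proto tcp
    dir in priority 367231 ptype main
    tmpl src 190.0.0.3 dst 190.0.0.1
        proto esp reqid 2 mode transport
"""

# Constructed sample in the shape of `ip xfrm state` output: host1<->host2 has
# both SAs, host1<->host3 only has the inbound one (outbound SA is gone).
SAMPLE_STATE = """\
src 190.0.0.1 dst 190.0.0.2
    proto esp spi 0x0a000001 reqid 1 mode transport
    replay-window 0 flag af-unspec
    aead rfc4106(gcm(aes)) 0x00 128
    sel src 190.0.0.1/32 dst 190.0.0.2/32 proto tcp
src 190.0.0.2 dst 190.0.0.1
    proto esp spi 0x0a000002 reqid 1 mode transport
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0x00 128
    sel src 190.0.0.2/32 dst 190.0.0.1/32 proto tcp
src 190.0.0.3 dst 190.0.0.1
    proto esp spi 0x0a000003 reqid 2 mode transport
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0x00 128
    sel src 190.0.0.3/32 dst 190.0.0.1/32 proto tcp
"""

# Header of a policy or SA entry (entries start at column 0; "sel src" lines do not).
HEAD = re.compile(r"^src (\S+) dst (\S+)(?: proto (\S+))?")
DIR_LINE = re.compile(r"^\s*dir (in|out|fwd)")
TMPL_LINE = re.compile(r"^\s*tmpl src (\S+) dst (\S+)")
# Matches both the policy template line (no spi) and the SA line (with spi).
PROTO_LINE = re.compile(r"^\s*proto (\S+) (?:spi (\S+) )?reqid (\d+) mode (\S+)")


def parse_policies(text):
    """Return a list of policies: selector, direction and template (src, dst, reqid)."""
    policies, cur = [], None
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            cur = {"sel_src": m.group(1), "sel_dst": m.group(2),
                   "proto": m.group(3) or "any", "dir": None, "tmpl": None}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIR_LINE.match(line)
        if m:
            cur["dir"] = m.group(1)
            continue
        m = TMPL_LINE.match(line)
        if m:
            cur["tmpl"] = [m.group(1), m.group(2), None]
            continue
        m = PROTO_LINE.match(line)
        if m and cur["tmpl"] is not None:
            cur["tmpl"][2] = int(m.group(3))
    return policies


def parse_states(text):
    """Return the set of (src, dst, reqid) for every installed SA."""
    sas, cur = set(), None
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            cur = (m.group(1), m.group(2))
            continue
        m = PROTO_LINE.match(line)
        # Only lines carrying an SPI are SAs; a policy template has none.
        if m and cur is not None and m.group(2) is not None:
            sas.add((cur[0], cur[1], int(m.group(3))))
    return sas


def find_gaps(policies, sas):
    """Policies whose template has no SA: that direction cannot carry traffic."""
    return [p for p in policies
            if p["tmpl"] is not None and p["tmpl"][2] is not None
            and tuple(p["tmpl"]) not in sas]


def report(policy_text, state_text):
    """Human-readable summary, one line per policy left without an SA."""
    policies = parse_policies(policy_text)
    sas = parse_states(state_text)
    gaps = find_gaps(policies, sas)
    lines = ["%d policies, %d SAs, %d policies without an SA"
             % (len(policies), len(sas), len(gaps))]
    for p in gaps:
        lines.append("  dir %s: %s -> %s proto %s (template %s -> %s reqid %d)"
                     % (p["dir"], p["sel_src"], p["sel_dst"], p["proto"],
                        p["tmpl"][0], p["tmpl"][1], p["tmpl"][2]))
    return lines


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_pol, open(sys.argv[2]) as f_st:
            print("\n".join(report(f_pol.read(), f_st.read())))
    else:
        print("\n".join(report(SAMPLE_POLICY, SAMPLE_STATE)))
```

Run on the host that cannot send (here host1 for host1=>host3): a listed `dir out` gap while the matching `dir in` policy still has its SA is the kernel-side picture of the symptom in the post, and it points at what to look for next in the charon log on both peers (the rekey or expiry of that one SA, and whether a new negotiation was triggered). With only `dir in` gaps the picture is mirrored on the peer. Comparing the `reqid` numbers with `strongswan statusall` on the same host ties each gap back to one of the `AutoConfig` conn entries.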

