2.13 Core 65 and 66 IPSec connection breaks down after one hour

Help on building IPFire & Feature Requests
AngelKing
Posts: 25
Joined: January 26th, 2012, 9:58 am

2.13 Core 65 and 66 IPSec connection breaks down after one hour

Post by AngelKing » February 11th, 2013, 10:10 am

Hello,

I upgraded IPFire from 2.11 Core 65 to 2.13 Core 65. After this upgrade everything works fine, but my IPSec VPN to a Cisco VPN server breaks down after one hour. I've solved this with a workaround that restarts the IPSec connections if the host behind the tunnel is not reachable.

Before this upgrade I had no problems with the VPN. Is the problem already known?

Thanks a lot!
Last edited by AngelKing on February 21st, 2013, 9:28 am, edited 1 time in total.

Jan_B
Posts: 83
Joined: June 28th, 2011, 10:43 am
Location: Bremen

Re: 2.13 Core 65 IPSec connection breaks down after one hour

Post by Jan_B » February 11th, 2013, 4:55 pm

Hi,

I encountered the same problems, also with a Cisco peer and also after upgrading from 2.11 to 2.13.
I wasn't able to start the connection; it worked for about an hour when the Cisco side made an "active" connect, and they told me our gateway did not even try to connect. After one hour the connection broke.

At that point I decided not to call the Cisco people again and downgraded to IPFire 2.11 (new install and restore from backup). Everything is fine there; IPFire actively tries to connect to Cisco and succeeds.

Regards

Arne.F
Core Developer
Posts: 8522
Joined: May 7th, 2006, 8:57 am
Location: BS <-> NDH

Re: 2.13 Core 65 IPSec connection breaks down after one hour

Post by Arne.F » February 11th, 2013, 6:14 pm

Downgrading to 2.11 is no solution!
Can you provide logs?
Arne

Support the project with a donation!

PS: I will not answer support questions via email and ignore IPFire related messages on my non IPFire.org mail addresses.

Jan_B
Posts: 83
Joined: June 28th, 2011, 10:43 am
Location: Bremen

Re: 2.13 Core 65 IPSec connection breaks down after one hour

Post by Jan_B » February 11th, 2013, 8:32 pm

Of course it is not a solution forever, but it was productive and the business had to go on. We have no tunnels to test with, so that could not have been figured out before.
Can you tell me which logfiles would be helpful?
I have not formatted the failed 2.13 machine yet, so I can grab any logfile.

AngelKing
Posts: 25
Joined: January 26th, 2012, 9:58 am

Re: 2.13 Core 65 IPSec connection breaks down after one hour

Post by AngelKing » February 11th, 2013, 8:35 pm

I think it is that DPD does not work correctly in 2.13.

Please tell me which log options you need for debugging.

Arne.F
Core Developer
Posts: 8522
Joined: May 7th, 2006, 8:57 am
Location: BS <-> NDH

Re: 2.13 Core 65 IPSec connection breaks down after one hour

Post by Arne.F » February 12th, 2013, 12:35 pm

The IPSec output is logged to /var/log/messages and can be viewed in the webif log viewer in the category IPSec.

I had no problems with dead peer detection between two IPFire systems. Have you configured the tunnel for IKEv1 or IKEv2? IPFire accepts both for incoming connections but uses only the configured one for outgoing.
Arne


AngelKing
Posts: 25
Joined: January 26th, 2012, 9:58 am

Re: 2.13 Core 65 IPSec connection breaks down after one hour

Post by AngelKing » February 14th, 2013, 8:28 am

I use IKEv1.

Log is attached.

Arne.F
Core Developer
Posts: 8522
Joined: May 7th, 2006, 8:57 am
Location: BS <-> NDH

Re: 2.13 Core 65 IPSec connection breaks down after one hour

Post by Arne.F » February 14th, 2013, 1:59 pm

Is there an out-of-memory problem or a red reconnect?
charon terminates without a logged reason and restarts very often in your log.
Can you also provide the other sections from the same timeframe (/var/log/messages)?
Arne

AngelKing
Posts: 25
Joined: January 26th, 2012, 9:58 am

Re: 2.13 Core 65 IPSec connection breaks down after one hour

Post by AngelKing » February 14th, 2013, 2:29 pm

Okay, here is the full log.

I have a script that restarts the IPSec daemon if the remote host is not reachable. Without this script the IPSec daemon stops working after the first disconnect.

Regards

AngelKing
Posts: 25
Joined: January 26th, 2012, 9:58 am

Re: 2.13 Core 65 IPSec connection breaks down after one hour

Post by AngelKing » February 20th, 2013, 11:42 am

The problem still exists in 2.13 Core 66. I have updated my restart script to record the problem in a logfile.

Arne.F
Core Developer
Posts: 8522
Joined: May 7th, 2006, 8:57 am
Location: BS <-> NDH

Re: 2.13 Core 65 IPSec connection breaks down after one hour

Post by Arne.F » February 20th, 2013, 11:53 am

In Jan_B's log I have found a warning that his Cisco peers do not support DPD.
Without DPD the connection can break and will not be automatically restarted by strongSwan, so I think the script workaround is the only solution. (Or contact Cisco to get DPD working.)
Arne

Jan_B
Posts: 83
Joined: June 28th, 2011, 10:43 am
Location: Bremen

Re: 2.13 Core 65 IPSec connection breaks down after one hour

Post by Jan_B » February 20th, 2013, 7:37 pm

It seems it is not only my Cisco peers that are treated as "no DPD".

IPFire simply declares every peer with "DPD not supported by peer, disabled". This just can't be true.
Only IKEv1 connections are configured, and they break after some time.
With a manual restart of the affected connection(s) it is fixed again for some time.

Something is very strange with the new strongSwan.
Will the next Core Upgrade restore the old strongSwan version, please?  :D :D
Last edited by Jan_B on February 20th, 2013, 8:49 pm, edited 1 time in total.

Jan_B
Posts: 83
Joined: June 28th, 2011, 10:43 am
Location: Bremen

Re: 2.13 Core 65 IPSec connection breaks down after one hour

Post by Jan_B » February 20th, 2013, 7:57 pm

This part is not happening where the connections break.
06:46:42 charon: 11[IKE] reauthenticating IKE_SA connname[14]
06:46:42 charon: 11[IKE] reauthenticating IKE_SA connname[14]
06:46:42 charon: 11[IKE] initiating Main Mode IKE_SA connname[15] to public.ip
06:46:42 charon: 11[IKE] initiating Main Mode IKE_SA connname[15] to public.ip

This log is from another IPFire which does not have these problems.
Here it also gets this during "ipsec up":
...
received DPD vendor ID
...

It is also IKEv1 and also has the same configuration (IKE and ESP encryption, DH group etc.) as two other connections on the other IPFire. I can't swear to it, but I think this is also a Cisco peer.

One difference here is that keylifetime > ikelifetime.
On the problematic IPFire it is the opposite.

I will give it a try by switching the numbers between keylife and ikelifetime.
You will read about it.

Okay, all but one broken, so that was not the fix.

Here is the log:
21:25:47 charon: 09[IKE] closing CHILD_SA connname1{4} with SPIs c8203acc_i (0 bytes) 9c1e2301_o (0 bytes) and TS local.net/24 === remote.localnet.1/24
21:25:47 charon: 09[IKE] closing CHILD_SA connname1{4} with SPIs c8203acc_i (0 bytes) 9c1e2301_o (0 bytes) and TS local.net/24 === remote.localnet.1/24
21:25:47 charon: 14[IKE] deleting IKE_SA connname1[5] between own.public.ip[own.public.ip]...remote1.public.ip[remote1.public.ip]
21:25:47 charon: 14[IKE] deleting IKE_SA connname1[5] between own.public.ip[own.public.ip]...remote1.public.ip[remote1.public.ip]
21:25:52 charon: 10[IKE] closing CHILD_SA connname2{5} with SPIs c07a0643_i (0 bytes) dc0b5d30_o (0 bytes) and TS local.net/24 === remote.localnet.2/32
21:25:52 charon: 10[IKE] closing CHILD_SA connname2{5} with SPIs c07a0643_i (0 bytes) dc0b5d30_o (0 bytes) and TS local.net/24 === remote.localnet.2/32
21:25:52 charon: 12[IKE] deleting IKE_SA connname2[3] between own.public.ip[own.public.ip]...remote2.public.ip[remote2.public.ip]
21:25:52 charon: 12[IKE] deleting IKE_SA connname2[3] between own.public.ip[own.public.ip]...remote2.public.ip[remote2.public.ip]
21:25:58 charon: 09[IKE] closing CHILD_SA connname3{1} with SPIs cc94e7fc_i (0 bytes) 9afe7033_o (0 bytes) and TS local.net/24 === remote.localnet.3/24
21:25:58 charon: 09[IKE] closing CHILD_SA connname3{1} with SPIs cc94e7fc_i (0 bytes) 9afe7033_o (0 bytes) and TS local.net/24 === remote.localnet.3/24
21:25:58 charon: 14[IKE] deleting IKE_SA connname3[1] between own.public.ip[own.public.ip]...remote3.public.ip[remote3.public.ip]
21:25:58 charon: 14[IKE] deleting IKE_SA connname3[1] between own.public.ip[own.public.ip]...remote3.public.ip[remote3.public.ip]

Nothing afterwards, just stayed dead.
Last edited by Jan_B on February 20th, 2013, 8:34 pm, edited 1 time in total.
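An added example (not Jan_B's, AngelKing's or the IPFire project's code) of turning the symptom posted above into a check: a scanner over charon lines from /var/log/messages that lists tunnels whose IKE_SA was deleted and never initiated or reauthenticated again, and tunnels whose peer charon flagged with "DPD not supported by peer, disabled". The sample log is constructed after the lines in this thread. The DPD warning carries no connection name, so it is attributed to the last IKE_SA named on the same charon worker thread; that attribution is a heuristic assumption, not documented strongSwan behaviour.

```shell
#!/bin/sh
# ipsec-logscan.sh: added example, not from the thread's posters or IPFire.
# Usage on the firewall: grep charon /var/log/messages | scan_ipsec_log

# scan_ipsec_log: charon lines on stdin -> "DEAD <conn>" / "NODPD <conn>" lines, sorted
scan_ipsec_log() {
    awk '
    # connection name sits between "IKE_SA " and the next "[", e.g. "IKE_SA connname1[5]"
    function conn(line) {
        if (match(line, /IKE_SA [A-Za-z0-9_.-]+\[/)) return substr(line, RSTART + 7, RLENGTH - 8)
        return ""
    }
    {
        # charon prefixes each line with its worker thread, e.g. "14[IKE]".
        # The DPD warning names no connection, so remember the last IKE_SA each
        # thread mentioned and attribute the warning to it (heuristic assumption).
        thread = ""
        if (match($0, /[0-9]+\[IKE\]/)) thread = substr($0, RSTART, RLENGTH - 5)
        c = conn($0)
        if (c != "") last[thread] = c
    }
    /\[IKE\] deleting IKE_SA/ && c != ""                       { dead[c] = 1 }
    /\[IKE\] (initiating|reauthenticating) / && c != ""        { delete dead[c] }
    /DPD not supported by peer, disabled/ && (thread in last)  { nodpd[last[thread]] = 1 }
    END {
        for (n in dead)  print "DEAD " n
        for (n in nodpd) print "NODPD " n
    }' | LC_ALL=C sort
}

# Constructed sample modelled on the lines posted in this thread: connname
# reauthenticates cleanly, connname2 is deleted but initiated again, connname1
# and connname3 are deleted and never come back, and connname3's peer is
# reported as having no DPD support.
SAMPLE_LOG='06:46:42 charon: 11[IKE] reauthenticating IKE_SA connname[14]
06:46:42 charon: 11[IKE] initiating Main Mode IKE_SA connname[15] to public.ip
06:46:43 charon: 11[IKE] received DPD vendor ID
06:46:43 charon: 11[IKE] IKE_SA connname[15] established between own.public.ip[own.public.ip]...public.ip[public.ip]
07:10:01 charon: 05[IKE] IKE_SA connname3[1] established between own.public.ip[own.public.ip]...remote3.public.ip[remote3.public.ip]
07:10:01 charon: 05[IKE] DPD not supported by peer, disabled
21:25:47 charon: 09[IKE] closing CHILD_SA connname1{4} with SPIs c8203acc_i (0 bytes) 9c1e2301_o (0 bytes) and TS local.net/24 === remote.localnet.1/24
21:25:47 charon: 14[IKE] deleting IKE_SA connname1[5] between own.public.ip[own.public.ip]...remote1.public.ip[remote1.public.ip]
21:25:52 charon: 12[IKE] deleting IKE_SA connname2[3] between own.public.ip[own.public.ip]...remote2.public.ip[remote2.public.ip]
21:25:58 charon: 14[IKE] deleting IKE_SA connname3[1] between own.public.ip[own.public.ip]...remote3.public.ip[remote3.public.ip]
21:26:30 charon: 08[IKE] initiating Main Mode IKE_SA connname2[6] to remote2.public.ip'

# demo: run the scanner over the constructed sample
demo() { printf '%s\n' "$SAMPLE_LOG" | scan_ipsec_log; }

# only run the demo when executed under this name, so the functions can be sourced
case "${0##*/}" in ipsec-logscan.sh) demo ;; esac
```

Duplicated lines, as in the log viewer output above, do not disturb the result, and a tunnel that is deleted and later shows "initiating" or "reauthenticating" again is not reported. What the scan cannot tell you is why charon never re-initiated; that still needs the surrounding /var/log/messages sections.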

AngelKing
Posts: 25
Joined: January 26th, 2012, 9:58 am

Re: 2.13 Core 65 IPSec connection breaks down after one hour

Post by AngelKing » February 21st, 2013, 9:27 am

From the Cisco side the key lifetime for phase 1 is set to 24 hours, but in IPFire I can only set 8 hours.

Here is my restart log:

IPSEC restarded on 20-02-2013-10:25:13
IPSEC restarded on 20-02-2013-10:25:59
IPSEC restarded on 20-02-2013-10:26:13
IPSEC restarded on 20-02-2013-14:57:13
IPSEC restarded on 20-02-2013-16:28:13
IPSEC restarded on 20-02-2013-17:14:13
IPSEC restarded on 20-02-2013-18:00:13
IPSEC restarded on 20-02-2013-18:46:13
IPSEC restarded on 20-02-2013-21:02:13
IPSEC restarded on 20-02-2013-22:33:13
IPSEC restarded on 20-02-2013-23:19:13
IPSEC restarded on 21-02-2013-00:05:13
IPSEC restarded on 21-02-2013-00:51:13
IPSEC restarded on 21-02-2013-01:37:13
IPSEC restarded on 21-02-2013-02:23:13
IPSEC restarded on 21-02-2013-03:46:13
IPSEC restarded on 21-02-2013-04:32:13
IPSEC restarded on 21-02-2013-05:18:13
IPSEC restarded on 21-02-2013-06:04:13
IPSEC restarded on 21-02-2013-06:50:13
IPSEC restarded on 21-02-2013-07:36:13
IPSEC restarded on 21-02-2013-08:22:13
IPSEC restarded on 21-02-2013-09:08:13
IPSEC restarded on 21-02-2013-09:54:13

My script pings the host on the other side of the VPN every minute to check if the VPN is connected.

Jan_B
Posts: 83
Joined: June 28th, 2011, 10:43 am
Location: Bremen

Re: 2.13 Core 65 and 66 IPSec connection breaks down after one hour

Post by Jan_B » February 21st, 2013, 5:19 pm

Today I also introduced a script to check two main tunnels.
Where does your script log to? Is it possible to log into the IPSec section of the web interface?

Would you like to share your script? I can show you mine... but it pings only a client of the remote gateway. On success nothing happens; on failure it executes "ipsec up connname".

Never mind, I will downgrade once more.
Last edited by Jan_B on February 22nd, 2013, 8:42 pm, edited 1 time in total.
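An added example of the workaround both posters describe (ping a host behind each tunnel once a minute, run "ipsec up" when it stops answering). This is not AngelKing's or Jan_B's script and not part of IPFire; the connection names, the 192.0.2.x addresses, the retry threshold and the state directory are assumptions, and it assumes strongSwan's "ipsec up <conn>" and "ipsec restart" commands plus logger(1). It first re-negotiates only the dead tunnel and restarts the whole daemon only after repeated failures, since a daemon restart drops every other tunnel too. Logging through logger goes to syslog and therefore to /var/log/messages (assumption); whether the web interface's IPSec log view shows lines with this tag is not established in this thread.

```shell
#!/bin/sh
# ipsec-watchdog.sh: added example of the ping-and-reconnect workaround from this
# thread. Not the posters' scripts and not part of IPFire. Assumes strongSwan's
# "ipsec" CLI (ipsec up <conn>, ipsec restart) and logger(1).

# "connname:host_behind_tunnel" pairs; names and addresses are constructed examples
TUNNELS="${TUNNELS:-connname1:192.0.2.10 connname2:192.0.2.20}"
PING="${PING:-ping -c 2 -W 3}"           # overridable (e.g. PING=false) for dry runs
IPSEC="${IPSEC:-/usr/sbin/ipsec}"
LOG="${LOG:-logger -t ipsec-watchdog}"   # syslog, hence /var/log/messages (assumption)
MAX_UPS="${MAX_UPS:-3}"                  # failed "ipsec up" attempts before a daemon restart
STATE_DIR="${STATE_DIR:-/var/run/ipsec-watchdog}"

# peer_alive HOST: true when HOST answers ping through the tunnel
peer_alive() { $PING "$1" >/dev/null 2>&1; }

# fail_count CONN: consecutive failed "ipsec up" attempts recorded for CONN
fail_count() {
    if [ -f "$STATE_DIR/$1.fails" ]; then cat "$STATE_DIR/$1.fails"; else echo 0; fi
}

# decide_action ALIVE(0|1) FAILS: pure policy, prints none | up | restart.
# Re-negotiate the single tunnel first; restart charon only after MAX_UPS
# consecutive failures, because a restart tears down every other tunnel as well.
decide_action() {
    if [ "$1" -eq 1 ]; then echo none
    elif [ "$2" -ge "$MAX_UPS" ]; then echo restart
    else echo up
    fi
}

# check_tunnel CONN:HOST: one check cycle for a tunnel, prints the action taken
check_tunnel() {
    conn=${1%%:*}; host=${1#*:}
    mkdir -p "$STATE_DIR"
    if peer_alive "$host"; then alive=1; else alive=0; fi
    fails=$(fail_count "$conn")
    action=$(decide_action "$alive" "$fails")
    case $action in
        none)
            echo 0 > "$STATE_DIR/$conn.fails" ;;
        up)
            $LOG "$host behind $conn unreachable, running ipsec up $conn (attempt $((fails + 1)))"
            $IPSEC up "$conn" >/dev/null 2>&1 || $LOG "ipsec up $conn failed"
            echo $((fails + 1)) > "$STATE_DIR/$conn.fails" ;;
        restart)
            $LOG "$conn still down after $fails attempts, restarting ipsec"
            $IPSEC restart >/dev/null 2>&1 || $LOG "ipsec restart failed"
            echo 0 > "$STATE_DIR/$conn.fails" ;;
    esac
    echo "$action"
}

main() { for t in $TUNNELS; do check_tunnel "$t"; done; }

# Run from cron once a minute:  * * * * * /usr/local/bin/ipsec-watchdog.sh
# main runs only when executed under that name, so the functions can be sourced.
case "${0##*/}" in ipsec-watchdog.sh) main ;; esac
```

The failure counter is kept per tunnel in STATE_DIR, so one peer with a long outage escalates to a daemon restart on its own schedule while a healthy tunnel resets its counter every minute. Pinging a host behind the remote gateway rather than the gateway itself is deliberate: the gateway's public address answers even when the CHILD_SA is gone.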
