ipsec rekeying not working

Started by ServerCat, April 02, 2024, 06:32:13 PM

The IPsec tunnel doesn't rekey. So after 1 hour the connection gets lost.

The server logs some proposal problem.

2024-04-02T17:58:06 Informational charon 16[CFG] < 2de0136f-6cbc-421a-80aa-3729176f844e|421> configured proposals: ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ
2024-04-02T17:58:06 Informational charon 16[CFG] < 2de0136f-6cbc-421a-80aa-3729176f844e|421> received proposals: ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ

The client logs the same.

This is the config.
# This file is automatically generated. Do not edit
connections {
    2de0136f-6cbc-421a-80aa-3729176f844e {
        proposals =  aes256gcm16-sha256-modp2048
        unique = no
        aggressive = no
        version = 2
        mobike = no
        local_addrs = my.address.com
        encap = yes
        rekey_time = 600
        dpd_delay = 30
        pools = PoolA
        send_certreq = yes
        keyingtries = 0
        local-fc3a7fbe-732d-4ee4-890b-f725d40125e8 {
            round = 0
            auth = pubkey
            id = my.address.com
            certs = 654269e2e801b.crt
        }
        remote-544f43ac-e76a-4d3a-9db6-57ff389b5b0f {
            round = 0
            auth = eap-radius
            id = ConnectionA
            eap_id = %any
            groups = GroupA
        }
        children {
            cab66875-3b0a-456c-ab01-e5af7fd9a621 {
                esp_proposals = aes256gcm16-sha256-modp2048
                sha256_96 = no
                start_action = trap|start
                close_action = trap
                dpd_action = clear
                mode = tunnel
                policies = yes
                local_ts = 192.168.10.0/24,192.168.100.0/24,192.168.50.0/24
                rekey_time = 3600
                updown = /usr/local/opnsense/scripts/ipsec/updown_event.py --connection_child cab66875-3b0a-456c-ab01-e5af7fd9a621
            }
        }
    }
}
pools {
    PoolA {
        addrs = 10.30.150.0/24
        dns = 192.168.10.1
    }
}
secrets {
}
# Include config snippets
include conf.d/*.conf


I have tried different child proposals. But I couldn't find a right one. In my opinion there is a match with AES_GCM_16_256.

Any ideas?

I have it! I'm using Ubuntu as a client. The Network-Manager addon doesn't use Perfect Forward Secrecy (PFS) by default. This means no DH group has to be configured in the server-side proposal settings. This was the reason for the proposal mismatch.

So I can either use the "insecure" aes256-sha256 proposal on the server in the child or define a proposal on the client side. On Ubuntu it is a little bit hidden: at the bottom of the Identity tab, click Algorithms.

PFS description on the strongSwan website: https://docs.strongswan.org/docs/5.9/config/rekeying.html
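To make the mismatch in the log lines above visible without re-reading charon source, here is a small proposal matcher written as an added example for this thread; it is not code from OPNsense, strongSwan or the poster. It parses the "configured proposals" / "received proposals" lines, groups algorithms by transform type, and reports why each configured/received pair fails. The sample log lines are constructed after the ones quoted above (connection UUID replaced by a placeholder), and the rule that a DH group present on only one side of an ESP proposal is accepted only when that side also offers MODP_NONE is my reading of charon's selection logic, stated as an assumption; it goes slightly beyond the thread by also showing the "keep modp2048 on both sides" and "offer modpnone" outcomes.

```python
import re

# Constructed sample lines, modelled on the charon output quoted in the thread
# (the connection UUID is replaced by a placeholder name).
RECEIVED_SPEC = (
    "ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NO_EXT_SEQ, "
    "ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/"
    "HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ"
)
CONFIGURED_LINE = (
    "2024-04-02T17:58:06 Informational charon 16[CFG] <example-conn|421> "
    "configured proposals: ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ"
)
RECEIVED_LINE = (
    "2024-04-02T17:58:06 Informational charon 16[CFG] <example-conn|421> "
    "received proposals: " + RECEIVED_SPEC
)

LOG_RE = re.compile(r"\[CFG\] <[^>]*> (configured|received) proposals: (.+)$")

# Transform types in check order, keyed to the name prefixes charon prints.
TRANSFORM_PREFIXES = {
    "encr":  ("AES_GCM", "AES_CBC", "AES_CTR", "AES_CCM", "CHACHA20", "3DES", "NULL"),
    "integ": ("HMAC_", "AES_XCBC", "AES_CMAC"),
    "dh":    ("MODP_", "ECP_", "CURVE_"),
    "esn":   ("NO_EXT_SEQ", "EXT_SEQ"),
}


def classify(alg):
    """Map a charon algorithm name to its transform type."""
    for ttype, prefixes in TRANSFORM_PREFIXES.items():
        if alg.startswith(prefixes):
            return ttype
    raise ValueError(f"unknown transform {alg!r}")


def parse_proposals(spec):
    """Parse 'ESP:A/B/C, ESP:D/E' into [(proto, {ttype: [algs]}), ...].
    Algorithms of one type inside a proposal are alternatives."""
    result = []
    for prop in spec.split(", "):
        proto, _, algs = prop.partition(":")
        by_type = {}
        for alg in algs.split("/"):
            by_type.setdefault(classify(alg), []).append(alg)
        result.append((proto, by_type))
    return result


def parse_log_line(line):
    """Return ('configured'|'received', proposal spec) for a charon CFG line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a charon proposal line")
    return m.group(1), m.group(2)


def select(configured, received):
    """Match one configured proposal against one received proposal.
    Returns (selected, None) on success or (None, reason) on mismatch."""
    proto_c, ours_by_type = configured
    proto_r, theirs_by_type = received
    if proto_c != proto_r:
        return None, f"protocol {proto_c} vs {proto_r}"
    selected = {}
    for ttype in TRANSFORM_PREFIXES:
        ours = ours_by_type.get(ttype, [])
        theirs = theirs_by_type.get(ttype, [])
        if ours and theirs:
            common = [a for a in ours if a in theirs]
            if not common:
                return None, f"no common {ttype}: {ours} vs {theirs}"
            selected[ttype] = common[0]  # configured order wins
        elif ours or theirs:
            # Only one side lists this type.  For the ESP DH group (PFS) this
            # is tolerated only if the listing side also offers MODP_NONE;
            # otherwise it is a mismatch.  Assumption: my reading of charon.
            if ttype == "dh" and "MODP_NONE" in (ours or theirs):
                continue
            return None, f"{ttype} only on one side: {ours or theirs}"
    return selected, None


def match(configured_spec, received_spec):
    """Try each configured proposal against each received one, in order.
    Returns (selected, []) for the first match, else (None, all reasons)."""
    reasons = []
    for conf in parse_proposals(configured_spec):
        for recv in parse_proposals(received_spec):
            selected, why = select(conf, recv)
            if why is None:
                return selected, []
            reasons.append(why)
    return None, reasons


def diagnose(configured_line, received_line):
    """Run the matcher over a configured/received pair of charon log lines."""
    kind_c, spec_c = parse_log_line(configured_line)
    kind_r, spec_r = parse_log_line(received_line)
    if (kind_c, kind_r) != ("configured", "received"):
        raise ValueError("expected a configured line followed by a received line")
    return match(spec_c, spec_r)


if __name__ == "__main__":
    # As in the thread: server insists on MODP_2048, client sends no DH group.
    print(diagnose(CONFIGURED_LINE, RECEIVED_LINE))
    # Server child proposal without a DH group (the no-PFS fix from the thread).
    print(match("ESP:AES_GCM_16_256/NO_EXT_SEQ", RECEIVED_SPEC))
    # Client configured with a DH group in its Algorithms dialog: PFS kept.
    print(match("ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ",
                "ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ"))
```

Running it on the two sample lines yields no match, with the first received proposal failing on "dh only on one side" and the second on "no common encr", which is exactly the situation the thread describes: the ciphers agree, the DH group does not. Of the two fixes the thread names, selecting a DH group on the Ubuntu client keeps PFS for the CHILD_SA rekey, whereas dropping modp2048 from the server's child proposal removes it for every client of that connection.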