
I should migrate the current racoon daemon to strongSwan on some routers. To do this while in operation, I have to be able to install strongSwan a little at a time, so it will have to run a VPN together with the racoon daemon. With racoon I was able to run all the VPN configurations with any router, and in particular I have configurations with multiple IKEv1 subnets.

I enclose a diagram to be as clear as possible:

________________ro1___             ______________cli1_
|10.80.81.254/24 ens7-|------------|10.80.81.1/24 ens7|
|                     |            |10.50.81.1/24 ens3|
|                     |            |GW 10.80.81.254   |
|                     |            |__________________|
|                     |            
|10.70.71.1/24 ens9 | | 
|___________________|_|
                    |
                    |
________________ro2_|_ 
|10.70.71.2/24 ens9 | |
|                     |
|                     |            ______________cli2_
|GW 10.70.71.1        |            |GW 10.80.82.254   |
|10.80.82.254/24 ens7-|------------|10.80.82.1/24 ens7| 
|_____________________|            |__________________|

ip route ls cli1
default via 10.80.81.254 dev ens7 onlink
10.50.81.0/24 dev ens3 proto kernel scope link src 10.50.81.1
10.80.81.0/24 dev ens7 proto kernel scope link src 10.80.81.1
ip route ls cli2
default via 10.80.82.254 dev ens7 onlink
10.80.82.0/24 dev ens7 proto kernel scope link src 10.80.82.1
ip route ls ro1
10.50.81.0/24 dev ens7 scope link
10.70.71.0/24 dev ens9 proto kernel scope link src 10.70.71.1
10.70.72.0/24 dev ens10 proto kernel scope link src 10.70.72.1
10.80.81.0/24 dev ens7 proto kernel scope link src 10.80.81.254
10.80.82.0/24 via 10.70.71.2 dev ens9
ip route ls ro2
default via 10.70.71.1 dev ens9 onlink
10.70.71.0/24 dev ens9 proto kernel scope link src 10.70.71.2
10.70.72.0/24 dev ens10 proto kernel scope link src 10.70.72.2
10.80.82.0/24 dev ens7 proto kernel scope link src 10.80.82.254

Without an active VPN, from cli1 I can ping cli2 and from cli2 I can ping cli1:

ping cli1 -> cli2
root@cli1:~# ping cli2
PING cli2 (10.80.82.1) 56(84) bytes of data.
64 bytes from cli2 (10.80.82.1): icmp_seq=1 ttl=62 time=0.850 ms
64 bytes from cli2 (10.80.82.1): icmp_seq=2 ttl=62 time=1.16 ms

ping cli2 -> cli1
root@cli2:~# ping cli1
PING cli1 (10.80.81.1) 56(84) bytes of data.
64 bytes from cli1 (10.80.81.1): icmp_seq=1 ttl=62 time=0.927 ms
64 bytes from cli1 (10.80.81.1): icmp_seq=2 ttl=62 time=0.976 ms

root@cli2:~# ping 10.50.81.1
PING 10.50.81.1 (10.50.81.1) 56(84) bytes of data.
64 bytes from 10.50.81.1: icmp_seq=1 ttl=62 time=0.963 ms
64 bytes from 10.50.81.1: icmp_seq=2 ttl=62 time=1.14 ms

I attach the VPN configurations:

vpn ro1 racoon.conf

remote 10.70.71.2 {
        exchange_mode main;
        nat_traversal off;
        initial_contact on;
        generate_policy require;
        lifetime time 12 hours;

        #script "/etc/racoon/router2.up.sh" phase1_up;
        #script "/etc/racoon/router2.down.sh" phase1_down;

        proposal {
                encryption_algorithm 'aes 128';
                authentication_method pre_shared_key;
                hash_algorithm sha1;
                dh_group modp2048;
        }
}

sainfo address 10.80.81.0/24 any address 10.80.82.0/24 any {
        encryption_algorithm 'aes 128';
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 4 hours;
        pfs_group modp1024;
}

sainfo address 10.50.81.0/24 any address 10.80.82.0/24 any {
        encryption_algorithm 'aes 128';
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 4 hours;
        pfs_group modp1024;
}

vpn ro2 ipsec.conf (strongswan)

conn router1_lin1_loc
   type=tunnel
   authby=secret
   auto=start
   compress=no
   leftfirewall=yes
   rightfirewall=yes
   rekey=yes
   reauth=no
   mobike=no
   left=10.70.71.2
   leftsubnet=10.80.82.0/24
   right=10.70.71.1
   rightsubnet=10.80.81.0/24
   dpdaction = none
   keyexchange=ikev1
   ike=aes128-sha1-modp2048
   ikelifetime=12h
   esp=aes128-sha1-modp1024
   lifetime=4h

conn router1_lin1_dmz
   also=router1_lin1_loc
   leftsubnet=10.80.82.0/24
   rightsubnet=10.50.81.0/24
   auto=route

After starting the VPN services, everything works properly:

root@ro2:/etc/ipsec.d# ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-6-amd64, x86_64):
  uptime: 101 seconds, since Nov 19 10:40:36 2019
  malloc: sbrk 2564096, mmap 0, used 710448, free 1853648
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Listening IP addresses:
  10.70.72.2
  10.80.82.254
  10.70.71.2
Connections:
router1_lin1_loc:  10.70.71.2...10.70.71.1  IKEv1
router1_lin1_loc:   local:  [10.70.71.2] uses pre-shared key authentication
router1_lin1_loc:   remote: [10.70.71.1] uses pre-shared key authentication
router1_lin1_loc:   child:  10.80.82.0/24 === 10.80.81.0/24 TUNNEL
router1_lin1_dmz:   child:  10.80.82.0/24 === 10.50.81.0/24 TUNNEL
Routed Connections:
router1_lin1_dmz{1}:  ROUTED, TUNNEL, reqid 1
router1_lin1_dmz{1}:   10.80.82.0/24 === 10.50.81.0/24
Security Associations (1 up, 0 connecting):
router1_lin1_loc[1]: ESTABLISHED 101 seconds ago, 10.70.71.2[10.70.71.2]...10.70.71.1[10.70.71.1]
router1_lin1_loc[1]: IKEv1 SPIs: 7d0ae014b65151bb_i* e9d01ba24b15ce56_r, rekeying in 11 hours
router1_lin1_loc[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
router1_lin1_loc{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cd333ba9_i 0d825538_o
router1_lin1_loc{2}:  AES_CBC_128/HMAC_SHA1_96/MODP_1024, 2016 bytes_i (24 pkts, 0s ago), 2016 bytes_o (24 pkts, 0s ago), rekeying in 3 hours
router1_lin1_loc{2}:   10.80.82.0/24 === 10.80.81.0/24

In fact the first connection is activated automatically and the two clients ping each other (see the packets received by the VPN), but as soon as the VPN "router1_lin1_dmz" is activated, the two clients stop pinging and only the ping from cli2 to 10.50.81.1 works:

root@ro2:/etc/ipsec.d# ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-6-amd64, x86_64):
  uptime: 20 minutes, since Nov 19 10:40:36 2019
  malloc: sbrk 2564096, mmap 0, used 775440, free 1788656
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Listening IP addresses:
  10.70.72.2
  10.80.82.254
  10.70.71.2
Connections:
router1_lin1_loc:  10.70.71.2...10.70.71.1  IKEv1
router1_lin1_loc:   local:  [10.70.71.2] uses pre-shared key authentication
router1_lin1_loc:   remote: [10.70.71.1] uses pre-shared key authentication
router1_lin1_loc:   child:  10.80.82.0/24 === 10.80.81.0/24 TUNNEL
router1_lin1_dmz:   child:  10.80.82.0/24 === 10.50.81.0/24 TUNNEL
Routed Connections:
router1_lin1_dmz{1}:  ROUTED, TUNNEL, reqid 1
router1_lin1_dmz{1}:   10.80.82.0/24 === 10.50.81.0/24
Security Associations (1 up, 0 connecting):
router1_lin1_loc[1]: ESTABLISHED 20 minutes ago, 10.70.71.2[10.70.71.2]...10.70.71.1[10.70.71.1]
router1_lin1_loc[1]: IKEv1 SPIs: 7d0ae014b65151bb_i* e9d01ba24b15ce56_r, rekeying in 11 hours
router1_lin1_loc[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
router1_lin1_loc{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cd333ba9_i 0d825538_o
router1_lin1_loc{2}:  AES_CBC_128/HMAC_SHA1_96/MODP_1024, 183708 bytes_i (2187 pkts, 7s ago), 183708 bytes_o (2187 pkts, 15s ago), rekeying in 3 hours
router1_lin1_loc{2}:   10.80.82.0/24 === 10.80.81.0/24
router1_lin1_dmz{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c667b3db_i 05449ccb_o
router1_lin1_dmz{3}:  AES_CBC_128/HMAC_SHA1_96/MODP_1024, 2184 bytes_i (26 pkts, 0s ago), 1092 bytes_o (13 pkts, 0s ago), rekeying in 3 hours
router1_lin1_dmz{3}:   10.80.82.0/24 === 10.50.81.0/24

The strange thing is that after the VPN "router1_lin1_dmz" is activated, all the traffic for the 10.80.x.x network ends up in this last VPN, as its counter increases. Why?

Another interesting thing is that the same configuration with strongSwan on both sides works fine.

root@cli2:~# ping -w 2 -c 3 cli1
PING cli1 (10.80.81.1) 56(84) bytes of data.

--- cli1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 21ms

root@cli2:~# ping -w 2 -c 3 10.50.81.1
PING 10.50.81.1 (10.50.81.1) 56(84) bytes of data.
64 bytes from 10.50.81.1: icmp_seq=1 ttl=62 time=1.08 ms
64 bytes from 10.50.81.1: icmp_seq=2 ttl=62 time=1.04 ms

--- 10.50.81.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 1.037/1.056/1.075/0.019 ms
manstt

1 Answer

With generate_policy require racoon will use the same reqid for each IPsec policy, which means it sends all data through the IPsec SA that has most recently been established. This won't work with strongSwan, which uses separate reqids/SAs for each policy, which means that inbound data gets dropped if it is not intended for the policy with the matching reqid.

To fix this, configure generate_policy unique; that way, racoon will use separate/unique reqids too.

ecdsa
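As an added check (not part of this thread, and not strongSwan's or racoon's own tooling), the script below reads `ip xfrm policy` output in the iproute2 text format and reports any reqid that is shared by more than one traffic selector in the same direction, which is exactly the racoon `generate_policy require` behaviour the answer describes; the two samples are constructed to mirror the ro1 policies of the question, not captured from a real router.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. It reads `ip xfrm policy` output and
# reports any reqid shared by more than one traffic selector in one direction,
# which is the racoon "generate_policy require" behaviour the answer describes.
# Live use on a router:  ip xfrm policy | shared_reqids

shared_reqids() {
  awk '
    # selector line of a policy: "src A dst B"
    $1 == "src" && $3 == "dst" { sel = $2 "->" $4 }
    $1 == "dir" { dir = $2 }
    # template line: "proto esp reqid N mode tunnel"
    $1 == "proto" && $2 == "esp" {
      for (i = 1; i < NF; i++) if ($i == "reqid") reqid = $(i + 1)
      key = dir " reqid " reqid
      if (!((key, sel) in seen)) {
        seen[key, sel] = 1; n[key]++; sels[key] = sels[key] " " sel
      }
    }
    END {
      bad = 0
      for (key in n) if (n[key] > 1) { print key ":" sels[key]; bad = 1 }
      exit bad
    }'
}

# Constructed sample (not captured from the thread): racoon with
# generate_policy require installs both outbound policies with reqid 1.
SHARED_REQID_SAMPLE='src 10.80.81.0/24 dst 10.80.82.0/24
        dir out priority 0 ptype main
        tmpl src 10.70.71.1 dst 10.70.71.2
                proto esp reqid 1 mode tunnel
src 10.50.81.0/24 dst 10.80.82.0/24
        dir out priority 0 ptype main
        tmpl src 10.70.71.1 dst 10.70.71.2
                proto esp reqid 1 mode tunnel'

# Constructed sample of the fixed state (generate_policy unique): one reqid per policy.
UNIQUE_REQID_SAMPLE='src 10.80.81.0/24 dst 10.80.82.0/24
        dir out priority 0 ptype main
        tmpl src 10.70.71.1 dst 10.70.71.2
                proto esp reqid 1 mode tunnel
src 10.50.81.0/24 dst 10.80.82.0/24
        dir out priority 0 ptype main
        tmpl src 10.70.71.1 dst 10.70.71.2
                proto esp reqid 2 mode tunnel'

printf '%s\n' "$SHARED_REQID_SAMPLE" | shared_reqids || echo "shared reqid found: fix racoon.conf"
```

A non-zero exit from `shared_reqids` on the racoon router means its policies still collide on one reqid and the strongSwan peer will drop inbound ESP for every selector but the most recently negotiated one.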