Hi there, I've got a lot of problems getting an IKEv2 point-to-point connection
stable between OpenBSD/OpenIKED and VyOS/strongSwan.

Basically, OpenBSD is a GRE transport in passive mode and strongSwan is an
active GRE transport. The GRE tunnel is built on top and keepalive works on
both sides, because I've changed the behaviour of the tun interface in Linux.

This is the error that I also get on the OpenBSD side:

Feb 22 07:54:34 ganesha iked[26646]: spi=0x53365c1f26b25ca8: ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:34 ganesha iked[26646]: spi=0xbbc576f1b7bbeff8: ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
Feb 22 07:54:38 ganesha iked[26646]: spi=0xa74b9d54a7346659: ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:38 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
Feb 22 07:54:38 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
Feb 22 07:54:39 ganesha iked[26646]: spi=0xb1cc5054712c2e6e: ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:40 ganesha iked[26646]: spi=0x56465bd460d16d54: ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:40 ganesha iked[26646]: pfkey_sa_lookup: message: No such process


Here is the strongSwan configuration:

conn XXXX
        keyexchange=ikev2
        type=transport
        auto=start
        reauth=no
        ikelifetime=1h
        dpdaction=restart
        dpddelay=15
        dpdtimeout=1
        closeaction=restart

        left=%defaultroute
        leftsourceip=%config4
        leftauth=pubkey
        leftid=%indra@XXXX
        leftprotoport=gre
        leftupdown=/config/ipsec/ESJP-updown.sh

        right=XXXX
        rightsubnet=XXXX
        rightauth=pubkey
        rightid=%jXXXX
        rightcert=/etc/ipsec.d/certs/XXXX.crt
        rightprotoport=gre

#!/bin/bash

set -o nounset
set -o errexit

TUN_IFACE="tun2"

# strongSwan calls this script with PLUTO_VERB set to the event being handled.
case "${PLUTO_VERB}" in
    up-host)
        echo "Putting interface ${TUN_IFACE} up"
        ifconfig "${TUN_IFACE}" up
        echo "Disabling IPsec policy (SPD) for ${TUN_IFACE}"
        sysctl -w "net.ipv4.conf.${TUN_IFACE}.disable_policy=1"
        echo "Accepting gre keepalive"
        sysctl -w "net.ipv4.conf.${TUN_IFACE}.accept_local=1"
        ;;
    down-host)
        ifconfig "${TUN_IFACE}" down
        ;;
esac

IKE is checked with DPD.
The SA is checked with the script.

On top of that there is also a cron script acting in this way:

#!/bin/bash
ROUTER_IP=XXXX
IPSEC="XXXX"
GRE="tun2"

# Ping the remote router through the GRE interface; fping reports "<host> is alive".
PING_RESULT=$(fping -I "$GRE" "$ROUTER_IP" 2>&1)
ALIVE="alive"
# "ipsec status <conn>" reports INSTALLED for an established CHILD_SA.
STATUS=$(ipsec status "$IPSEC")
ESTABLISHED="INSTALLED"

if [[ "$PING_RESULT" != *"$ALIVE"* ]]; then
    if [[ "$STATUS" == *"$ESTABLISHED"* ]]; then
        # SA is installed but the tunnel passes no traffic: tear it down and re-establish.
        ipsec stroke down-nb "$IPSEC"
        ipsec up "$IPSEC"
    else
        ipsec up "$IPSEC"
    fi
fi

On the OpenBSD side:

set dpd_check_interval 15
ikev2 "XXXX" passive transport \
        proto gre \
        from XXXX to XXXX \
        local jXXXX peer any \
        ikesa auth hmac-sha2-256 enc aes-256 group ecp256 \
        childsa auth hmac-sha2-256 enc aes-256 group ecp256 \
        srcid "shiva@XXXX" \
        ikelifetime 86400 lifetime 3600

root@shiva:/etc# cat hostname.gre1
description "XXXX"
keepalive 5 2
mtu 1392
!ifconfig gre1 XXXX4 XXXX netmask 0xfffffffc up
!ifconfig gre1 tunnel XXXX XXXX
root@shiva:/etc#

And some ifstated rules to check the keepalive status.

Any suggestions?

-- 
Name: Riccardo Giuntoli
Email: tag...@gmail.com
Location: sant Pere de Ribes, BCN, Spain
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net
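As an added example that is not part of the original post (nor strongSwan's or OpenIKED's own code), the decision logic of the cron check above is factored into a function that takes the fping output and the "ipsec status" output as text, so it can be exercised offline without a live tunnel, and a second function counts the "busy, delaying rekey" messages per IKE SA SPI in iked log text so an SA whose rekey keeps being delayed stands out. It assumes, as the post does, that fping prints "<host> is alive" for a reachable peer and that "ipsec status <conn>" contains INSTALLED for an established CHILD_SA; the sample inputs are constructed, with the log lines unwrapped to one message per line as iked writes them.

```shell
#!/bin/sh
# Added example, not from the original post. The caller runs
# "ipsec stroke down-nb"/"ipsec up" (or nothing) according to the word
# returned by ipsec_action; this keeps the decision separate from the actions.
# Assumption: fping prints "<host> is alive"; "ipsec status" prints INSTALLED.

# Usage: ipsec_action "<fping output>" "<ipsec status output>"
# Prints one of: ok | restart | up
ipsec_action() {
    ping_result=$1
    sa_status=$2

    case "$ping_result" in
        *" is alive"*) echo ok; return 0 ;;
    esac
    # Peer not reachable through the GRE interface: decide by CHILD_SA state.
    case "$sa_status" in
        *INSTALLED*) echo restart ;;   # SA is installed but carries no traffic
        *)           echo up ;;        # no SA at all: just bring the conn up
    esac
}

# Count "busy, delaying rekey" messages per IKE SA SPI in iked(8) log text.
# Usage: count_rekey_delays "<log text>" -> "<count> <spi>" lines, most frequent first
count_rekey_delays() {
    printf '%s\n' "$1" |
      awk '/ikev2_ike_sa_rekey: busy, delaying rekey/ {
               for (i = 1; i <= NF; i++)
                   if ($i ~ /^spi=/) { sub(/^spi=/, "", $i); sub(/:$/, "", $i); n[$i]++ }
           }
           END { for (s in n) print n[s], s }' | sort -rn
}

# Constructed sample inputs (placeholder addresses and a placeholder conn name).
PING_DEAD='192.0.2.1 is unreachable'
PING_OK='192.0.2.1 is alive'
STATUS_INSTALLED='gre-peer{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c1234567_i c7654321_o'
STATUS_NONE='no match'
LOG_SAMPLE='Feb 22 07:54:34 ganesha iked[26646]: spi=0x53365c1f26b25ca8: ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:34 ganesha iked[26646]: spi=0xbbc576f1b7bbeff8: ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
Feb 22 07:54:38 ganesha iked[26646]: spi=0x53365c1f26b25ca8: ikev2_ike_sa_rekey: busy, delaying rekey'

echo "dead ping, SA installed -> $(ipsec_action "$PING_DEAD" "$STATUS_INSTALLED")"   # restart
echo "dead ping, no SA        -> $(ipsec_action "$PING_DEAD" "$STATUS_NONE")"        # up
echo "ping ok                 -> $(ipsec_action "$PING_OK" "$STATUS_NONE")"          # ok
count_rekey_delays "$LOG_SAMPLE"   # 2 0x53365c1f26b25ca8, then 1 0xbbc576f1b7bbeff8
```

Running count_rekey_delays over a longer stretch of the real log is the quickest way to see whether the "busy, delaying rekey" messages cluster on one IKE SA (which points at that SA's rekey being stuck behind a pending exchange) or are spread across many, which is a different problem.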
