Hello,
I can confirm that the IKEv2 connection was alive for the entire night
of testing:
000 #80: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500
STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 27522s;
newest; idle;
000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500
STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 6s;
EXPIRE in 28536s; newest; eroute owner; IKE SA #80; idle;
000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164 [email protected]
[email protected] [email protected] [email protected]
Traffic: ESPin=1MB ESPout=41MB ESPmax=0B
Less than 10 seconds after initiating the IKEv2 connection from the Android
tablet (Samsung Galaxy Tab S6 Lite), the connection was severed. But
both ends still think it is connected:
000 #80: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500
STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 27299s; idle;
000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500
STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 28313s;
IKE SA #80; idle;
000 #81: "MYCONN-ikev2-cp"[2] 94.253.210.164 [email protected]
[email protected] [email protected] [email protected]
Traffic: ESPin=2MB ESPout=105MB ESPmax=0B
000 #83: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855
STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28745s;
newest; idle;
000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855
STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 5s;
EXPIRE in 28745s; newest; eroute owner; IKE SA #83; idle;
000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164 [email protected]
[email protected] [email protected] [email protected]
Traffic: ESPin=145KB ESPout=10MB ESPmax=0B
Now I tested ping 8.8.8.8 and it is also down, while
whatismyipaddress.com shows that the Android tablet is connected. :-/
The session log is here (only the interesting event, not the entire
night of testing): https://domac.alu.hr/mtodorov/ikev2-20220113-03.log
After I reconnected Windows 10, the Android device appears kicked out ...
But it isn't shown in `ipsec showstates`, as it still believes it has a
connection on both devices:
000 #83: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855
STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28290s; idle;
000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855
STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 28290s;
IKE SA #83; idle;
000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164 [email protected]
[email protected] [email protected] [email protected]
Traffic: ESPin=864KB ESPout=12MB ESPmax=0B
000 #86: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500
STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28667s;
newest; idle;
000 #87: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500
STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 17s;
EXPIRE in 28667s; newest; eroute owner; IKE SA #86; idle;
000 #87: "MYCONN-ikev2-cp"[2] 94.253.210.164 [email protected]
[email protected] [email protected] [email protected]
Traffic: ESPin=2MB ESPout=9MB ESPmax=0B
On average, we will have only one user on the VPN most of the time,
but two accountants could accidentally kick each other out, couldn't they?
I hope any of this helps.
BTW, the Android L2TP connection tested with 4.5 USE_DH2=true did not
connect from Android, while it did from Windows 10. I would like to have
them all running stable and symmetrically.
Kind regards,
Mirsad Todorovac
On 1/13/2022 11:36 PM, Mirsad Goran Todorovac wrote:
Hello,
I tried to summarize in the title, and so far I have been able to
associate the teardown of Windows 10 data stream with a simultaneous
IKEv2 connection that came during the test signal (live TV stream)
from an Android tablet on our test Linux server.
The Windows laptop had no realtime stream and no DNS resolution.
I did not check ping, but I suspect it wouldn't pass either, judging by
the symptoms.
This time I compiled without the USE_DH2=true and used it with
ms-dh-downgrade=true.
conn MYCONN-ikev2-cp
    # The server's actual IP goes here - not elastic IPs
    left=161.53.235.3
    leftcert=vpn.alu.hr
    [email protected]
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    # Clients
    right=%any
    # your addresspool to use - you might need NAT rules if
    # providing full internet to clients
    rightaddresspool=192.168.101.10-192.168.101.253
    # optional rightid with restrictions
    rightid="O=ALU-UNIZG,CN=win7client.alu.hr"
    rightca=%same
    rightrsasigkey=%cert
    #
    # connection configuration
    # DNS servers for clients to use
    modecfgdns=8.8.8.8,192.168.100.1
    # Versions up to 3.22 used modecfgdns1 and modecfgdns2
    #modecfgdns1=8.8.8.8
    #modecfgdns2=193.110.157.123
    narrowing=yes
    # recommended dpd/liveness to cleanup vanished clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    # only one esp= line can be active per conn; the earlier proposal list
    # is kept here commented out for reference
    #esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1
    #
    esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
    # ikev2 fragmentation support requires libreswan 3.14 or newer
    fragmentation=yes
    # optional PAM username verification (eg to implement
    # bandwidth quota)
    # pam-authorize=yes
    ms-dh-downgrade=yes
    authby=rsa-sha1
Both `ipsec showstates` and Windows 10 did not reflect that the
data stream was interrupted, and neither did Android.
Here are session log [1] and log [2].
The interesting part is probably close to the end of both logs.
[1] https://domac.alu.hr/mtodorov/ikev2-20220113-01.log
[2] https://domac.alu.hr/mtodorov/ikev2-20220113-02.log
I will supply more information as I am testing. I wonder if this is
related to the removal of USE_DH2=true from the compilation, or whether the
connection will be stable unless there is interference from another
(Android) client. The Android had also lost connectivity, though the
wizard said "Connected".
Hope this helps. I would have to revert to 4.5 and USE_DH2=true, and I
don't think it would be prudent to move it to the production VPN until
we resolve such issues :-/
The accountant guy would think I'm incompetent if his VPN connection
breaks in the middle of accounting salaries :-(
Any idea?
Kind regards,
Mirsad
--
Mirsad Goran Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
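The `ipsec showstates` listings above are being read by eye to see which SAs are still "newest" and still carry a LIVENESS timer, and which ones are lingering until EXPIRE after the peer (or another client behind the same NAT address) set up a newer SA. The following script is an added example, not code from this thread or from the libreswan project: it parses showstates lines into records, flags established SAs that are no longer newest or have no liveness timer, and groups states by connection instance and peer address so that several source ports behind one NAT address stand out. The sample input is constructed from the second listing quoted in the post (one state per line, ids omitted from the Traffic lines); the staleness rules are this example's own heuristics, not libreswan's.

```python
"""Parse `ipsec showstates` output and flag lingering IKEv2 states.

Added example, not part of the mailing-list thread and not libreswan code.
The sample below is constructed from the state lines quoted in the post
(ids omitted from the Traffic lines); the staleness rules are assumptions
used here for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? '
    r'(?P<peer>[0-9.]+)(?::(?P<port>\d+))? (?P<state>STATE_\w+) '
    r'\((?P<desc>[^)]*)\);(?P<rest>.*)$')
TRAFFIC_RE = re.compile(
    r'^000 #(?P<num>\d+): "[^"]+".*Traffic: ESPin=(?P<esp_in>\S+) '
    r'ESPout=(?P<esp_out>\S+) ESPmax=(?P<esp_max>\S+)')

# Constructed sample: the second showstates listing from the post, one state per line.
SAMPLE = """\
000 #83: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28290s; idle;
000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164:46855 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 28290s; IKE SA #83; idle;
000 #84: "MYCONN-ikev2-cp"[2] 94.253.210.164 Traffic: ESPin=864KB ESPout=12MB ESPmax=0B
000 #86: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28667s; newest; idle;
000 #87: "MYCONN-ikev2-cp"[2] 94.253.210.164:4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); LIVENESS in 17s; EXPIRE in 28667s; newest; eroute owner; IKE SA #86; idle;
000 #87: "MYCONN-ikev2-cp"[2] 94.253.210.164 Traffic: ESPin=2MB ESPout=9MB ESPmax=0B
"""


@dataclass
class SA:
    num: int
    conn: str
    inst: Optional[int]
    peer: str
    port: Optional[int]
    state: str
    flags: List[str] = field(default_factory=list)   # e.g. "newest", "idle", "eroute owner"
    expire_s: Optional[int] = None
    liveness_s: Optional[int] = None
    parent: Optional[int] = None                      # IKE SA number for a Child SA
    traffic: Optional[Dict[str, str]] = None

    @property
    def is_child(self) -> bool:
        return "CHILD" in self.state

    @property
    def newest(self) -> bool:
        return "newest" in self.flags


def _seconds(tok: str, prefix: str) -> int:
    return int(tok[len(prefix):].rstrip("s"))


def parse_showstates(text: str) -> List[SA]:
    """Turn showstates lines into SA records; Traffic lines attach to their state."""
    sas: Dict[int, SA] = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            sa = SA(int(m["num"]), m["conn"], int(m["inst"]) if m["inst"] else None,
                    m["peer"], int(m["port"]) if m["port"] else None, m["state"])
            for tok in (t.strip() for t in m["rest"].split(";")):
                if not tok:
                    continue
                if tok.startswith("EXPIRE in "):
                    sa.expire_s = _seconds(tok, "EXPIRE in ")
                elif tok.startswith("LIVENESS in "):
                    sa.liveness_s = _seconds(tok, "LIVENESS in ")
                elif tok.startswith("IKE SA #"):
                    sa.parent = int(tok[len("IKE SA #"):])
                else:
                    sa.flags.append(tok)
            sas[sa.num] = sa
            continue
        m = TRAFFIC_RE.match(line)
        if m and int(m["num"]) in sas:
            sas[int(m["num"])].traffic = {"in": m["esp_in"], "out": m["esp_out"], "max": m["esp_max"]}
    return list(sas.values())


def find_stale(sas: List[SA]) -> List[Tuple[int, List[str]]]:
    """Established SAs that are not 'newest' (replaced, lingering until EXPIRE) or
    Child SAs with no LIVENESS timer (nothing will notice a vanished peer)."""
    stale = []
    for sa in sas:
        if not sa.state.startswith("STATE_V2_ESTABLISHED"):
            continue
        reasons = []
        if not sa.newest:
            reasons.append("not newest")
        if sa.is_child and sa.liveness_s is None:
            reasons.append("no liveness timer")
        if reasons:
            stale.append((sa.num, reasons))
    return stale


def group_by_peer(sas: List[SA]) -> Dict[Tuple[str, Optional[int], str], List[int]]:
    """Source ports seen per (conn, instance, peer address): several ports on one
    address means several endpoints, or reconnects, behind the same NAT."""
    groups: Dict[Tuple[str, Optional[int], str], set] = {}
    for sa in sas:
        if sa.port is not None:
            groups.setdefault((sa.conn, sa.inst, sa.peer), set()).add(sa.port)
    return {key: sorted(ports) for key, ports in groups.items()}


if __name__ == "__main__":
    states = parse_showstates(SAMPLE)
    for num, reasons in find_stale(states):
        print(f"#{num}: {', '.join(reasons)}")
    for key, ports in group_by_peer(states).items():
        print(f"{key}: ports {ports}")
```

Run on a live box as `ipsec showstates | python3 showstates_check.py` after swapping `SAMPLE` for `sys.stdin.read()`; on the sample it reports #83 and #84 as lingering and one (conn, instance, address) seen on ports 4500 and 46855.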