LinuxQuestions.org
Old 06-16-2014, 01:40 PM   #1
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349
strongswan 4.5.2 on vyatta + Win7 client = random disconnects


So I've finally got an x509 VPN set up on a Vyatta-based router, using strongswan v4.5.2. I can successfully connect & transfer large amounts of traffic over the VPN, but at some point I randomly get disconnected; it appears that key renegotiation is failing. There doesn't seem to be a pattern to it; it can stay up for half a day & transfer 10 gigabytes' worth before it crashes, or it can stay up for 20 minutes with little traffic before a disconnect. After I get disconnected, I have to restart strongswan before I can connect again.

/etc/ipsec.conf
Code:
# generated by /opt/vyatta/sbin/vpn-config.pl

version 2.0

config setup
        charonstart=no
        interfaces="%none"
        nat_traversal=yes
        virtual_private="%v4:0.0.0.0/0"

conn clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn private-or-clear
        auto=ignore

conn private
        auto=ignore

conn block
        auto=ignore

conn packetdefault
        auto=ignore

conn %default
        keyexchange=ikev1

### Vyatta L2TP VPN Begin ###
include /etc/ipsec.d/tunnels/remote-access
### Vyatta L2TP VPN End ###
/etc/ipsec.d/tunnels/remote-access
Code:
### Vyatta L2TP VPN Begin ###
conn remote-access-win-aaa
  rightprotoport=17/1701
  also=remote-access

conn remote-access-mac-zzz
  rightprotoport=17/%any
  also=remote-access

conn remote-access
  authby=rsasig
  leftrsasigkey=%cert
  rightrsasigkey=%cert
  rightca=%same
  leftcert=/etc/ipsec.d/certs/Gateway.crt
  pfs=no
  left=xx.xx.xx.xx
  leftprotoport=17/1701
  right=%any
  rightsubnet=vhost:%no,%priv
  auto=add
  ike=aes256-sha1,3des-sha1!
  dpddelay=15
  dpdtimeout=45
  dpdaction=clear
  esp=aes256-sha1,3des-sha1!
  rekey=no
  ikelifetime=3600
### Vyatta L2TP VPN End ###
Here is the server log during a disconnect:
Code:
Jun 16 12:59:35 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #201: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jun 16 12:59:35 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #201: IPSec Transform [AES_CBC (128), HMAC_SHA1] refused due to strict flag
Jun 16 12:59:35 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #201: responding to Quick Mode
Jun 16 12:59:35 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #201: cannot install eroute -- it is in use for "remote-access-mac-zzz"[193] y.y.y.y:4500 #193
Jun 16 12:59:36 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #200: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000001 (perhaps this is a duplicated packet)
Jun 16 12:59:36 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #200: sending encrypted notification INVALID_MESSAGE_ID to y.y.y.y:4500
Jun 16 12:59:38 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #200: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000001 (perhaps this is a duplicated packet)
Jun 16 12:59:38 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #200: sending encrypted notification INVALID_MESSAGE_ID to y.y.y.y:4500
Jun 16 12:59:42 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #200: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000001 (perhaps this is a duplicated packet)
Jun 16 12:59:42 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #200: sending encrypted notification INVALID_MESSAGE_ID to y.y.y.y:4500
Jun 16 12:59:50 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #200: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000001 (perhaps this is a duplicated packet)
Jun 16 12:59:50 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #200: sending encrypted notification INVALID_MESSAGE_ID to y.y.y.y:4500
"Quick Mode I1 message is unacceptable because it uses a previously used Message ID"

Those "previously used Message IDs" seem to be part of the problem, but as usual, Google turns up next to nothing useful, only that other people have had this problem, with no solution.
 
Old 07-09-2014, 04:59 PM   #2
kentyler
Member
 
Registered: Dec 2008
Location: Newark Ohio
Distribution: Fedora Core
Posts: 270
It looks like the connection may have dropped but the server still sees it as up and it's in use.

Try specifying one of the closeaction options:

closeaction = none | clear | hold | restart

defines the action to take if the remote peer unexpectedly closes a CHILD_SA (IKEv2 only, see dpdaction for
meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids checking,
as these events might trigger the defined action when not desired.


Seeing this:
cannot install eroute -- it is in use for "remote-access-mac-zzz"[193] y.y.y.y:4500 #193

makes me think that if you ran ipsec auto --status, the server would show the connection erouted when it's disconnected.
 
Old 07-13-2014, 03:48 PM   #3
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349

Original Poster
But closeaction is only for IKEv2, and I'm using IKEv1... In any case, I'm virtually certain the actual link between the client and server isn't dropping, as I've been testing locally, with the client and server separated by just an Ethernet cable, and I get the same connection drops.

The device is a Ubiquiti EdgeRouter Lite, which only supports running strongswan with pluto/IKEv1.
 
Old 12-29-2014, 09:53 PM   #4
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349

Original Poster
Sorry to necropost, but I'm still having the same problem & never got any kind of resolution here. Anyone?????