Hello. I connected a site-to-site IKEv2 IPsec tunnel from an RUTXR1 to a Fortigate.

The RUTXR1 is behind NAT.

The Fortigate has a public IP.

The tunnel comes up OK, traffic passes OK.

But when I press the "Bring Down all Phase 2 Selectors" button on the Fortigate, the tunnel never (I mean within 5-10 minutes) comes back up.

Also, if Phase 2 goes down due to the inactivity period, the result is the same. The tunnel does not come up.

Is it a bug or a feature?

I tested the IKEv1 Aggressive mode version, and tried v6 and v7 firmware for the RUTXR1. But the tunnel does not recover from a remote-end disconnect.

Tunnel working OK:

root@Teltonika-RUTXR1:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.14.195, armv7l):
Connections:
FG_S2S-FG_S2S_c:  %any...tun.domain.lv  IKEv2, dpddelay=30s
FG_S2S-FG_S2S_c:   local:  [SITEb] uses pre-shared key authentication
FG_S2S-FG_S2S_c:   remote: [zzz.domain.lv] uses pre-shared key authentication
FG_S2S-FG_S2S_c:   child:  192.168.71.0/24 === 10.10.x.0/24 10.10.y.0/24 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
FG_S2S-FG_S2S_c[1]: ESTABLISHED 2 minutes ago, 10.168.101.30[SITE1]...159.148.zzz.yyy[zzz.domain.lv]
FG_S2S-FG_S2S_c[1]: IKEv2 SPIs: 11037e77285919d6_i* b0229b09c1df024b_r, pre-shared key reauthentication in 23 hours
FG_S2S-FG_S2S_c[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
FG_S2S-FG_S2S_c{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cdf567da_i 63817f3a_o
FG_S2S-FG_S2S_c{1}:  AES_CBC_128/HMAC_SHA1_96, 9924 bytes_i (161 pkts, 0s ago), 9948 bytes_o (161 pkts, 0s ago), rekeying in 11 hours
FG_S2S-FG_S2S_c{1}:   192.168.71.0/24 === 10.10.x.0/24 10.10.y.0/24

After the Fortigate drops the Phase 2 Selectors:

root@Teltonika-RUTXR1:~# ipsec statusall
Connections:
FG_S2S-FG_S2S_c:  %any...zzz.domain.lv  IKEv2, dpddelay=30s
FG_S2S-FG_S2S_c:   local:  [SITEb] uses pre-shared key authentication
FG_S2S-FG_S2S_c:   remote: [zzz.domain.lv] uses pre-shared key authentication
FG_S2S-FG_S2S_c:   child:  192.168.71.0/24 === 10.10.x.0/24 10.10.y.0/24 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
FG_S2S-FG_S2S_c[1]: ESTABLISHED 2 minutes ago, 10.168.101.30[SITE1]...159.148.zzz.yyy[zzz.domain.lv]
FG_S2S-FG_S2S_c[1]: IKEv2 SPIs: 11037e77285919d6_i* b0229b09c1df024b_r, pre-shared key reauthentication in 23 hours
FG_S2S-FG_S2S_c[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536

1 Answer


So, one day later, the answer was found.

strongSwan ipsec.conf option "auto"

In short, when creating the VPN tunnel, you need to select Mode=Route.

By default Mode=Start.

It's worth noting that auto=start will not re-establish the tunnel if it is shut down. This can cause issues where the tunnel will come up perfectly when you restart your server (or restart ipsec), but then fail some time later, usually due to an inactivity timer set by the other party. On the other hand, if you set auto=route, then strongSwan will ensure that the tunnel is up every time it sees interesting traffic.

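As an added example (not code from the thread, from Teltonika, or from the strongSwan project), the following Python script covers both halves of this exchange: it parses `ipsec statusall` output and flags a connection whose IKE_SA is ESTABLISHED but has no INSTALLED CHILD_SA (the half-up state in the second snippet above), and it audits an ipsec.conf for conn sections whose effective `auto=` is anything other than `route`, rewriting them to `auto=route`. The status excerpts and the ipsec.conf text are constructed samples modelled on the question; the Mode=Route/Mode=Start labels in the router's web UI are assumed to map to strongSwan's `auto=route`/`auto=start`, and a conn with no `auto=` line is treated as strongSwan's documented default `auto=ignore`.

```python
import re

# Constructed sample `ipsec statusall` excerpts, modelled on the two snippets in the question.
STATUS_UP = """\
Security Associations (1 up, 0 connecting):
FG_S2S-FG_S2S_c[1]: ESTABLISHED 2 minutes ago, 10.168.101.30[SITE1]...159.148.zzz.yyy[zzz.domain.lv]
FG_S2S-FG_S2S_c[1]: IKEv2 SPIs: 11037e77285919d6_i* b0229b09c1df024b_r, pre-shared key reauthentication in 23 hours
FG_S2S-FG_S2S_c{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cdf567da_i 63817f3a_o
FG_S2S-FG_S2S_c{1}:   192.168.71.0/24 === 10.10.x.0/24 10.10.y.0/24
"""
STATUS_AFTER = """\
Security Associations (1 up, 0 connecting):
FG_S2S-FG_S2S_c[1]: ESTABLISHED 2 minutes ago, 10.168.101.30[SITE1]...159.148.zzz.yyy[zzz.domain.lv]
FG_S2S-FG_S2S_c[1]: IKEv2 SPIs: 11037e77285919d6_i* b0229b09c1df024b_r, pre-shared key reauthentication in 23 hours
"""
# Constructed (hypothetical) ipsec.conf with the problematic auto=start; not the router's real file.
CONF_BEFORE = """\
conn %default
    keyexchange=ikev2
    dpdaction=clear

conn FG_S2S-FG_S2S_c
    left=%any
    right=zzz.domain.lv
    leftsubnet=192.168.71.0/24
    rightsubnet=10.10.x.0/24,10.10.y.0/24
    auto=start

conn other
    leftsubnet=192.168.72.0/24
    rightsubnet=10.10.z.0/24
"""

# IKE_SA lines look like "NAME[1]: ESTABLISHED ...", CHILD_SA lines like "NAME{1}:  INSTALLED, ...".
IKE_SA_RE = re.compile(r"^(?P<conn>[^\s\[{:]+)\[\d+\]:\s+(?P<state>[A-Z_]+)")
CHILD_SA_RE = re.compile(r"^(?P<conn>[^\s\[{:]+)\{\d+\}:\s+(?P<state>[A-Z_]+)")
SA_KINDS = ((IKE_SA_RE, "ike_established", "ESTABLISHED"), (CHILD_SA_RE, "child_installed", "INSTALLED"))


def parse_statusall(text):
    """Map each connection name to whether an IKE_SA is ESTABLISHED and a CHILD_SA is INSTALLED."""
    report = {}
    for raw in text.splitlines():
        for regex, key, wanted in SA_KINDS:
            m = regex.match(raw.strip())
            if m:
                entry = report.setdefault(m["conn"], {"ike_established": False, "child_installed": False})
                if m["state"] == wanted:
                    entry[key] = True
                break
    return report


def half_up_connections(text):
    """Connections with an IKE_SA up but no installed CHILD_SA: the stuck state from the question."""
    return sorted(n for n, e in parse_statusall(text).items()
                  if e["ike_established"] and not e["child_installed"])


def parse_conn_sections(conf_text):
    """Return {conn_name: {key: value}} for every 'conn' section; comments and blanks are ignored."""
    sections, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():          # unindented line: a section header such as "conn NAME"
            parts = line.split()
            current = parts[1] if len(parts) == 2 and parts[0] == "conn" else None
            if current is not None:
                sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections


def audit_ipsec_conf(conf_text):
    """Effective auto= per conn: %default is honoured and a missing value is strongSwan's default 'ignore'."""
    sections = parse_conn_sections(conf_text)
    default_auto = sections.get("%default", {}).get("auto", "ignore")
    return {name: params.get("auto", default_auto)
            for name, params in sections.items() if name != "%default"}


def conns_not_routed(conf_text):
    """Conns that will not be re-negotiated on interesting traffic (anything but auto=route)."""
    return sorted(n for n, a in audit_ipsec_conf(conf_text).items() if a != "route")


def set_auto_route(conf_text, conn):
    """Return conf_text with auto=route in the named conn: the old auto= line is dropped and a
    new one placed directly under the section header."""
    out, in_target = [], False
    for raw in conf_text.splitlines():
        if raw and not raw[0].isspace() and not raw.startswith("#"):   # section header
            in_target = raw.split() == ["conn", conn]
            out.append(raw)
            if in_target:
                out.append("    auto=route")
            continue
        if in_target and "=" in raw and raw.split("=", 1)[0].strip() == "auto":
            continue                                                  # drop the old auto= line
        out.append(raw)
    return "\n".join(out) + "\n"
```

Running `half_up_connections` over the two samples returns nothing for the healthy output and `FG_S2S-FG_S2S_c` for the post-teardown one, which is a usable condition for a watchdog on the router. Note that the child definition in the question shows `dpdaction=clear`: when DPD fires, strongSwan removes the SA, and with `auto=start` nothing brings it back, whereas `auto=route` leaves a trap policy in place so the next matching packet triggers a fresh negotiation.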