Bug #10632
closed
Incorrect swanctl.conf syntax from Child SA Close Action
100%
Description
I was trying the latest pfsense build (2.5.0.a.20200603.1253) when I ran across a snag with IPsec. If you set an IPsec phase 1 "Child SA Close Action" to "Close connection and reconnect on demand", the generated swanctl.conf file has "close_action = hold" instead of "close_action = trap", which prevents strongswan from loading the connection. If I change it to something else like no action, it works. I believe this is related to todo # 9603 (Strongswan stroke is deprecated, move to swanctl/vici).
Here's the logs and relevent section of /var/etc/ipsec/swanctl.conf:
Jun 4 01:11:15 charon 79811 12[NET] <1> received packet: from x.x.x.x[500] to y.y.y.y[500] (232 bytes)
Jun 4 01:11:15 charon 79811 12[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 4 01:11:15 charon 79811 12[CFG] <1> looking for an IKEv2 config for y.y.y.y...x.x.x.x
Jun 4 01:11:15 charon 79811 12[IKE] <1> no IKE config found for y.y.y.y...x.x.x.x, sending NO_PROPOSAL_CHOSEN
Jun 4 01:11:15 charon 79811 12[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jun 4 01:11:15 charon 79811 12[NET] <1> sending packet: from y.y.y.y[500] to x.x.x.x[500] (36 bytes)
Jun 4 01:11:15 charon 79811 12[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => DESTROYING
children {
con2000 {
close_action = hold
dpd_action = restart
mode = tunnel
policies = yes
life_time = 10800
start_action = trap
remote_ts = 192.168.1.0/24
local_ts = 192.168.2.0/24
esp_proposals = aes128gcm128-curve25519
}
}
Updated by Jonathan Grande almost 4 years ago
To duplicate this issue, all I think you need to do is change a working IKEv2 connection "Child SA Close Action" to "Close connection and reconnect on demand" and fully restart the tunnel (ie - disable and enable it). I've also copied the config to the remote end (Ubuntu 20.04 server), swapped local and remote settings, and it throws an error when reloading the config, complaining about the "close_action = hold line".
I can provide more logs or the full config if needed.
Updated by Jim Pingle almost 4 years ago
- Status changed from New to Confirmed
- Assignee set to Jim Pingle
- Target version set to 2.5.0
You are right, that did change:
https://wiki.strongswan.org/projects/strongswan/wiki/Fromipsecconf
In the old format it was "hold" and in the new format it is "trap". Will need to adjust the option and add upgrade code to account for the different value.
Updated by Jim Pingle almost 4 years ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset 31a6bd5e8fb5984e4e8a5a89126b7206f92fde5d.
Updated by Jim Pingle almost 4 years ago
- Status changed from Feedback to In Progress
This is still not 100% right.
| Old | New |
|---|---|
none |
none |
restart |
start |
clear |
none |
hold |
trap |
The last one was fixed, but not the others. The "clear" action is now the same as "none" so it can go away and have its description combined. "restart" still needs changed to "start"
Updated by Jim Pingle almost 4 years ago
- Status changed from In Progress to Feedback
Applied in changeset 21568e753abb092747fddeeda41a9952827b06d1.
Updated by Anonymous