Bug #10632

Incorrect swanctl.conf syntax from Child SA Close Action

Added by Jonathan Grande 5 months ago. Updated 19 days ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 06/04/2020
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.5.0
Affected Architecture: amd64

Description

I was trying the latest pfSense build (2.5.0.a.20200603.1253) when I ran across a snag with IPsec. If you set an IPsec phase 1 "Child SA Close Action" to "Close connection and reconnect on demand", the generated swanctl.conf file has "close_action = hold" instead of "close_action = trap", which prevents strongSwan from loading the connection. If I change it to something else like no action, it works. I believe this is related to todo #9603 (Strongswan stroke is deprecated, move to swanctl/vici).

Here are the logs and the relevant section of /var/etc/ipsec/swanctl.conf:

Jun 4 01:11:15    charon    79811    12[NET] <1> received packet: from x.x.x.x[500] to y.y.y.y[500] (232 bytes)
Jun 4 01:11:15    charon    79811    12[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 4 01:11:15    charon    79811    12[CFG] <1> looking for an IKEv2 config for y.y.y.y...x.x.x.x
Jun 4 01:11:15    charon    79811    12[IKE] <1> no IKE config found for y.y.y.y...x.x.x.x, sending NO_PROPOSAL_CHOSEN
Jun 4 01:11:15    charon    79811    12[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jun 4 01:11:15    charon    79811    12[NET] <1> sending packet: from y.y.y.y[500] to x.x.x.x[500] (36 bytes)
Jun 4 01:11:15    charon    79811    12[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => DESTROYING

children {
    con2000 {
        close_action = hold
        dpd_action = restart
        mode = tunnel
        policies = yes
        life_time = 10800
        start_action = trap
        remote_ts = 192.168.1.0/24
        local_ts = 192.168.2.0/24
        esp_proposals = aes128gcm128-curve25519
    }
}

Associated revisions

Revision 31a6bd5e (diff)
Added by Jim Pingle 5 months ago

Use close_action=trap, not hold. Fixes #10632

Revision 21568e75 (diff)
Added by Jim Pingle 4 months ago

More complete IPsec close_action conversion. Fixes #10632

History

#1 Updated by Jonathan Grande 5 months ago

To duplicate this issue, all I think you need to do is change a working IKEv2 connection "Child SA Close Action" to "Close connection and reconnect on demand" and fully restart the tunnel (i.e., disable and enable it). I've also copied the config to the remote end (Ubuntu 20.04 server), swapped local and remote settings, and it throws an error when reloading the config, complaining about the "close_action = hold" line.

I can provide more logs or the full config if needed.

#2 Updated by Jim Pingle 5 months ago

  • Status changed from New to Confirmed
  • Assignee set to Jim Pingle
  • Target version set to 2.5.0

You are right, that did change:

https://wiki.strongswan.org/projects/strongswan/wiki/Fromipsecconf

In the old format it was "hold" and in the new format it is "trap". Will need to adjust the option and add upgrade code to account for the different value.

#3 Updated by Jim Pingle 5 months ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

#4 Updated by Jim Pingle 4 months ago

  • Status changed from Feedback to In Progress

This is still not 100% right.

Old       New
none      none
restart   start
clear     none
hold      trap

The last one was fixed, but not the others. The "clear" action is now the same as "none", so it can go away and have its description combined. "restart" still needs to be changed to "start".
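
The conversion table above, together with the "close_action = hold" snippet in the description, is enough to write a small pre-flight check for a generated swanctl.conf. The following Python is an added example and is not pfSense's generator code or part of strongSwan; it assumes that the only values swanctl.conf accepts for close_action are the three "New" entries in the table (none, start, trap), and it treats any other value as a legacy ipsec.conf value to be translated. The sample children block is constructed from the snippet in the description.

```python
import re
from typing import List, Tuple

# Legacy ipsec.conf (stroke) close_action value -> swanctl.conf (vici) value,
# exactly as listed in comment #4 of the bug thread.
LEGACY_TO_SWANCTL_CLOSE_ACTION = {
    "none": "none",
    "restart": "start",
    "clear": "none",
    "hold": "trap",
}

# Assumption: the set of values swanctl.conf accepts for close_action is the
# "New" column of that table.
VALID_SWANCTL_CLOSE_ACTIONS = {"none", "start", "trap"}


def convert_close_action(legacy_value: str) -> str:
    """Translate a close_action value into its swanctl.conf form.

    Values that are already valid for swanctl are returned unchanged; known
    legacy values are mapped; anything else raises so a broken configuration
    is caught before charon refuses to load the connection.
    """
    value = legacy_value.strip().lower()
    if value in VALID_SWANCTL_CLOSE_ACTIONS:
        return value
    try:
        return LEGACY_TO_SWANCTL_CLOSE_ACTION[value]
    except KeyError:
        raise ValueError(f"unknown close_action value: {legacy_value!r}") from None


# Matches a whole "close_action = <value>" line, keeping the indentation.
# [ \t]* is used instead of \s* so the pattern never spans a line break.
_CLOSE_ACTION_RE = re.compile(
    r"^(?P<indent>[ \t]*)close_action[ \t]*=[ \t]*(?P<value>\S+)[ \t]*$",
    re.MULTILINE,
)


def find_invalid_close_actions(swanctl_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, value) for each close_action line that swanctl
    would reject. Intended as a check on a freshly generated file."""
    bad: List[Tuple[int, str]] = []
    for lineno, line in enumerate(swanctl_text.splitlines(), start=1):
        m = _CLOSE_ACTION_RE.match(line)
        if m and m.group("value") not in VALID_SWANCTL_CLOSE_ACTIONS:
            bad.append((lineno, m.group("value")))
    return bad


def fix_close_actions(swanctl_text: str) -> str:
    """Rewrite every legacy close_action value in a swanctl.conf body.
    Other keys (for example dpd_action) are left untouched."""
    def repl(m: "re.Match[str]") -> str:
        new_value = convert_close_action(m.group("value"))
        return f"{m.group('indent')}close_action = {new_value}"
    return _CLOSE_ACTION_RE.sub(repl, swanctl_text)


# Constructed sample, modelled on the children block quoted in the description.
SAMPLE_CHILDREN = """\
children {
    con2000 {
        close_action = hold
        dpd_action = restart
        mode = tunnel
        policies = yes
        life_time = 10800
        start_action = trap
        remote_ts = 192.168.1.0/24
        local_ts = 192.168.2.0/24
        esp_proposals = aes128gcm128-curve25519
    }
}
"""

if __name__ == "__main__":
    for lineno, value in find_invalid_close_actions(SAMPLE_CHILDREN):
        print(f"line {lineno}: close_action = {value} is not valid for swanctl")
    print(fix_close_actions(SAMPLE_CHILDREN))
```

Running the block reports the "hold" line and prints the block with "close_action = trap" substituted; the "dpd_action = restart" line is deliberately left alone, since the table in this comment only covers close_action.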

#5 Updated by Jim Pingle 4 months ago

  • Status changed from In Progress to Feedback

#6 Updated by Steve Beaver 19 days ago

  • Status changed from Feedback to Resolved
