[Openswan Users] ike keepalives

Marco Berizzi pupilla at hotmail.com
Wed Jul 26 17:11:56 CEST 2006


Hello everybody.
I have a tunnel between the two private networks implemented
by the two Linux systems, lnxA & lnxB: this tunnel delivers
traffic from network priv-net-A to priv-net-B and vice versa.
The two endpoints' IP addresses are pub-ip-A for priv-net-A
and pub-ip-B for priv-net-B. This is the "GOOD" & working 24x7
tunnel.

priv-net-A--|lnxA|--pub-ip-A**internet**pub-ip-B--|lnxB|--priv-net-B
             +---------------GOOD ipsec tunnel----------------+

Users' notebooks (roadwarriors) are configured so that they may
connect to priv-net-A and priv-net-B from the internet via
IPsec. So I specified this configuration for every notebook:

network to reach: priv-net-B
ipsec remote endpoint: pub-ip-B
ipsec me endpoint: any_ip_address

network to reach: priv-net-A
ipsec remote endpoint: pub-ip-A
ipsec me endpoint: any_ip_address

Users connect to the internet, gain a dynamic ip address,
double click the ipsec icon on the desktop and the notebook
establishes two ipsec tunnels:

any_ip_address--**internet**pub-ip-B--|lnxB|--priv-net-B
any_ip_address--**internet**pub-ip-A--|lnxA|--priv-net-A

Now I will try to explain what happened some time
ago. One of our roadwarriors connected his notebook to
priv-net-B and he double clicked the ipsec icon (because he
didn't know that the "GOOD" tunnel exists), so his notebook
tried to establish the ipsec tunnel to priv-net-A.
This is the diagram:

notebook(172.16.1.227)--|lnxB snat to pub-ip-B|--**internet**pub-ip-A--|lnxA|--priv-net-A

The notebook has taken an ip address from the priv-net-B
subnet (172.16.1.227).

1) The notebook's IKE daemon sends a packet to pub-ip-A:
src=172.16.1.227 sport=500 dst=pub-ip-A dport=500
2) our firewall, lnxB (which is also the ipsec endpoint for
the "GOOD" tunnel) snats the IKE packet from the notebook with
the pub-ip-B address (which is also the same ipsec endpoint
address for the "GOOD" tunnel): src=pub-ip-B sport=500
dst=pub-ip-A dport=500
3) lnxB puts this entry in /proc/net/ip_conntrack:
udp      17 169 src=172.16.1.227 dst=pub-ip-A sport=500
dport=500 packets=51 bytes=9264 src=pub-ip-A
dst=pub-ip-B sport=500 dport=500  packets=77 bytes=29760
[ASSURED] mark=0 use=1
4) lnxA (ipsec gateway) receives the IKE packet. It comes from
pub-ip-B. The IKE daemon on lnxA doesn't like that packet
because the id is wrong: it expects the id from the lnxB ipsec
gateway, not that from the notebook; it will drop it.
5) lnxA needs to renegotiate the "GOOD" tunnel so it sends an
IKE packet to pub-ip-B
6) lnxB receives the IKE packet, which is for itself, but it
forwards it to the evil notebook.
7) after a while the "GOOD" tunnel goes down...

Point n°3 is where the error occurred. NAT shouldn't
NAT to port numbers that are already used, which means that
the "GOOD" tunnel connection timed out from the netfilter/conntrack
point of view (IIRC it should be ten minutes).
I would like to know if there is a way to set openswan to
send some kind of IKE keepalive packets to prevent this from
happening.
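
A detection check for the conntrack state described in step 3, as an added example that is not part of the original post: it parses `ip_conntrack` lines and reports UDP flows whose reply direction occupies the gateway's own public address on the IKE ports on behalf of another host. The addresses (203.0.113.20 standing in for pub-ip-B, 198.51.100.10 for pub-ip-A), the function names and the sample lines are constructed for illustration; including port 4500 (NAT-T) goes beyond the port 500 case in the post.

```python
import re

IKE_PORTS = {500, 4500}            # IKE and IKE NAT-T
PAIR = re.compile(r"(\w+)=(\S+)")
TUPLE_KEYS = ("src", "dst", "sport", "dport")

def parse_entry(line):
    """Return (proto, original_tuple, reply_tuple) for one conntrack line, or None."""
    fields = line.split()
    orig, reply = {}, {}
    for key, value in PAIR.findall(line):
        if key in TUPLE_KEYS:
            # First occurrence of a key is the original direction, second is the reply.
            (reply if key in orig else orig)[key] = value
    if not fields or len(orig) < 4 or len(reply) < 4:
        return None                # e.g. ICMP entries carry no ports
    return fields[0], orig, reply

def hijacked_ike_flows(lines, gateway_ip):
    """Flows whose reply direction claims gateway_ip on an IKE port for another host."""
    hits = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        proto, orig, reply = parsed
        if (proto == "udp" and reply["dst"] == gateway_ip
                and int(reply["dport"]) in IKE_PORTS
                and orig["src"] != gateway_ip):
            hits.append((orig["src"], reply["src"], int(reply["dport"])))
    return hits

GATEWAY = "203.0.113.20"           # constructed placeholder for pub-ip-B
SAMPLE = [                         # constructed lines modelled on the entry in step 3
    # SNATed notebook flow that kept source port 500: the problem case
    "udp      17 169 src=172.16.1.227 dst=198.51.100.10 sport=500 dport=500 "
    "packets=51 bytes=9264 src=198.51.100.10 dst=203.0.113.20 sport=500 dport=500 "
    "packets=77 bytes=29760 [ASSURED] mark=0 use=1",
    # the gateway's own IKE flow for the site-to-site tunnel
    "udp      17 175 src=203.0.113.20 dst=198.51.100.10 sport=500 dport=500 "
    "packets=12 bytes=2100 src=198.51.100.10 dst=203.0.113.20 sport=500 dport=500 "
    "packets=12 bytes=2100 [ASSURED] mark=0 use=1",
    # SNATed flow remapped to another source port: no collision
    "udp      17 28 src=172.16.1.50 dst=198.51.100.10 sport=500 dport=500 "
    "packets=1 bytes=200 [UNREPLIED] src=198.51.100.10 dst=203.0.113.20 sport=500 "
    "dport=1024 packets=0 bytes=0 mark=0 use=1",
]

if __name__ == "__main__":
    for src, peer, port in hijacked_ike_flows(SAMPLE, GATEWAY):
        print(f"IKE replies from {peer} to {GATEWAY}:{port} are delivered to {src}")
```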



