0

We have configured a VPN connection from the Zabbix server to the server named deluxe, with the connection named "Zabbix-to-Deluxe".

Please find the configuration below:

    conn Zabbix-to-vyatta
        type=tunnel
        keyexchange=ikev2
        authby=secret
        left=x.x.x.x
        leftsubnet=x.x.x.x/26
        right=x.x.x.x
        rightsubnet=x.x.x.x/26
        ike=aes256-sha2_384-modp1536!
        esp=aes256-sha2_384!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        dpddelay=30s
        dpdtimeout=14400s
        dpdaction=clear
        auto=start
        reauth = no
        rekey = yes
        lifetime = 24h
        inactivity = 23h
        dpdaction = restart

    conn Zabbix-to-Deluxe
        also=Zabbix-to-vyatta
        rightsubnet=x.x.x.x/26,x.x.x.x/28
        auto=start

NOTE: IPs are denoted by x.x.x.x for security reasons.

Please find the logs for what must have gone wrong.

Please help, as we are getting alerts triggered as soon as the CHILD_SA is stopped. So we are temporarily restarting the strongswan service each time, and the issue goes away for some time, and then the Zabbix alerts are generated again as soon as the CHILD_SA fails.

Please help us understand and resolve this issue

    Oct 9 03:13:13 mdm-delux-mgmt01 strongswan: 05[ENC] generating INFORMATIONAL response 40 [ D ]
    Oct 9 03:13:13 mdm-delux-mgmt01 strongswan: 05[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (88 bytes)
    Oct 9 03:13:13 mdm-delux-mgmt01 strongswan: 06[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (232 bytes)
    Oct 9 03:13:13 mdm-delux-mgmt01 strongswan: 06[ENC] parsed CREATE_CHILD_SA request 41 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No TSi TSr ]
    Oct 9 03:13:13 mdm-delux-mgmt01 strongswan: 06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Oct 9 03:13:13 mdm-delux-mgmt01 strongswan: 06[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ
    Oct 9 03:13:13 mdm-delux-mgmt01 strongswan: 06[IKE] inbound CHILD_SA Zabbix-to-Deluxe{34} established with SPIs cf1fd705_i cf9cda04_o and TS x.x.x.x/26 === x.x.x.x/28
    Oct 9 03:13:13 mdm-delux-mgmt01 charon: 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Oct 9 03:13:13 mdm-delux-mgmt01 strongswan: 06[ENC] generating CREATE_CHILD_SA response 41 [ SA No TSi TSr ]
    Oct 9 03:13:13 mdm-delux-mgmt01 strongswan: 06[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (216 bytes)
    Oct 9 03:13:13 mdm-delux-mgmt01 strongswan: 07[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (88 bytes)
    Oct 9 03:13:13 mdm-delux-mgmt01 strongswan: 07[ENC] parsed INFORMATIONAL request 42 [ D ]
    Oct 9 03:13:13 mdm-delux-mgmt01 strongswan: 07[IKE] received DELETE for ESP CHILD_SA with SPI c10100ee
    Oct 9 03:13:13 mdm-delux-mgmt01 strongswan: 07[IKE] closing CHILD_SA Zabbix-to-Deluxe{28} with SPIs cb6d6584_i (0 bytes) c10100ee_o (0 bytes) and TS x.x.x.x/26 === 169.48.131.32/28
    Oct 9 03:13:13 mdm-delux-mgmt01 strongswan: 07[IKE] sending DELETE for ESP CHILD_SA with SPI cb6d6584
    Oct 9 03:13:13 mdm-delux-mgmt01 strongswan: 07[IKE] **CHILD_SA closed**
    Oct 9 03:13:13 mdm-delux-mgmt01 strongswan: 07[IKE] outbound CHILD_SA Zabbix-to-Deluxe{34} established with SPIs cf1fd705_i cf9cda04_o and TS x.x.x.x/26 === x.x.x.x/28
    Oct 9 03:13:13 mdm-delux-mgmt01 strongswan: 07[ENC] generating INFORMATIONAL response 42 [ D ]
    Oct 9 03:13:13 mdm-delux-mgmt01 strongswan: 07[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (88 bytes)
    Oct 9 03:13:13 mdm-delux-mgmt01 strongswan: 08[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (232 bytes)
    Oct 9 03:13:13 mdm-delux-mgmt01 strongswan: 08[ENC] parsed CREATE_CHILD_SA request 43 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No TSi TSr ]
    Oct 9 03:13:13 mdm-delux-mgmt01 strongswan: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Oct 9 03:13:13 mdm-delux-mgmt01 strongswan: 08[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT

1 Answer

0

There is insufficient information provided to definitively identify this problem.

From the strongswan logs, the remote side is tearing down the phase 2 IPSEC connection "CHILD_SA" and asking the Zabbix strongswan to delete it. Then a new CHILD_SA is established initiated from Zabbix strongswan.

Then sometime later that CHILD_SA is torn down again. (Not in logs).

Why the tearing down, re-establishing and what happens later is unclear. The relevant log entries have not been provided.

A guess would be the IPSEC Phase 2 rekeying triggering the CHILD_SA deletion and no action to restart on close.

An investigation would need the following information at a minimum:

  • Environment clearly detailed.
    • Include a network diagram
    • Identify any and all firewalls in the path (Server & Network)
    • Who initiates the IPSEC connection, or is it bi-initiation?
  • Confirm use of strongswan or swanctl on Zabbix server.
  • All software and firmware versions involved.
  • Strongswan logs from establishment to teardown.
  • The vyatta ipsec debug logs from establishment to teardown.
  • The Zabbix trigger being tripped (understand what it is looking for).
  • The full time sequence of all steps involved.
  • The full vyatta IPSEC configuration (minus privileged info)
  • The full strongswan configuration (minus privileged info)

Once you have gathered the above information, there should be sufficient evidence to help you identify the cause of your problem.
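
An added example, not part of the original answer: a small Python parser that reads strongSwan log lines in the format shown in the question and reports, for every closed CHILD_SA, whether another CHILD_SA of the same connection was already installed (a rekey) or the close left the connection with none. The function name `classify_closes`, the host name `host` and the last two sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log above; the last two lines
# (a later DELETE with no rekey before it) are invented for illustration.
SAMPLE_LOG = """\
Oct 9 03:13:13 host strongswan: 06[ENC] parsed CREATE_CHILD_SA request 41 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No TSi TSr ]
Oct 9 03:13:13 host strongswan: 06[IKE] inbound CHILD_SA Zabbix-to-Deluxe{34} established with SPIs cf1fd705_i cf9cda04_o and TS x.x.x.x/26 === x.x.x.x/28
Oct 9 03:13:13 host strongswan: 07[IKE] received DELETE for ESP CHILD_SA with SPI c10100ee
Oct 9 03:13:13 host strongswan: 07[IKE] closing CHILD_SA Zabbix-to-Deluxe{28} with SPIs cb6d6584_i (0 bytes) c10100ee_o (0 bytes) and TS x.x.x.x/26 === x.x.x.x/28
Oct 9 03:13:13 host strongswan: 07[IKE] outbound CHILD_SA Zabbix-to-Deluxe{34} established with SPIs cf1fd705_i cf9cda04_o and TS x.x.x.x/26 === x.x.x.x/28
Oct 9 04:02:51 host strongswan: 09[IKE] received DELETE for ESP CHILD_SA with SPI cf9cda04
Oct 9 04:02:51 host strongswan: 09[IKE] closing CHILD_SA Zabbix-to-Deluxe{34} with SPIs cf1fd705_i (0 bytes) cf9cda04_o (0 bytes) and TS x.x.x.x/26 === x.x.x.x/28
"""

TS = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)")
ESTABLISHED = re.compile(r"CHILD_SA (\S+)\{(\d+)\} established")
CLOSING = re.compile(r"closing CHILD_SA (\S+)\{(\d+)\}")


def classify_closes(log_text):
    """Return (time, conn, unique_id, verdict, replacements) per closed CHILD_SA.

    verdict is "rekeyed" when another CHILD_SA of the same conn is already
    installed at close time, and "down" when the close leaves the conn with none.
    """
    live = defaultdict(set)  # conn name -> unique ids currently installed
    closes = []
    for line in log_text.splitlines():
        ts = TS.match(line)
        when = ts.group(1) if ts else "?"
        if (m := ESTABLISHED.search(line)):
            live[m.group(1)].add(int(m.group(2)))
        elif (m := CLOSING.search(line)):
            conn, uid = m.group(1), int(m.group(2))
            live[conn].discard(uid)  # the SA may predate the captured log
            others = sorted(live[conn])
            closes.append((when, conn, uid, "rekeyed" if others else "down", others))
    return closes


if __name__ == "__main__":
    for when, conn, uid, verdict, others in classify_closes(SAMPLE_LOG):
        print(f"{when} {conn}{{{uid}}} closed: {verdict} (still installed: {others})")
```

Run over the full log from establishment to teardown, the "down" entries give the timestamps to line up against the Zabbix trigger and the peer's debug log.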
