Friday, December 7, 2018

Issue with CREATE_CHILD_SA job (first IKEv2 "P2" rekey) from strongSwan to FortiGate and Check Point firewalls

Hi,

I've been trying to get rekeying working between Check Point R80.10 and a mobile router running strongSwan 5.5.3 for quite some time. I'm getting stuck on the first rekey, which sometimes causes a few minutes of pause in traffic.

I later noticed I was having similar issues with a completely different strongSwan setup: a Linux server running strongSwan 5.5.1 connecting to a FortiGate running 6.0.3. I took pcaps on the FortiGate and noticed that it also seems not to respond to the CREATE_CHILD_SA rekeys coming from strongSwan.

I changed the rekey margin on the strongSwan side, and this seems to change the balance so that there is no break, or only a short break, in traffic. It seems that when they end up in this rekey situation, where strongSwan sends CREATE_CHILD_SA jobs that seemingly time out on both peers (no error message is sent by the responder firewalls), the only thing that fixes it is re-initiating the connection.

It also seems that if I try to match the timers on both peers for the CHILD_SA rekey, the break in traffic might be short or nonexistent, but this seems only to mask the underlying issue. Another option to work around this might be to try to make the CHILD_SA rekey be initiated by the firewalls, but optimally I'd like to know what causes the job to time out.

I've also opened a ticket with Check Point about the issue and taken debug logs. The only thing I can decipher is that I see the job coming in and that it times out. In pcaps I can see that the firewalls don't respond to the CREATE_CHILD_SA.

I've examined these CREATE_CHILD_SA packets, and at least the selectors (TSr and TSi) seem to be what they should be, and the proposal is the same.

I'm perhaps inclined to believe that something changed on the firewall side in more recent releases that has broken something. In particular, I'm wondering about IKEv2 reauthentication, which seems to be a somewhat fuzzy concept, and whether the firewalls are "requiring" a reauthentication without properly signalling it or making strongSwan understand, but then I'm not really seeing any SA deletes coming from the firewalls either.

Has anyone encountered silent failures/timeouts of CREATE_CHILD_SA jobs from strongSwan to firewalls?
