
I'm using strongSwan to connect to a MAC server using an IKEv2/IPsec configuration. The server accepts the proposed algorithms to establish the SA and everything works great. Upon rekeying, however, the server denies the proposed algorithms, reverts to a simple IKE exchange and establishes an SA. I've read about twenty RFCs as well as numerous other documents to establish this connection over the past three weeks. I'm no network engineer (just a butcher) and I am slowly learning the ropes. What have I done wrong? Have I proposed the wrong algorithms? I used the connection log to read what algorithms the server expected to establish and rekey. I was recently having trouble with it not rekeying at all. I fixed that, but now this. The log states "ESP not found for rekey". Any help is greatly appreciated!

Edit: I found this, but still need more information. As I know what it means, but not what to do :/.

"IKE rekeying refreshes key material using a Diffie-Hellman exchange, but does not re-check associated credentials. It is supported in IKEv2 only."

Do I need to change my algorithms to an exact DH exchange? Or configure the rekeying itself? And if so, what protocols? Or configure for a recheck of credentials? I'm still researching.

Edit #2: Upon doing some research on this subject, I've read that NAT-T can cause many issues with the rekeying of a tunnel. I personally have no control over this, as you probably know. Is my ISP causing this to happen, possibly to make a VPN useless, or just difficult? I'm currently researching my options, but any input at all is welcome. Thanks.

ToxicTech
  • It's difficult to help you without a complete log of the session (showing the initial connection and the attempted rekeying). But a DH group mismatch could certainly be a problem (not for IKE rekeying but for CHILD_SA/ESP rekeying), so your config would also be helpful. – ecdsa Feb 26 '20 at 09:06
  • But, correct me if I'm wrong, wouldn't I have to change everything included in my configuration and servers? After displaying my encryptions, IP, and server information? Isn't the point of security to keep these types of things out of others' hands? Plz elaborate. – ToxicTech Feb 26 '20 at 09:10
  • Can it be done privately? – ToxicTech Feb 26 '20 at 09:11
  • Unless you configure a log level of 4 in strongSwan, no secrets are logged. If you want to keep your IP addresses and identities private, replace them with unique placeholders (e.g. use SERVER_IP for the server's IP). Likewise for the config. – ecdsa Feb 26 '20 at 09:14
  • Understood. Give me a bit to work on it and I'll post as soon as I can. What about SPIs and requests from the server on protocols? Are those necessary to complete the objective? I guess what I'm asking is what info should I not edit? – ToxicTech Feb 26 '20 at 09:19
  • SPIs are random and could be important to see which SAs are affected, not sure what you mean with "requests from the server on protocols". But try to edit as little as possible. – ecdsa Feb 26 '20 at 09:33
  • After spending all my free time editing the log, converting the files, removing the metadata, and sending all over the country I came to post them and realized I need stupid reputation points to add photos!! Know a workaround? Or can I add files to my post? I can easily convert them to any format to post. That's my first idea :/ – ToxicTech Feb 26 '20 at 23:24
  • Not sure if there is a length limit for the question, but you could just add it there (paste the text, select it and use CTRL-K to indent it by four spaces so it is rendered as preformatted code block). – ecdsa Feb 27 '20 at 08:41
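The DH-group point raised in the comments, as an added illustration that is not the asker's configuration: in strongSwan's ipsec.conf, a DH group in the `esp=` proposal enables PFS for CHILD_SA (ESP) rekeying, and the initial CHILD_SA created during IKE_AUTH involves no DH exchange, so a mismatch there only surfaces at rekey time. The connection name, SERVER_IP and the proposal strings below are placeholders.

```ini
# Added example ipsec.conf fragment; values are assumptions, not the asker's settings.
conn mac-ikev2
    keyexchange=ikev2
    right=SERVER_IP
    # IKE_SA proposal: this DH group is used for the initial exchange and for IKE_SA rekeying.
    ike=aes256-sha256-modp2048
    # CHILD_SA (ESP) proposal. The trailing DH group requests PFS, i.e. a DH exchange on every
    # CHILD_SA rekey. The first CHILD_SA (set up inside IKE_AUTH) never performs that exchange,
    # so a peer that expects a different group, or no group at all, only rejects the proposal
    # when the CHILD_SA is rekeyed. Compare with the peer's log to pick a matching group; to
    # disable PFS instead, use a proposal without a group, e.g. esp=aes256-sha256.
    esp=aes256-sha256-modp2048
    # ikelifetime governs IKE_SA rekeying, lifetime governs CHILD_SA rekeying.
    ikelifetime=24h
    lifetime=1h
    rekey=yes
```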

0 Answers