The server only serves incoming VPN requests; it is for mobile road warriors. The error does not occur right after starting strongSwan or bringing tunnels up, so whether it runs with auto=add or not makes no difference.
strongSwan serves clients fine. It works for a long time until the first DENIAL. It looks like it is somehow related to the reauthentication of an XAuth iOS client, but I can't reproduce it. Sometimes a client reauthenticates fine, as I can see in the logs, but sometimes right after a successful reauth I see this error. There are about 5 active clients right now with 20-30 connections per day, and the server gives me the error once or twice per day. I would not even have noticed it if it did not break accounting at RADIUS.
If ipsec runs in debug mode on the console (--nofork), I don't get this error.
$ sudo cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
The server only serves incoming VPN requests; it is for mobile road warriors. The error does not occur right after starting strongSwan or bringing tunnels up, so whether it runs with auto=add or not makes no difference.
strongSwan serves clients fine. It works for a long time until the first DENIAL. It looks like it is somehow related to the reauthentication of an XAuth iOS client, but I can't reproduce it. Sometimes a client reauthenticates fine, as I can see in the logs, but sometimes right after a successful reauth I see this error. There are about 5 active clients right now with 20-30 connections per day, and the server gives me the error once or twice per day. I would not even have noticed it if it did not break accounting at RADIUS.
If ipsec runs in debug mode on the console (--nofork), I don't get this error.
$ sudo cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
: RSA vpn.server.name.pem
vpn.server.name : PSK "simpletestpsk"
$ sudo cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
strictcrlpolicy=yes
# uniqueids = no
# default options
conn %default
ikelifetime= 60m
rekeymargin= 3m
keyingtries= 1
keylife=20m
inactivity = 60s
dpdaction = clear
dpdtimeout = 5s
dpddelay = 5s
# Add connections here.
conn ikev1-psk-xauth
leftsubnet=0.0.0.0/0
leftfirewall= yes
leftauth= psk
rightsourceip=10.0.0.0/9
rightauth= psk
rightauth2= xauth-eap
<email address hidden>
right=%any
auto=add
conn ikev2-with-eap
keyexchange= ikev2
leftsubnet=0.0.0.0/0
leftfirewall= yes
leftid= "C=US, O=Server.name.co, OU=VPN Dept, CN=vpn.server.name, <email address hidden>"
leftauth= pubkey
leftcert=vpn.server.name.pem
rightsourceip=10.0.0.0/16
rightsendcert= never
rightauth= eap-radius
eap_identity= %identity
right=%any
auto=add
$ sudo cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
dns1 = 8.8.8.8
}
include strongswan.d/*.conf
$ sudo cat /etc/strongswan.d/charon.conf | grep -v '^[[:space:]]*#' | grep .
charon {
crypto_test {
}
host_resolver {
}
leak_detective {
}
processor {
priority_threads {
}
}
tls {
}
x509 {
}
}
$ sudo cat /etc/strongswan.d/charon/xauth-eap.conf | grep -v '^[[:space:]]*#' | grep .
xauth-eap {
backend = radius
load = yes
}
$ sudo cat /etc/strongswan.d/charon/eap-radius.conf | grep -v '^[[:space:]]*#' | grep .
eap-radius {
accounting = yes
load = yes
port = 1812
secret = secret
server = 127.0.0.1
sockets = 1000
dae {
enable = yes
listen = 0.0.0.0
port = 3799
secret = dae_secret
}
forward {
}
servers {
}
xauth {
}
}