strongswan configuration and traffic on tunnel problem IKEv2


I'm new to this area. I tried to configure strongSwan site-to-site with CentOS 7 (different regions) on Google Cloud Platform. I've followed these guides:

  1. https://blog.ruanbekker.com/blog/2018/02/11/setup-a-site-to-site-ipsec-vpn-with-strongswan-and-preshared-key-authentication/
  2. https://www.tecmint.com/setup-ipsec-vpn-with-strongswan-on-centos-rhel-8/
  3. https://medium.com/@georgeswizzalonge/how-to-setup-a-site-to-site-vpn-connection-with-strongswan-32d4ed034ae2

This ipsec.conf comes from site A:

config setup
     charondebug="all"
     strictcrlpolicy=no
     uniqueids = yes

conn sg-to-jkt
    authby=secret
    left=%defaultroute
    leftid=34.xx.xx.xxx
    leftsubnet=10.xxx.x.xx/24
    right=34.xxx.xxx.xxx
    rightsubnet=10.xxx.x.x/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start

ipsec.secrets file, site A:

site-A site-B : PSK "someencryptedkey"

This ipsec.conf comes from site B:

config setup
         charondebug="all"
         strictcrlpolicy=no
         uniqueids = yes

conn jkt-to-sg
        authby=secret
        left=%defaultroute
        leftid=34.xxx.xxx.xxx
        leftsubnet=10.xxx.x.x/24
        right=34.xx.xx.xxx
        rightsubnet=10.xxx.x.xx/24
        ike=aes256-sha2_256-modp1024!
        esp=aes256-sha2_256!
        keyingtries=0
        ikelifetime=1h
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        auto=start

ipsec.secrets file, site B:

site-B site-A : PSK "someencryptedkey"

My questions are:

  1. Why, every time I restart strongSwan (strongswan restart), does the strongswan service (systemctl status strongswan) become dead/inactive? (Note: the strongSwan tunnel is still up.)

     ● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
        Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; vendor preset: disabled)
        Active: inactive (dead) since Sun 2020-10-11 16:37:06 UTC; 32min ago

  2. No traffic on the ESP protocol: tcpdump esp does not display anything, but the strongSwan tunnel is up. I realized that the status gives a different result from the example. The result returns "ESP in UDP SPIs" instead of "ESP SPIs". Is there any difference, or anything else?

Thank you for your help and advice.

Answer by KaNaN:

You might check your systemd service file strongswan.service and change the Type= option.

By default you should have Type=simple, and it works for many systemd service files, but it does not work when the script in ExecStart launches another process and completes. Please consider changing it to explicitly specify Type=forking in the [Service] section so that systemd knows to look at the spawned process rather than the initial one.

From man systemd.service:

If set to forking, it is expected that the process configured with ExecStart= will call fork() as part of its start-up. The parent process is expected to exit when start-up is complete and all communication channels are set up. The child continues to run as the main daemon process. This is the behavior of traditional UNIX daemons. If this setting is used, it is recommended to also use the PIDFile= option, so that systemd can identify the main process of the daemon. systemd will proceed with starting follow-up units as soon as the parent process exits.

Additionally, I have found another thread on Stack Overflow with a similar issue.

But please see man systemd.service for the appropriate type.

For your second question, you might check your firewall; I found another similar case at this link.
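An added example, not from the question or the answer, that turns the "ESP in UDP SPIs" observation in the question into a concrete check: given the CHILD_SA line that `ipsec statusall` prints, it tells you which tcpdump filter will actually see the tunnel's data packets and which inbound rules the host firewall (and the GCP VPC firewall, for the peer's public address) must allow. The status lines, SPIs and the interface name are constructed placeholders.

```shell
#!/usr/bin/env bash
# "ESP in UDP SPIs" in `ipsec statusall` means NAT traversal (NAT-T) is active:
# ESP is wrapped in UDP port 4500, so `tcpdump esp` (IP protocol 50) stays
# empty even while traffic flows. Plain "ESP SPIs" means raw protocol 50.

# Constructed sample lines (placeholder SPIs). GCP instances sit behind 1:1
# NAT, so a working tunnel there normally shows the first form.
SAMPLE_NATT='sg-to-jkt{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0ffee01_i deadbe02_o'
SAMPLE_RAW='sg-to-jkt{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0ffee01_i deadbe02_o'

# Print the tcpdump filter that matches this CHILD_SA's data-plane packets.
capture_filter() {
    case "$1" in
        *"ESP in UDP SPIs"*) printf '%s\n' 'udp port 4500' ;;
        *"ESP SPIs"*)        printf '%s\n' 'esp' ;;
        *)                   printf '%s\n' 'no installed CHILD_SA'; return 1 ;;
    esac
}

# Extract the inbound SPI (the token ending in _i) so that a capture can be
# matched against it; tcpdump decodes UDP-encapsulated ESP and shows the SPI.
inbound_spi() {
    printf '%s\n' "$1" | sed -n 's/.*SPIs: \([0-9a-f]*\)_i.*/\1/p'
}

# Print the inbound traffic the firewalls must pass. IKE always needs UDP 500;
# with NAT-T the data plane is UDP 4500, without it the raw ESP protocol.
required_rules() {
    printf '%s\n' 'udp/500'
    case "$1" in
        *"ESP in UDP SPIs"*) printf '%s\n' 'udp/4500' ;;
        *"ESP SPIs"*)        printf '%s\n' 'esp' ;;
    esac
}

# Demonstration on the constructed samples; on a live host feed in the
# output of `ipsec statusall` instead.
for line in "$SAMPLE_NATT" "$SAMPLE_RAW"; do
    printf 'capture with: tcpdump -ni eth0 %s   (inbound SPI %s)\n' \
        "$(capture_filter "$line")" "$(inbound_spi "$line")"
    printf 'allow inbound: %s\n' "$(required_rules "$line" | tr '\n' ' ')"
done
```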