Hi,

I formed a site-site tunnel between strongswan and Cisco.

R1 ============== R2.

After some time, Strongswan is deleting IKE_SA without sending any notification, which results in rekeying failure with peer. Please find the logs below.
Logs
+++++++++++++++++

Jun 28 13:00:52 uxcasxxx charon: 12[IKE] 172.31.114.211 is initiating an IKE_SA
Jun 28 13:00:52 uxcasxxx charon: 12[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Jun 28 13:00:52 uxcasxxx charon: 12[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Jun 28 13:00:52 uxcasxxx charon: 12[IKE] sending cert request for "C=IN, ST=TN, L=CH, O=CAS, E=saravanan@strongswan.org"
Jun 28 13:00:52 uxcasxxx charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jun 28 13:00:52 uxcasxxx charon: 12[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:00:52 uxcasxxx charon: 14[NET] received packet: from 172.31.114.211[500] to 172.31.114.227[500]
Jun 28 13:00:52 uxcasxxx charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]
Jun 28 13:00:52 uxcasxxx charon: 14[CFG] looking for peer configs matching 172.31.114.227[%any]...172.31.114.211[cross@cas.com]
Jun 28 13:00:52 uxcasxxx charon: 14[CFG] selected peer config 'fqdn_vr'
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] authentication of 'cross@cas.com' with pre-shared key successful
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] authentication of '172.31.114.227' (myself) with pre-shared key
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] deleting duplicate IKE_SA for peer 'cross@cas.com' due to uniqueness policy
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] deleting IKE_SA fqdn_vr[3] between 172.31.114.227[172.31.114.227]...172.31.114.211[cross@cas.com]
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] sending DELETE for IKE_SA fqdn_vr[3]
Jun 28 13:00:52 uxcasxxx charon: 14[ENC] generating INFORMATIONAL request 0 [ D ]
Jun 28 13:00:52 uxcasxxx charon: 14[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] IKE_SA fqdn_vr[4] established between 172.31.114.227[172.31.114.227]...172.31.114.211[cross@cas.com]
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] CHILD_SA fqdn_vr{4} established with SPIs c42991a0_i 4f98c63c_o and TS 172.31.114.227/32 === 0.0.0.0/0
Jun 28 13:00:52 uxcasxxx charon: 14[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Jun 28 13:00:52 uxcasxxx charon: 14[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:00:56 uxcasxxx charon: 13[IKE] retransmit 1 of request with message ID 0
Jun 28 13:00:56 uxcasxxx charon: 13[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:01:04 uxcasxxx charon: 07[IKE] retransmit 2 of request with message ID 0
Jun 28 13:01:04 uxcasxxx charon: 07[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:01:17 uxcasxxx charon: 08[IKE] retransmit 3 of request with message ID 0
Jun 28 13:01:17 uxcasxxx charon: 08[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:01:22 uxcasxxx charon: 10[IKE] destroying IKE_SA in state DELETING without notification

Conf:
 cacert=ikeca_fqdn.crt
 auto=add

config setup
 plutostart=yes
 plutodebug=all
 charonstart=yes
 charondebug=all
 nat_traversal=yes
 crlcheckinterval=10m
 strictcrlpolicy=no

conn %default
 ikelifetime=1h
 keylife=2h
 keyingtries=1

conn fqdn_vr
 auth=esp
 type=tunnel
 keyexchange=ikev2
 left=172.31.114.227
 right=%any
 rightid=cross@cas.com
 rightsubnet=0.0.0.0/0
 authby=secret
 pfs=no
 rekey=no
 auto=add

ipsec.secrets
++++++++++
172.31.114.227 cross@cas.com : PSK "sachinten1"

Please provide your inputs on this.

Regards,
Saravanan N
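As an added example (not part of this post, and not strongSwan code), a small Python checker for the failure pattern shown in the log above: it walks charon log lines, pairs each "sending DELETE" with the message ID of the INFORMATIONAL request that carries it, counts the retransmits, notes which IKE_SA came up while the DELETE was still outstanding, and reports the torn-down SA when charon gives up "without notification". The sample lines are constructed from the post's log; attributing the final "destroying" line to the oldest outstanding DELETE is a heuristic, since charon does not name the SA on that line.

```python
import re
from collections import OrderedDict

# Constructed sample, condensed from the charon log lines quoted in the post above.
SAMPLE_LOG = """\
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] deleting duplicate IKE_SA for peer 'cross@cas.com' due to uniqueness policy
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] sending DELETE for IKE_SA fqdn_vr[3]
Jun 28 13:00:52 uxcasxxx charon: 14[ENC] generating INFORMATIONAL request 0 [ D ]
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] IKE_SA fqdn_vr[4] established between 172.31.114.227[172.31.114.227]...172.31.114.211[cross@cas.com]
Jun 28 13:00:56 uxcasxxx charon: 13[IKE] retransmit 1 of request with message ID 0
Jun 28 13:01:04 uxcasxxx charon: 07[IKE] retransmit 2 of request with message ID 0
Jun 28 13:01:17 uxcasxxx charon: 08[IKE] retransmit 3 of request with message ID 0
Jun 28 13:01:22 uxcasxxx charon: 10[IKE] destroying IKE_SA in state DELETING without notification
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[\w+\] (?P<msg>.*)$")
SA_RE = re.compile(r"IKE_SA (?P<sa>\w+\[\d+\])")

def analyze(log_text):
    """Map IKE_SA id -> record for every DELETE that was torn down without a peer reply."""
    pending, findings, reason = OrderedDict(), {}, "unknown"   # pending: DELETEs awaiting a reply
    for raw in log_text.splitlines():
        if not (m := LINE_RE.match(raw)):
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if "deleting duplicate IKE_SA" in msg:          # remember why the teardown started
            reason = "uniqueness policy" if "uniqueness policy" in msg else "duplicate"
        elif msg.startswith("sending DELETE for IKE_SA"):
            sa = SA_RE.search(msg).group("sa")
            pending[sa] = {"sa": sa, "reason": reason, "delete_sent": ts, "msg_id": None,
                           "retransmits": 0, "replacements": [], "acknowledged": False}
            reason = "unknown"
        elif msg.startswith("generating INFORMATIONAL request") and pending:
            pending[next(reversed(pending))]["msg_id"] = int(msg.split()[3])  # DELETE rides in this request
        elif msg.startswith("retransmit "):
            mid = int(msg.rsplit(" ", 1)[1])            # "... with message ID <n>"
            for rec in (r for r in pending.values() if r["msg_id"] == mid):
                rec["retransmits"] += 1
        elif msg.startswith("parsed INFORMATIONAL response"):
            mid = int(msg.split()[3])                   # peer answered: DELETE acknowledged
            for sa in [s for s, r in pending.items() if r["msg_id"] == mid]:
                pending.pop(sa)["acknowledged"] = True
        elif " established between " in msg:            # an SA came up while a DELETE was outstanding
            for rec in pending.values():
                rec["replacements"].append(SA_RE.search(msg).group("sa"))
        elif "destroying IKE_SA in state DELETING without notification" in msg and pending:
            sa, rec = pending.popitem(last=False)       # charon names no SA here: take the oldest
            rec["destroyed"] = ts
            findings[sa] = rec
    return findings
```

Running `analyze(SAMPLE_LOG)` returns one record for fqdn_vr[3]: DELETE triggered by the uniqueness policy, three retransmits of message ID 0, fqdn_vr[4] established in the meantime, no acknowledgement before the SA was destroyed.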