<html>
<head>
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Georgia">Setup/Config: Debian Squeeze, 64 bit,
strongSwan 5.0.4 talking to Cisco 3925 on the other side. </font>Here
is my current configuration (to which I've been doing various tweaks
and adjustments over the weeks to try to gain control of stability).<br>
<br>
<pre>root@m50-aws-strongSwan: ~ # cat /usr/local/etc/ipsec.conf
config setup
 uniqueids=yes

conn %default
 ikelifetime=28800s
 lifetime=7557s
 margintime=2m
 keyingtries=%forever
 keyexchange=ikev1
 ike=3des-sha1-modp1024!
 esp=3des-sha1!
 type=transport
 dpdaction=restart
 rightauth=psk
 leftauth=psk
 leftid=33.33.33.33
 left=10.55.55.250
 leftsubnet=10.55.55.0/24
 leftfirewall=yes
 lefthostaccess=yes

conn aws-mia
 right=111.111.111.111
 rightid=111.111.111.111
 rightsubnet=10.238.0.0/15
 auto=add

conn aws-cjr
 right=222.222.222.222
 rightid=222.222.222.222
 rightsubnet=10.238.0.0/15
 auto=ignore</pre>
<br>
(The Cisco does not answer appropriately to our DPD requests, so
dpdaction automatically switches to disabled on startup)<br>
<br>
The system will run for a day or so, successfully stepping through
IKE rekeys, as well as ESP CHILD_SA rekeys. Then, seemingly at
random, an ESP rekey will fail as follows (including some logging
from 'good' state before it begins failing):<br>
<pre>May 31 07:55:22 m50-aws-strongSwan charon: 11[IKE] sending keep alive to 111.111.111.111[4500]
May 31 07:55:42 m50-aws-strongSwan charon: 13[IKE] sending keep alive to 111.111.111.111[4500]
May 31 07:56:22 m50-aws-strongSwan charon: 15[IKE] sending keep alive to 111.111.111.111[4500]
May 31 07:56:42 m50-aws-strongSwan charon: 16[IKE] sending keep alive to 111.111.111.111[4500]
May 31 07:57:01 m50-aws-strongSwan charon: 17[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (92 bytes)
May 31 07:57:01 m50-aws-strongSwan charon: 17[ENC] parsed INFORMATIONAL_V1 request 3179819735 [ HASH N(DPD) ]
May 31 07:57:01 m50-aws-strongSwan charon: 17[ENC] generating INFORMATIONAL_V1 request 1546506389 [ HASH N(DPD_ACK) ]
May 31 07:57:01 m50-aws-strongSwan charon: 17[NET] sending packet: from 10.55.55.250[4500] to 111.111.111.111[4500] (92 bytes)
May 31 07:57:22 m50-aws-strongSwan charon: 02[IKE] sending keep alive to 111.111.111.111[4500]
May 31 07:57:42 m50-aws-strongSwan charon: 19[IKE] sending keep alive to 111.111.111.111[4500]
May 31 07:58:22 m50-aws-strongSwan charon: 22[IKE] sending keep alive to 111.111.111.111[4500]
May 31 07:58:42 m50-aws-strongSwan charon: 21[IKE] sending keep alive to 111.111.111.111[4500]
May 31 07:59:02 m50-aws-strongSwan charon: 23[IKE] sending keep alive to 111.111.111.111[4500]
May 31 07:59:03 m50-aws-strongSwan charon: 24[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (92 bytes)
May 31 07:59:03 m50-aws-strongSwan charon: 24[ENC] parsed INFORMATIONAL_V1 request 3429124245 [ HASH N(DPD) ]
May 31 07:59:03 m50-aws-strongSwan charon: 24[ENC] generating INFORMATIONAL_V1 request 3609536683 [ HASH N(DPD_ACK) ]
May 31 07:59:03 m50-aws-strongSwan charon: 24[NET] sending packet: from 10.55.55.250[4500] to 111.111.111.111[4500] (92 bytes)
May 31 07:59:23 m50-aws-strongSwan charon: 26[IKE] sending keep alive to 111.111.111.111[4500]
May 31 07:59:43 m50-aws-strongSwan charon: 27[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:00:13 m50-aws-strongSwan charon: 05[KNL] creating rekey job for ESP CHILD_SA with SPI b7123e4f and reqid {8}
May 31 08:00:13 m50-aws-strongSwan charon: 29[ENC] generating QUICK_MODE request 3342525294 [ HASH SA No ID ID NAT-OA NAT-OA ]
May 31 08:00:13 m50-aws-strongSwan charon: 29[NET] sending packet: from 10.55.55.250[4500] to 111.111.111.111[4500] (196 bytes)
May 31 08:00:13 m50-aws-strongSwan charon: 32[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (84 bytes)
May 31 08:00:13 m50-aws-strongSwan charon: 32[ENC] parsed INFORMATIONAL_V1 request 1088404155 [ HASH N(NO_PROP) ]
May 31 08:00:13 m50-aws-strongSwan charon: 32[IKE] received NO_PROPOSAL_CHOSEN error notify
May 31 08:00:37 m50-aws-strongSwan charon: 01[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:00:57 m50-aws-strongSwan charon: 12[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:01:01 m50-aws-strongSwan charon: 11[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (92 bytes)
May 31 08:01:01 m50-aws-strongSwan charon: 11[ENC] parsed INFORMATIONAL_V1 request 1115222760 [ HASH N(DPD) ]
May 31 08:01:01 m50-aws-strongSwan charon: 11[ENC] generating INFORMATIONAL_V1 request 584931265 [ HASH N(DPD_ACK) ]
May 31 08:01:01 m50-aws-strongSwan charon: 11[NET] sending packet: from 10.55.55.250[4500] to 111.111.111.111[4500] (92 bytes)
May 31 08:01:22 m50-aws-strongSwan charon: 14[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:01:23 m50-aws-strongSwan charon: 05[KNL] creating rekey job for ESP CHILD_SA with SPI c908682a and reqid {8}
May 31 08:01:42 m50-aws-strongSwan charon: 18[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:02:22 m50-aws-strongSwan charon: 19[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:02:42 m50-aws-strongSwan charon: 20[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:03:02 m50-aws-strongSwan charon: 22[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (92 bytes)
May 31 08:03:02 m50-aws-strongSwan charon: 22[ENC] parsed INFORMATIONAL_V1 request 3826083630 [ HASH N(DPD) ]
May 31 08:03:02 m50-aws-strongSwan charon: 22[ENC] generating INFORMATIONAL_V1 request 3152773781 [ HASH N(DPD_ACK) ]
May 31 08:03:02 m50-aws-strongSwan charon: 22[NET] sending packet: from 10.55.55.250[4500] to 111.111.111.111[4500] (92 bytes)
May 31 08:03:22 m50-aws-strongSwan charon: 23[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:03:42 m50-aws-strongSwan charon: 24[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:04:00 m50-aws-strongSwan charon: 05[KNL] creating delete job for ESP CHILD_SA with SPI b7123e4f and reqid {8}
May 31 08:04:00 m50-aws-strongSwan charon: 05[KNL] creating delete job for ESP CHILD_SA with SPI c908682a and reqid {8}
May 31 08:04:00 m50-aws-strongSwan charon: 25[IKE] closing expired CHILD_SA aws-mia{8} with SPIs c908682a_i b7123e4f_o and TS 10.55.55.0/24 === 10.238.0.0/15
May 31 08:04:00 m50-aws-strongSwan charon: 25[IKE] sending DELETE for ESP CHILD_SA with SPI c908682a
May 31 08:04:00 m50-aws-strongSwan charon: 25[ENC] generating INFORMATIONAL_V1 request 2852154893 [ HASH D ]
May 31 08:04:00 m50-aws-strongSwan charon: 25[NET] sending packet: from 10.55.55.250[4500] to 111.111.111.111[4500] (76 bytes)
May 31 08:04:00 m50-aws-strongSwan charon: 25[JOB] CHILD_SA with reqid 8 not found for delete
May 31 08:04:02 m50-aws-strongSwan charon: 28[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (428 bytes)
May 31 08:04:02 m50-aws-strongSwan charon: 28[ENC] parsed QUICK_MODE request 2462387570 [ HASH SA No ID ID ]
May 31 08:04:02 m50-aws-strongSwan charon: 28[IKE] received 28800s lifetime, configured 7557s
May 31 08:04:02 m50-aws-strongSwan charon: 28[IKE] received 4608000000 lifebytes, configured 0
May 31 08:04:02 m50-aws-strongSwan charon: 28[ENC] generating QUICK_MODE response 2462387570 [ HASH SA No ID ID ]
May 31 08:04:02 m50-aws-strongSwan charon: 28[NET] sending packet: from 10.55.55.250[4500] to 111.111.111.111[4500] (188 bytes)
May 31 08:04:02 m50-aws-strongSwan charon: 29[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (84 bytes)
May 31 08:04:02 m50-aws-strongSwan charon: 29[ENC] parsed INFORMATIONAL_V1 request 3047370345 [ HASH N(NO_PROP) ]
May 31 08:04:02 m50-aws-strongSwan charon: 29[IKE] received NO_PROPOSAL_CHOSEN error notify
May 31 08:04:27 m50-aws-strongSwan charon: 31[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:04:32 m50-aws-strongSwan charon: 01[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (428 bytes)
May 31 08:04:32 m50-aws-strongSwan charon: 01[ENC] parsed QUICK_MODE request 483109687 [ HASH SA No ID ID ]
May 31 08:04:32 m50-aws-strongSwan charon: 01[IKE] received 28800s lifetime, configured 7557s
May 31 08:04:32 m50-aws-strongSwan charon: 01[IKE] received 4608000000 lifebytes, configured 0
May 31 08:04:32 m50-aws-strongSwan charon: 01[ENC] generating QUICK_MODE response 483109687 [ HASH SA No ID ID ]
May 31 08:04:32 m50-aws-strongSwan charon: 01[NET] sending packet: from 10.55.55.250[4500] to 111.111.111.111[4500] (188 bytes)
May 31 08:04:32 m50-aws-strongSwan charon: 12[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (84 bytes)
May 31 08:04:32 m50-aws-strongSwan charon: 12[ENC] parsed INFORMATIONAL_V1 request 2232717815 [ HASH N(NO_PROP) ]
May 31 08:04:32 m50-aws-strongSwan charon: 12[IKE] received NO_PROPOSAL_CHOSEN error notify
May 31 08:04:57 m50-aws-strongSwan charon: 16[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:05:17 m50-aws-strongSwan charon: 17[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:05:37 m50-aws-strongSwan charon: 18[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:05:57 m50-aws-strongSwan charon: 02[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:06:01 m50-aws-strongSwan charon: 19[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (428 bytes)
May 31 08:06:01 m50-aws-strongSwan charon: 19[ENC] parsed QUICK_MODE request 1317659073 [ HASH SA No ID ID ]
May 31 08:06:01 m50-aws-strongSwan charon: 19[IKE] received 28800s lifetime, configured 7557s
May 31 08:06:01 m50-aws-strongSwan charon: 19[IKE] received 4608000000 lifebytes, configured 0
May 31 08:06:01 m50-aws-strongSwan charon: 19[ENC] generating QUICK_MODE response 1317659073 [ HASH SA No ID ID ]
May 31 08:06:01 m50-aws-strongSwan charon: 19[NET] sending packet: from 10.55.55.250[4500] to 111.111.111.111[4500] (188 bytes)
May 31 08:06:01 m50-aws-strongSwan charon: 20[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (84 bytes)
May 31 08:06:01 m50-aws-strongSwan charon: 20[ENC] parsed INFORMATIONAL_V1 request 1849798747 [ HASH N(NO_PROP) ]
May 31 08:06:01 m50-aws-strongSwan charon: 20[IKE] received NO_PROPOSAL_CHOSEN error notify
May 31 08:06:25 m50-aws-strongSwan charon: 23[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:06:31 m50-aws-strongSwan charon: 24[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (428 bytes)
May 31 08:06:31 m50-aws-strongSwan charon: 24[ENC] parsed QUICK_MODE request 2767516641 [ HASH SA No ID ID ]
May 31 08:06:31 m50-aws-strongSwan charon: 24[IKE] received 28800s lifetime, configured 7557s
May 31 08:06:31 m50-aws-strongSwan charon: 24[IKE] received 4608000000 lifebytes, configured 0
May 31 08:06:31 m50-aws-strongSwan charon: 24[ENC] generating QUICK_MODE response 2767516641 [ HASH SA No ID ID ]
May 31 08:06:31 m50-aws-strongSwan charon: 24[NET] sending packet: from 10.55.55.250[4500] to 111.111.111.111[4500] (188 bytes)
May 31 08:06:31 m50-aws-strongSwan charon: 25[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (84 bytes)
May 31 08:06:31 m50-aws-strongSwan charon: 25[ENC] parsed INFORMATIONAL_V1 request 1820100041 [ HASH N(NO_PROP) ]
May 31 08:06:31 m50-aws-strongSwan charon: 25[IKE] received NO_PROPOSAL_CHOSEN error notify
May 31 08:06:55 m50-aws-strongSwan charon: 32[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:07:02 m50-aws-strongSwan charon: 30[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (428 bytes)
May 31 08:07:02 m50-aws-strongSwan charon: 30[ENC] parsed QUICK_MODE request 1428916151 [ HASH SA No ID ID ]
May 31 08:07:02 m50-aws-strongSwan charon: 30[IKE] received 28800s lifetime, configured 7557s
May 31 08:07:02 m50-aws-strongSwan charon: 30[IKE] received 4608000000 lifebytes, configured 0
May 31 08:07:02 m50-aws-strongSwan charon: 30[ENC] generating QUICK_MODE response 1428916151 [ HASH SA No ID ID ]
May 31 08:07:02 m50-aws-strongSwan charon: 30[NET] sending packet: from 10.55.55.250[4500] to 111.111.111.111[4500] (188 bytes)
May 31 08:07:02 m50-aws-strongSwan charon: 31[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (84 bytes)
May 31 08:07:02 m50-aws-strongSwan charon: 31[ENC] parsed INFORMATIONAL_V1 request 78006912 [ HASH N(NO_PROP) ]
May 31 08:07:02 m50-aws-strongSwan charon: 31[IKE] received NO_PROPOSAL_CHOSEN error notify
May 31 08:07:27 m50-aws-strongSwan charon: 13[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:07:32 m50-aws-strongSwan charon: 11[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (428 bytes)
May 31 08:07:32 m50-aws-strongSwan charon: 11[ENC] parsed QUICK_MODE request 2963864971 [ HASH SA No ID ID ]
May 31 08:07:32 m50-aws-strongSwan charon: 11[IKE] received 28800s lifetime, configured 7557s
May 31 08:07:32 m50-aws-strongSwan charon: 11[IKE] received 4608000000 lifebytes, configured 0
May 31 08:07:32 m50-aws-strongSwan charon: 11[ENC] generating QUICK_MODE response 2963864971 [ HASH SA No ID ID ]
May 31 08:07:32 m50-aws-strongSwan charon: 11[NET] sending packet: from 10.55.55.250[4500] to 111.111.111.111[4500] (188 bytes)
May 31 08:07:32 m50-aws-strongSwan charon: 14[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (84 bytes)
May 31 08:07:32 m50-aws-strongSwan charon: 14[ENC] parsed INFORMATIONAL_V1 request 1933256433 [ HASH N(NO_PROP) ]
May 31 08:07:32 m50-aws-strongSwan charon: 14[IKE] received NO_PROPOSAL_CHOSEN error notify
May 31 08:07:57 m50-aws-strongSwan charon: 17[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:08:17 m50-aws-strongSwan charon: 18[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:08:37 m50-aws-strongSwan charon: 20[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:08:57 m50-aws-strongSwan charon: 22[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:09:02 m50-aws-strongSwan charon: 21[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (428 bytes)
May 31 08:09:02 m50-aws-strongSwan charon: 21[ENC] parsed QUICK_MODE request 306220597 [ HASH SA No ID ID ]
May 31 08:09:02 m50-aws-strongSwan charon: 21[IKE] received 28800s lifetime, configured 7557s
May 31 08:09:02 m50-aws-strongSwan charon: 21[IKE] received 4608000000 lifebytes, configured 0
May 31 08:09:02 m50-aws-strongSwan charon: 21[ENC] generating QUICK_MODE response 306220597 [ HASH SA No ID ID ]
May 31 08:09:02 m50-aws-strongSwan charon: 21[NET] sending packet: from 10.55.55.250[4500] to 111.111.111.111[4500] (188 bytes)
May 31 08:09:02 m50-aws-strongSwan charon: 23[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (84 bytes)
May 31 08:09:02 m50-aws-strongSwan charon: 23[ENC] parsed INFORMATIONAL_V1 request 1230897943 [ HASH N(NO_PROP) ]
May 31 08:09:02 m50-aws-strongSwan charon: 23[IKE] received NO_PROPOSAL_CHOSEN error notify
May 31 08:09:26 m50-aws-strongSwan charon: 27[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:09:32 m50-aws-strongSwan charon: 26[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (428 bytes)
May 31 08:09:32 m50-aws-strongSwan charon: 26[ENC] parsed QUICK_MODE request 3014147266 [ HASH SA No ID ID ]
May 31 08:09:32 m50-aws-strongSwan charon: 26[IKE] received 28800s lifetime, configured 7557s
May 31 08:09:32 m50-aws-strongSwan charon: 26[IKE] received 4608000000 lifebytes, configured 0
May 31 08:09:32 m50-aws-strongSwan charon: 26[ENC] generating QUICK_MODE response 3014147266 [ HASH SA No ID ID ]
May 31 08:09:32 m50-aws-strongSwan charon: 26[NET] sending packet: from 10.55.55.250[4500] to 111.111.111.111[4500] (188 bytes)
May 31 08:09:32 m50-aws-strongSwan charon: 28[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (84 bytes)
May 31 08:09:32 m50-aws-strongSwan charon: 28[ENC] parsed INFORMATIONAL_V1 request 426631805 [ HASH N(NO_PROP) ]
May 31 08:09:32 m50-aws-strongSwan charon: 28[IKE] received NO_PROPOSAL_CHOSEN error notify
May 31 08:09:56 m50-aws-strongSwan charon: 30[IKE] sending keep alive to 111.111.111.111[4500]
May 31 08:10:02 m50-aws-strongSwan charon: 31[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (428 bytes)
May 31 08:10:02 m50-aws-strongSwan charon: 31[ENC] parsed QUICK_MODE request 2589082521 [ HASH SA No ID ID ]
May 31 08:10:02 m50-aws-strongSwan charon: 31[IKE] received 28800s lifetime, configured 7557s
May 31 08:10:02 m50-aws-strongSwan charon: 31[IKE] received 4608000000 lifebytes, configured 0
May 31 08:10:02 m50-aws-strongSwan charon: 31[ENC] generating QUICK_MODE response 2589082521 [ HASH SA No ID ID ]
May 31 08:10:02 m50-aws-strongSwan charon: 31[NET] sending packet: from 10.55.55.250[4500] to 111.111.111.111[4500] (188 bytes)
May 31 08:10:02 m50-aws-strongSwan charon: 01[NET] received packet: from 111.111.111.111[4500] to 10.55.55.250[4500] (84 bytes)</pre>
<br>
Repeating until I log into the server and issue an ipsec restart,
after which it resumes a happy session.<br>
<br>
<pre>May 31 08:17:48 m50-aws-strongSwan charon: 00[DMN] signal of type SIGINT received. Shutting down
May 31 08:17:48 m50-aws-strongSwan charon: 00[IKE] deleting IKE_SA aws-mia[3] between 10.55.55.250[33.33.33.33]...111.111.111.111[111.111.111.111]
May 31 08:17:48 m50-aws-strongSwan charon: 00[IKE] sending DELETE for IKE_SA aws-mia[3]
May 31 08:17:48 m50-aws-strongSwan charon: 00[ENC] generating INFORMATIONAL_V1 request 3808362594 [ HASH D ]
May 31 08:17:48 m50-aws-strongSwan charon: 00[NET] sending packet: from 10.55.55.250[4500] to 111.111.111.111[4500] (84 bytes)
May 31 08:17:51 m50-aws-strongSwan charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 2.6.32-5-xen-amd64, x86_64)
{etc.}</pre>
<br>
This is a different failure from what I was experiencing a few weeks
back with the 'sa payload missing' errors which no longer occur.<br>
<br>
Does anything stand out as obviously wrong in my config? Or is this
yet another edge case in connecting to a Cisco?<br>
<br>
Oh, lastly, example of existing, happy connection:<br>
<br>
<pre>root@m50-aws-strongSwan: ~ # ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.32-5-xen-amd64, x86_64):
 uptime: 3 hours, since May 31 08:17:52 2013
 malloc: sbrk 401408, mmap 0, used 246128, free 155280
 worker threads: 23 of 32 idle, 8/1/0/0 working, job queue: 0/0/0/0, scheduled: 3
 loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic duplicheck
Listening IP addresses:
 10.55.55.250
Connections:
 aws-mia: 10.55.55.250...111.111.111.111 IKEv1, dpddelay=30s
 aws-mia: local: [33.33.33.33] uses pre-shared key authentication
 aws-mia: remote: [111.111.111.111] uses pre-shared key authentication
 aws-mia: child: 10.55.55.0/24 === 10.238.0.0/15 TRANSPORT, dpdaction=restart
Security Associations (1 up, 0 connecting):
 aws-mia[1]: ESTABLISHED 3 hours ago, 10.55.55.250[33.33.33.33]...111.111.111.111[111.111.111.111]
 aws-mia[1]: IKEv1 SPIs: 1c0cb1cd39f64b3d_i 19da2677bd51fbad_r*, pre-shared key reauthentication in 4 hours
 aws-mia[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
 aws-mia{2}: INSTALLED, TUNNEL, ESP in UDP SPIs: ce0c19a6_i 46563499_o
 aws-mia{2}: 3DES_CBC/HMAC_SHA1_96, 17724 bytes_i (211 pkts, 41s ago), 17724 bytes_o (211 pkts, 41s ago), rekeying in 37 minutes
 aws-mia{2}: 10.55.55.0/24 === 10.238.0.0/15</pre>
<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Paul Theodoropoulos
<a class="moz-txt-link-abbreviated" href="http://www.anastrophe.com">www.anastrophe.com</a></pre>
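The failure pattern in the log above has a recognisable shape: a kernel rekey job, a QUICK_MODE exchange, then a NO_PROPOSAL_CHOSEN notify, repeated until the old CHILD_SA expires with nothing to replace it (the "closing expired CHILD_SA" and "not found for delete" lines), after which the peer's own QUICK_MODE requests are also rejected every 30 seconds. The poster only noticed it by logging in and restarting; the following script, added here as an editor's example and not part of the post or of strongSwan itself, walks charon syslog lines in order and turns that shape into an alert condition so it can be caught by a log monitor instead. The sample input is constructed for the example (the host name and the healthy-case message ids and SPIs are made up; the failing-case values are copied from the post), and the "established with SPIs" message it recognises is the line charon logs when a CHILD_SA comes up.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Line layout follows the syslog output quoted in the post:
# "<timestamp> <host> charon: <thread>[<group>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
QUICK_MODE_RE = re.compile(r"(generating|parsed) QUICK_MODE (request|response) \d+")
NO_PROP_RE = re.compile(r"received NO_PROPOSAL_CHOSEN error notify")
ESTABLISHED_RE = re.compile(r"CHILD_SA \S+\{\d+\} established with SPIs")
EXPIRED_RE = re.compile(r"closing expired CHILD_SA (?P<conn>\S+)\{(?P<reqid>\d+)\}")
ORPHAN_DELETE_RE = re.compile(r"CHILD_SA with reqid (?P<reqid>\d+) not found for delete")


@dataclass
class RekeyReport:
    failed_attempts: int = 0        # QUICK_MODE exchanges answered with NO_PROPOSAL_CHOSEN
    consecutive_failures: int = 0   # failures since the last CHILD_SA that did come up
    established: int = 0
    tunnel_down: bool = False       # a CHILD_SA expired after its rekey had already failed
    expired_without_replacement: List[Tuple[str, str, str]] = field(default_factory=list)
    orphan_deletes: List[Tuple[str, str]] = field(default_factory=list)
    first_failure_ts: Optional[str] = None
    last_failure_ts: Optional[str] = None


def analyze(lines) -> RekeyReport:
    """Walk charon log lines in order and tally IKEv1 CHILD_SA rekey outcomes."""
    report = RekeyReport()
    quick_mode_in_flight = False
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a charon line
        ts, msg = m.group("ts"), m.group("msg")
        if QUICK_MODE_RE.search(msg):
            quick_mode_in_flight = True
        elif NO_PROP_RE.search(msg) and quick_mode_in_flight:
            # The peer rejected the QUICK_MODE exchange we just saw.
            report.failed_attempts += 1
            report.consecutive_failures += 1
            report.first_failure_ts = report.first_failure_ts or ts
            report.last_failure_ts = ts
            quick_mode_in_flight = False
        elif ESTABLISHED_RE.search(msg):
            report.established += 1
            report.consecutive_failures = 0
            report.tunnel_down = False
            quick_mode_in_flight = False
        else:
            e = EXPIRED_RE.search(msg)
            if e and report.consecutive_failures > 0:
                # The old SA aged out and no replacement exists for that reqid.
                report.expired_without_replacement.append((ts, e.group("conn"), e.group("reqid")))
                report.tunnel_down = True
                continue
            o = ORPHAN_DELETE_RE.search(msg)
            if o:
                report.orphan_deletes.append((ts, o.group("reqid")))
    return report


def rekey_loop_detected(report: RekeyReport, threshold: int = 3) -> bool:
    """Alert condition: the tunnel is down, or the peer keeps rejecting rekeys."""
    return report.tunnel_down or report.consecutive_failures >= threshold


# Constructed sample input (see lead-in); the failing case mirrors the post.
FAILING_LOG = """\
May 31 08:00:13 gw charon: 05[KNL] creating rekey job for ESP CHILD_SA with SPI b7123e4f and reqid {8}
May 31 08:00:13 gw charon: 29[ENC] generating QUICK_MODE request 3342525294 [ HASH SA No ID ID NAT-OA NAT-OA ]
May 31 08:00:13 gw charon: 32[IKE] received NO_PROPOSAL_CHOSEN error notify
May 31 08:01:23 gw charon: 05[KNL] creating rekey job for ESP CHILD_SA with SPI c908682a and reqid {8}
May 31 08:04:00 gw charon: 25[IKE] closing expired CHILD_SA aws-mia{8} with SPIs c908682a_i b7123e4f_o and TS 10.55.55.0/24 === 10.238.0.0/15
May 31 08:04:00 gw charon: 25[JOB] CHILD_SA with reqid 8 not found for delete
May 31 08:04:02 gw charon: 28[ENC] parsed QUICK_MODE request 2462387570 [ HASH SA No ID ID ]
May 31 08:04:02 gw charon: 28[ENC] generating QUICK_MODE response 2462387570 [ HASH SA No ID ID ]
May 31 08:04:02 gw charon: 29[IKE] received NO_PROPOSAL_CHOSEN error notify
May 31 08:04:32 gw charon: 01[ENC] parsed QUICK_MODE request 483109687 [ HASH SA No ID ID ]
May 31 08:04:32 gw charon: 01[ENC] generating QUICK_MODE response 483109687 [ HASH SA No ID ID ]
May 31 08:04:32 gw charon: 12[IKE] received NO_PROPOSAL_CHOSEN error notify
May 31 08:06:01 gw charon: 19[ENC] parsed QUICK_MODE request 1317659073 [ HASH SA No ID ID ]
May 31 08:06:01 gw charon: 19[ENC] generating QUICK_MODE response 1317659073 [ HASH SA No ID ID ]
May 31 08:06:01 gw charon: 20[IKE] received NO_PROPOSAL_CHOSEN error notify
"""

HEALTHY_LOG = """\
May 31 03:00:13 gw charon: 05[KNL] creating rekey job for ESP CHILD_SA with SPI 11111111 and reqid {8}
May 31 03:00:13 gw charon: 07[ENC] generating QUICK_MODE request 100000001 [ HASH SA No ID ID NAT-OA NAT-OA ]
May 31 03:00:13 gw charon: 08[ENC] parsed QUICK_MODE response 100000001 [ HASH SA No ID ID NAT-OA NAT-OA ]
May 31 03:00:13 gw charon: 08[IKE] CHILD_SA aws-mia{9} established with SPIs 22222222_i 33333333_o and TS 10.55.55.0/24 === 10.238.0.0/15
May 31 03:00:33 gw charon: 09[IKE] sending keep alive to 111.111.111.111[4500]
"""

if __name__ == "__main__":
    for name, text in (("failing", FAILING_LOG), ("healthy", HEALTHY_LOG)):
        r = analyze(text.splitlines())
        print(f"{name}: alert={rekey_loop_detected(r)} failed={r.failed_attempts} "
              f"tunnel_down={r.tunnel_down} window={r.first_failure_ts}..{r.last_failure_ts}")
```

Feed it the daemon's syslog (for example a tail of /var/log/syslog filtered on "charon:") and page on rekey_loop_detected(); the threshold of three consecutive NO_PROPOSAL_CHOSEN replies is arbitrary and can be tuned to the rekey interval in use. The counter is reset only by an "established with SPIs" line, so a single transient rejection followed by a successful rekey does not alert.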
</body>
</html>