<div dir="ltr"><div>Hi,</div><div><br></div><div>I am trying to replace a Juniper device with strongSwan and migrate a few hundred IPsec tunnels in the process. The good thing is that all tunnels are ikev1/net2net_psk, the bad thing is that I don't control the other peers. This makes any troubleshooting process more cumbersome.</div>
<div><br></div><div>One issue that I noticed so far, is that while on Juniper the tunnels seem stable (i.e. rekeying occurs only when the SAs are about to expire), on strongSwan some tunnels go down after a short while. According to the logs, the other peer is actually triggering the deletion of SAs.</div>
<div><br></div><div>This is an example:</div><div><br></div><div>Oct 24 07:41:27 28[IKE] <S_vpn-1|809> initiating Main Mode IKE_SA S_vpn-1[809] to 10.20.0.1</div><div>Oct 24 07:41:27 26[IKE] <S_vpn-1|809> IKE_SA S_vpn-1[809] established between 10.10.0.1[10.10.0.1]...10.20.0.1[10.20.0.1]</div>
<div>Oct 24 07:41:27 26[IKE] <S_vpn-1|809> scheduling reauthentication in 27948s</div><div>Oct 24 07:41:27 26[IKE] <S_vpn-1|809> maximum IKE_SA lifetime 28488s</div><div>Oct 24 07:41:27 25[IKE] <S_vpn-1|809> CHILD_SA S_vpn-1{153} established with SPIs c0f44f62_i 60289f75_o and TS <a href="http://10.10.0.2/32">10.10.0.2/32</a> === <a href="http://10.20.0.2/21">10.20.0.2/21</a> </div>
<div><br></div><div>Oct 24 07:43:12 23[IKE] <S_vpn-1|809> received DELETE for IKE_SA S_vpn-1[809]</div><div>Oct 24 07:43:12 23[IKE] <S_vpn-1|809> deleting IKE_SA S_vpn-1[809] between 10.10.0.1[10.10.0.1]...10.20.0.1[10.20.0.1]</div>
<div>Oct 24 07:43:12 23[CFG] <S_vpn-1|809> updating already routed CHILD_SA 'S_vpn-1'</div><div>Oct 24 07:43:12 28[IKE] <S_vpn-1|816> initiating Main Mode IKE_SA S_vpn-1[816] to 10.20.0.1</div><div>Oct 24 07:43:12 08[IKE] <S_vpn-1|816> IKE_SA S_vpn-1[816] established between 10.10.0.1[10.10.0.1]...10.20.0.1[10.20.0.1]</div>
<div>Oct 24 07:43:12 08[IKE] <S_vpn-1|816> scheduling reauthentication in 27962s</div><div>Oct 24 07:43:12 08[IKE] <S_vpn-1|816> maximum IKE_SA lifetime 28502s</div><div>Oct 24 07:43:13 09[IKE] <S_vpn-1|816> CHILD_SA S_vpn-1{153} established with SPIs cbe76271_i 60d13627_o and TS <a href="http://10.10.0.2/32">10.10.0.2/32</a> === <a href="http://10.20.0.2/21">10.20.0.2/21</a> </div>
<div>Oct 24 07:43:13 03[IKE] <S_vpn-1|816> received DELETE for ESP CHILD_SA with SPI 60ce40b5</div><div>Oct 24 07:43:13 03[IKE] <S_vpn-1|816> CHILD_SA not found, ignored</div><div>Oct 24 07:43:13 12[IKE] <S_vpn-1|816> received DELETE for ESP CHILD_SA with SPI c927b3db</div>
<div>Oct 24 07:43:13 12[IKE] <S_vpn-1|816> CHILD_SA not found, ignored</div><div><br></div><div>Oct 24 07:47:12 25[IKE] <S_vpn-1|816> received DELETE for IKE_SA S_vpn-1[816]</div><div>Oct 24 07:47:12 25[IKE] <S_vpn-1|816> deleting IKE_SA S_vpn-1[816] between 10.10.0.1[10.10.0.1]...10.20.0.1[10.20.0.1]</div>
<div>Oct 24 07:47:12 25[CFG] <S_vpn-1|816> updating already routed CHILD_SA 'S_vpn-1'</div><div>Oct 24 07:47:12 30[IKE] <S_vpn-1|826> initiating Main Mode IKE_SA S_vpn-1[826] to 10.20.0.1</div><div>Oct 24 07:47:12 15[IKE] <S_vpn-1|826> IKE_SA S_vpn-1[826] established between 10.10.0.1[10.10.0.1]...10.20.0.1[10.20.0.1]</div>
<div>Oct 24 07:47:12 15[IKE] <S_vpn-1|826> scheduling reauthentication in 28076s</div><div>Oct 24 07:47:12 15[IKE] <S_vpn-1|826> maximum IKE_SA lifetime 28616s</div><div>Oct 24 07:47:13 10[IKE] <S_vpn-1|826> CHILD_SA S_vpn-1{153} established with SPIs c5196008_i 602513e1_o and TS <a href="http://10.10.0.2/32">10.10.0.2/32</a> === <a href="http://10.20.0.2/21">10.20.0.2/21</a> </div>
<div>Oct 24 07:47:13 31[IKE] <S_vpn-1|826> received DELETE for ESP CHILD_SA with SPI 60289f75</div><div>Oct 24 07:47:13 31[IKE] <S_vpn-1|826> CHILD_SA not found, ignored</div><div>Oct 24 07:47:13 20[IKE] <S_vpn-1|826> received DELETE for ESP CHILD_SA with SPI c0f44f62</div>
<div>Oct 24 07:47:13 20[IKE] <S_vpn-1|826> CHILD_SA not found, ignored</div><div><br></div><div>Oct 24 07:51:12 19[IKE] <S_vpn-1|826> received DELETE for IKE_SA S_vpn-1[826]</div><div>Oct 24 07:51:12 19[IKE] <S_vpn-1|826> deleting IKE_SA S_vpn-1[826] between 10.10.0.1[10.10.0.1]...10.20.0.1[10.20.0.1]</div>
<div>Oct 24 07:51:12 19[CFG] <S_vpn-1|826> updating already routed CHILD_SA 'S_vpn-1'</div><div>Oct 24 07:51:12 13[IKE] <S_vpn-1|839> initiating Main Mode IKE_SA S_vpn-1[839] to 10.20.0.1</div><div>Oct 24 07:51:13 21[IKE] <S_vpn-1|839> IKE_SA S_vpn-1[839] established between 10.10.0.1[10.10.0.1]...10.20.0.1[10.20.0.1]</div>
<div>Oct 24 07:51:13 21[IKE] <S_vpn-1|839> scheduling reauthentication in 28193s</div><div>Oct 24 07:51:13 21[IKE] <S_vpn-1|839> maximum IKE_SA lifetime 28733s</div><div>Oct 24 07:51:13 20[IKE] <S_vpn-1|839> CHILD_SA S_vpn-1{153} established with SPIs c8652dc7_i 60461e53_o and TS <a href="http://10.10.0.2/32">10.10.0.2/32</a> === <a href="http://10.20.0.2/21">10.20.0.2/21</a> </div>
<div>Oct 24 07:51:13 12[IKE] <S_vpn-1|839> received DELETE for ESP CHILD_SA with SPI 60d13627</div><div>Oct 24 07:51:13 12[IKE] <S_vpn-1|839> CHILD_SA not found, ignored</div><div>Oct 24 07:51:13 09[IKE] <S_vpn-1|839> received DELETE for ESP CHILD_SA with SPI cbe76271</div>
<div>Oct 24 07:51:13 09[IKE] <S_vpn-1|839> CHILD_SA not found, ignored</div><div><br></div><div>Oct 24 07:55:12 15[IKE] <S_vpn-1|839> received DELETE for IKE_SA S_vpn-1[839]</div><div>Oct 24 07:55:12 15[IKE] <S_vpn-1|839> deleting IKE_SA S_vpn-1[839] between 10.10.0.1[10.10.0.1]...10.20.0.1[10.20.0.1]</div>
<div>Oct 24 07:55:12 15[CFG] <S_vpn-1|839> updating already routed CHILD_SA 'S_vpn-1'</div><div>Oct 24 07:55:12 16[IKE] <S_vpn-1|852> initiating Main Mode IKE_SA S_vpn-1[852] to 10.20.0.1</div><div>Oct 24 07:55:13 25[IKE] <S_vpn-1|852> IKE_SA S_vpn-1[852] established between 10.10.0.1[10.10.0.1]...10.20.0.1[10.20.0.1]</div>
<div>Oct 24 07:55:13 25[IKE] <S_vpn-1|852> scheduling reauthentication in 28122s</div><div>Oct 24 07:55:13 25[IKE] <S_vpn-1|852> maximum IKE_SA lifetime 28662s</div><div>Oct 24 07:55:13 17[IKE] <S_vpn-1|852> CHILD_SA S_vpn-1{153} established with SPIs c1129c4d_i 60be2ecd_o and TS <a href="http://10.10.0.2/32">10.10.0.2/32</a> === <a href="http://10.20.0.2/21">10.20.0.2/21</a> </div>
<div>Oct 24 07:55:13 30[IKE] <S_vpn-1|852> received DELETE for ESP CHILD_SA with SPI 602513e1</div><div>Oct 24 07:55:13 30[IKE] <S_vpn-1|852> CHILD_SA not found, ignored</div><div>Oct 24 07:55:13 16[IKE] <S_vpn-1|852> received DELETE for ESP CHILD_SA with SPI c5196008</div>
<div>Oct 24 07:55:13 16[IKE] <S_vpn-1|852> CHILD_SA not found, ignored</div><div><br></div><div>A more verbose log can be found at <a href="http://xcyb.org/S_vpn-1_debug.txt">http://xcyb.org/S_vpn-1_debug.txt</a>.</div>
<div><br></div><div>During this time I was testing the tunnel with ICMP echo/reply every 100ms. Every time new SAs are established I lose about 8 packets.</div><div><br></div><div>Why is this happening and how can I change this?</div>
<div><br></div><div>The config applied for this particular vpn is:</div><div><br></div><div> config setup</div><div> uniqueids=yes</div><div><br></div><div> conn %default</div><div> rekeymargin=9m</div>
<div> keyingtries=%forever</div><div> keyexchange=ikev1</div><div> authby=secret</div><div> left=10.10.0.1</div><div> leftsubnet=<a href="http://10.10.0.2/32">10.10.0.2/32</a></div>
<div> auto=start</div><div> inactivity=1d</div><div><br></div><div> conn S_vpn-1</div><div> right = 10.20.0.1</div><div> rightsubnet = <a href="http://10.20.0.2/21">10.20.0.2/21</a></div>
<div> ike = 3des-sha1-modp1024</div><div> ikelifetime = 28800</div><div> esp = 3des-sha1</div><div> keylife = 3600</div><div> closeaction=restart</div><div><br></div><div><br></div><div>
Best regards,</div><div>Mihai</div><div><br></div></div>