<HTML><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 10.00.9200.17148"></HEAD>
<BODY style="FONT: 10pt Segoe UI; MARGIN: 4px 4px 1px">
<DIV>Hello list,</DIV>
<DIV> </DIV>
<DIV>I'm using strongSwan 5.2.0 running on CentOS 6.5; the other end of the VPN is a Cisco ASA running 9.1(3).</DIV>
<DIV> </DIV>
<DIV>Every few days the connection drops out and we have to do an ipsec restart on the strongSwan end. I've tried using IKEv1 and IKEv2, but it doesn't seem to make any difference. I'd be grateful if someone could give me some advice on where the problem might lie. I'm pretty stumped, I'm afraid.</DIV>
<DIV> </DIV>
<DIV>The connection died around 08:22 this morning. I've attached the messages file and some config.</DIV>
<DIV> </DIV>
<DIV><STRONG>Here's an ipsec statusall from the strongSwan box right now...</STRONG></DIV>
<DIV> </DIV>
<DIV><FONT face="Courier New">Status of IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-504.3.3.el6.x86_64, x86_64):<BR> uptime: 41 hours, since Jan 15 17:09:11 2015<BR> malloc: sbrk 270336, mmap 0, used 205008, free 65328<BR> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2<BR> loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity<BR>Listening IP addresses:<BR> 10.1.1.1<BR>Connections:<BR> ciscoios: 10.1.1.1...444.444.444.444 IKEv2<BR> ciscoios: local: [10.1.1.1] uses pre-shared key authentication<BR> ciscoios: remote: [444.444.444.444] uses pre-shared key authentication<BR> ciscoios: child: 10.1.0.0/16 === 192.168.0.0/16 TUNNEL<BR>Security Associations (0 up, 0 connecting):<BR> none</FONT></DIV>
<DIV> </DIV>
<DIV><STRONG>And some stats from the ASA</STRONG></DIV>
<DIV> </DIV>
<DIV><FONT face="Courier New">ASA# sh crypto ikev2 sa</FONT></DIV>
<DIV><FONT face="Courier New"></FONT> </DIV>
<DIV><FONT face="Courier New">There are no IKEv2 SAs<BR>ASA# sh crypto ipsec sa</FONT></DIV>
<DIV><FONT face="Courier New"></FONT> </DIV>
<DIV><FONT face="Courier New">There are no ipsec sas</FONT><BR></DIV>
<DIV><STRONG>If I restart the connection here's what the statusall looks like</STRONG></DIV>
<DIV> </DIV>
<DIV><FONT face="Courier New">Status of IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-504.3.3.el6.x86_64, x86_64):<BR> uptime: 22 seconds, since Jan 17 10:58:27 2015<BR> malloc: sbrk 270336, mmap 0, used 205008, free 65328<BR> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3<BR> loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity<BR>Listening IP addresses:<BR> 10.1.1.1<BR>Connections:<BR> ciscoios: 10.1.1.1...444.444.444.444 IKEv2<BR> ciscoios: local: [10.1.1.1] uses pre-shared key authentication<BR> ciscoios: remote: [444.444.444.444] uses pre-shared key authentication<BR> ciscoios: child: 10.1.0.0/16 === 192.168.0.0/16 TUNNEL<BR>Security Associations (1 up, 0 connecting):<BR> ciscoios[1]: ESTABLISHED 22 seconds ago, 10.1.1.1[10.1.1.1]...444.444.444.444[444.444.444.444]<BR> ciscoios[1]: IKEv2 SPIs: de5d948f9c8f22af_i* cb7c5a2906edd007_r, pre-shared key reauthentication in 23 hours<BR> ciscoios[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536<BR> ciscoios{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c96684fa_i 94701406_o<BR> ciscoios{1}: AES_CBC_128/HMAC_SHA1_96, 2436 bytes_i (29 pkts, 1s ago), 2436 bytes_o (29 pkts, 1s ago), rekeying in 54 minutes<BR> ciscoios{1}: 10.1.0.0/16 === 192.168.0.0/16</FONT> </DIV>
<DIV> </DIV>
<DIV><STRONG>And here's some stats from the ASA</STRONG></DIV>
<DIV> </DIV>
<DIV><FONT face="Courier New">ASA# sh crypto ikev2 sa detail</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face="Courier New">IKEv2 SAs:</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face="Courier New">Session-id:22, Status:UP-ACTIVE, IKE count:1, CHILD count:1</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face="Courier New">Tunnel-id Local Remote Status Role<BR>321156029 444.444.444.444/4500 333.333.333.333/4500 READY RESPONDER<BR> Encr: AES-CBC, keysize: 128, Hash: MD596, DH Grp:5, Auth sign: PSK, Auth verify: PSK<BR> Life/Active Time: 86400/163 sec<BR> Session-id: 22<BR> Status Description: Negotiation done<BR> Local spi: 07D0ED06295A7CCB Remote spi: AF228F9C8F945DDE<BR> Local id: 444.444.444.444<BR> Remote id: 10.1.1.1<BR> Local req mess id: 0 Remote req mess id: 2<BR> Local next mess id: 0 Remote next mess id: 2<BR> Local req queued: 0 Remote req queued: 2<BR> Local window: 1 Remote window: 1<BR> DPD configured for 10 seconds, retry 2<BR> NAT-T is detected outside<BR>Child sa: local selector 192.168.0.0/0 - 192.168.255.255/65535<BR> remote selector 10.1.0.0/0 - 10.1.255.255/65535<BR> ESP spi in/out: 0x94701406/0xc96684fa<BR> AH spi in/out: 0x0/0x0<BR> CPI in/out: 0x0/0x0<BR> Encr: AES-CBC, keysize: 128, esp_hmac: SHA96<BR> ah_hmac: None, comp: IPCOMP_NONE, mode tunnel</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face="Courier New">ASA# sh crypto ipsec sa<BR>interface: OUTSIDE<BR> Crypto map tag: mymap, seq num: 1, local addr: 444.444.444.444</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face="Courier New"> access-list AWSInt-VPN-ACL extended permit ip 192.168.0.0 255.255.0.0 10.1.0.0 255.255.0.0<BR> local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)<BR> remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)<BR> current_peer: 333.333.333.333</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face="Courier New"> #pkts encaps: 443, #pkts encrypt: 443, #pkts digest: 443<BR> #pkts decaps: 443, #pkts decrypt: 443, #pkts verify: 443<BR> #pkts compressed: 0, #pkts decompressed: 0<BR> #pkts not compressed: 443, #pkts comp failed: 0, #pkts decomp failed: 0<BR> #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0<BR> #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0<BR> #TFC rcvd: 0, #TFC sent: 0<BR> #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0<BR> #send errors: 0, #recv errors: 0</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face="Courier New"> local crypto endpt.: 444.444.444.444/4500, remote crypto endpt.: 333.333.333.333/4500<BR> path mtu 1500, ipsec overhead 82(52), media mtu 1500<BR> PMTU time remaining (sec): 0, DF policy: copy-df<BR> ICMP error validation: disabled, TFC packets: disabled<BR> current outbound spi: C96684FA<BR> current inbound spi : 94701406</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face="Courier New"> inbound esp sas:<BR> spi: 0x94701406 (2490373126)<BR> transform: esp-aes esp-sha-hmac no compression<BR> in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv2, }<BR> slot: 0, conn_id: 598016, crypto-map: mymap<BR> sa timing: remaining key lifetime (kB/sec): (4008923/28564)<BR> IV size: 16 bytes<BR> replay detection support: Y<BR> Anti replay bitmap:<BR> 0xFFFFFFFF 0xFFFFFFFF<BR> outbound esp sas:<BR> spi: 0xC96684FA (3378939130)<BR> transform: esp-aes esp-sha-hmac no compression<BR> in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv2, }<BR> slot: 0, conn_id: 598016, crypto-map: mymap<BR> sa timing: remaining key lifetime (kB/sec): (4331483/28564)<BR> IV size: 16 bytes<BR> replay detection support: Y<BR> Anti replay bitmap:<BR> 0x00000000 0x00000001</FONT></DIV>
<DIV> </DIV>
<DIV>Any advice will be gratefully received.</DIV>
<DIV> </DIV>
<DIV>Cheers,</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Tormod</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV><BR>
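<DIV>The two "ipsec statusall" dumps and the ASA output above are the raw material for an automated check: first, flag the "0 up" state so the drop is noticed before users report it, and second, after a restart, confirm the SPIs on both ends actually line up. This is an added example for this thread, not code from strongSwan, Cisco or the poster; the sample dumps are constructed from the values quoted in the post, the function names are my own, and the byte-reversal step reflects how the ASA's IKE SPIs in this post relate to strongSwan's.</DIV>

```python
"""Cross-check strongSwan 'ipsec statusall' against the Cisco ASA's 'show crypto
ikev2 sa detail' / 'show crypto ipsec sa'. Added example, not the poster's code."""
import re
# Constructed from the post's "ipsec statusall" taken just after the restart.
STRONGSWAN_UP = """Security Associations (1 up, 0 connecting):
 ciscoios[1]: IKEv2 SPIs: de5d948f9c8f22af_i* cb7c5a2906edd007_r, pre-shared key reauthentication in 23 hours
 ciscoios{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c96684fa_i 94701406_o
"""
# Constructed from the post's first statusall, taken after the tunnel had died.
STRONGSWAN_DOWN = "Security Associations (0 up, 0 connecting):\n none\n"
# Constructed from the ASA output in the post (the ASA is the IKE responder).
ASA = """ Local spi: 07D0ED06295A7CCB Remote spi: AF228F9C8F945DDE
 ESP spi in/out: 0x94701406/0xc96684fa
"""

def parse_strongswan(text):
    """Return SA counts plus IKE/ESP SPIs (None when nothing is up)."""
    sa = re.search(r"Security Associations \((\d+) up, (\d+) connecting\)", text)
    ike = re.search(r"IKEv2 SPIs: ([0-9a-f]{16})_i\*? ([0-9a-f]{16})_r", text)
    esp = re.search(r"ESP(?: in UDP)? SPIs: ([0-9a-f]{8})_i ([0-9a-f]{8})_o", text)
    return {"up": int(sa.group(1)), "connecting": int(sa.group(2)),
            "ike_i": ike and ike.group(1), "ike_r": ike and ike.group(2),
            "esp_in": esp and esp.group(1), "esp_out": esp and esp.group(2)}

def parse_asa(text):
    """The ASA prints hex in upper case; normalise to lower case."""
    ike = re.search(r"Local spi: ([0-9A-Fa-f]{16}) Remote spi: ([0-9A-Fa-f]{16})", text)
    esp = re.search(r"ESP spi in/out: 0x([0-9A-Fa-f]{8})/0x([0-9A-Fa-f]{8})", text)
    return {"ike_local": ike.group(1).lower(), "ike_remote": ike.group(2).lower(),
            "esp_in": esp.group(1).lower(), "esp_out": esp.group(2).lower()}

def reverse_bytes(hexstr):
    """The ASA in the post shows the IKE SPIs with their byte order reversed."""
    return bytes.fromhex(hexstr)[::-1].hex()

def check(ss, asa):
    """Return a list of findings; an empty list means both ends agree."""
    if ss["up"] == 0:
        return ["no IKE SA established on the strongSwan side"]
    findings = []
    # strongSwan initiated, so its _i SPI is what the ASA calls "Remote spi".
    if reverse_bytes(ss["ike_i"]) != asa["ike_remote"]:
        findings.append("IKE initiator SPI mismatch")
    if reverse_bytes(ss["ike_r"]) != asa["ike_local"]:
        findings.append("IKE responder SPI mismatch")
    # ESP: one end's inbound SPI must be the other end's outbound SPI.
    if ss["esp_in"] != asa["esp_out"] or ss["esp_out"] != asa["esp_in"]:
        findings.append("ESP SPI mismatch")
    return findings
```

Feeding it the live output of "ipsec statusall" from cron and alerting on a non-empty result would have caught the 08:22 drop without waiting for users to notice.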
</BODY></HTML>