<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class=""><font face="Monaco" class="">VPN client & server running StrongSwan v5.2.2. Both OSes Centos 6.6.</font></div>
<div class=""><font face="Monaco" class=""><br class="">
</font></div>
<div class=""><font face="Monaco" class="">An IKEv2 IPsec tunnel has been up for a couple days with the client initiating a ping, once per minute, of the same host behind the VPN gateway. This is the only application level traffic on the tunnel.</font></div>
<div class=""><font face="Monaco" class=""><br class="">
</font></div>
<div class=""><font face="Monaco" class="">Roughly every two hours and 40 minutes, the client initiates the IKE SA reauthentication sequence and some times the ping fails:</font></div>
<div class=""><font face="Monaco" class=""><br class="">
</font></div>
<div class="">
<div style="margin: 0px; background-color: rgb(226, 225, 227);" class=""><font face="Monaco" class="">2015/03/12 13:14:20 - host ipa.cz.internal is
<span style="font-variant-ligatures: no-common-ligatures; color: #0fa908" class="">
ok</span></font></div>
<div style="margin: 0px; background-color: rgb(226, 225, 227);" class=""><font face="Monaco" class="">ping: unknown host ipa.cz.internal</font></div>
<div style="margin: 0px; background-color: rgb(226, 225, 227);" class=""><font face="Monaco" class="">2015/03/12 13:15:20 - host ipa.cz.internal is
<span style="font-variant-ligatures: no-common-ligatures; color: #b42815" class="">
down</span></font></div>
<div style="margin: 0px; background-color: rgb(226, 225, 227);" class=""><font face="Monaco" class="">2015/03/12 13:16:20 - host ipa.cz.internal is
<span style="font-variant-ligatures: no-common-ligatures; color: #0fa908" class="">
ok</span></font></div>
</div>
<div class=""><span style="color: rgb(15, 169, 8);" class=""><font face="Monaco" class=""><br class="">
</font></span></div>
<div class=""><font face="Monaco" class=""><br class="">
</font></div>
<div class=""><font face="Monaco" class="">The .cz.internal DNS domain is served by a host (10.8.65.164) behind the VPN gateway. Here’s a snippet from the client log file showing the start of the reauthentication and the removal of the DNS server from resolve.conf.</font></div>
<div class=""><font face="Monaco" class=""><br class="">
</font></div>
<div class="">
<div style="margin: 0px; background-color: rgb(226, 225, 227);" class="">
<div style="margin: 0px;" class=""><font face="Monaco" class="">Mar 12 13:15:10 secgw-client charon: 12[IKE] reauthenticating IKE_SA cz-pdc[16]</font></div>
<div style="margin: 0px;" class=""><font face="Monaco" class="">Mar 12 13:15:10 secgw-client charon: 12[IKE] deleting IKE_SA cz-pdc[16] between 10.100.34.179[linux-test]...a.b.c.d[<a href="http://secgw.cz-dev.com" class="">secgw.cz-dev.com</a>]</font></div>
<div style="margin: 0px;" class=""><font face="Monaco" class="">Mar 12 13:15:10 secgw-client charon: 12[IKE] sending DELETE for IKE_SA cz-pdc[16]</font></div>
<div style="margin: 0px;" class=""><font face="Monaco" class="">Mar 12 13:15:10 secgw-client charon: 12[ENC] generating INFORMATIONAL request 9 [ D ]</font></div>
<div style="margin: 0px;" class=""><font face="Monaco" class="">Mar 12 13:15:10 secgw-client charon: 12[NET] sending packet: from 10.100.34.179[4500] to a.b.c.d[4500] (76 bytes)</font></div>
<div style="margin: 0px;" class=""><font face="Monaco" class="">Mar 12 13:15:10 secgw-client charon: 10[NET] received packet: from a.b.c.d[4500] to 10.100.34.179[4500] (76 bytes)</font></div>
<div style="margin: 0px;" class=""><font face="Monaco" class="">Mar 12 13:15:10 secgw-client charon: 10[ENC] parsed INFORMATIONAL response 9 [ ]</font></div>
<div style="margin: 0px;" class=""><font face="Monaco" class="">Mar 12 13:15:10 secgw-client charon: 10[IKE] IKE_SA deleted</font></div>
<div style="margin: 0px;" class=""><font face="Monaco" class="">Mar 12 13:15:10 secgw-client vpn: -
<a href="http://secgw.cz-dev.com" class="">secgw.cz-dev.com</a> 10.8.64.0/23 == a.b.c.d -- 10.100.34.179 == 10.255.252.1/32</font></div>
<div style="margin: 0px;" class=""><font face="Monaco" class="">Mar 12 13:15:10 secgw-client charon: 10[IKE] installing new virtual IP 10.255.252.1</font></div>
<div style="margin: 0px;" class=""><font face="Monaco" class="">Mar 12 13:15:10 secgw-client charon: 10[IKE] restarting CHILD_SA cz-pdc</font></div>
<div style="margin: 0px;" class=""><font face="Monaco" class="">Mar 12 13:15:10 secgw-client charon: 10[IKE] initiating IKE_SA cz-pdc[17] to a.b.c.d</font></div>
<div style="margin: 0px;" class=""><font face="Monaco" class="">Mar 12 13:15:10 secgw-client charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</font></div>
<div style="margin: 0px;" class=""><font face="Monaco" class="">Mar 12 13:15:10 secgw-client charon: 10[NET] sending packet: from 10.100.34.179[500] to a.b.c.d[500] (1420 bytes)</font></div>
<div style="margin: 0px;" class=""><font face="Monaco" class="">Mar 12 13:15:10 secgw-client charon: 10[IKE] removing DNS server 10.8.65.164 from /etc/resolv.conf</font></div>
</div>
</div>
<div class=""><font face="Monaco" class=""><br class="">
</font></div>
<div class=""><font face="Monaco" class=""><br class="">
</font></div>
<div class=""><font face="Monaco" class="">And a snippet from the server log file:</font></div>
<div class=""><font face="Monaco" class=""><br class="">
</font></div>
<div class="">
<div style="margin: 0px; background-color: rgb(226, 225, 227);" class=""><font face="Monaco" class="">Mar 12 13:15:10 secgw charon: 15[NET] received packet: from w.x.y.z[4500] to 10.8.95.244[4500] (76 bytes)</font></div>
<div style="margin: 0px; background-color: rgb(226, 225, 227);" class=""><font face="Monaco" class="">Mar 12 13:15:10 secgw charon: 15[ENC] parsed INFORMATIONAL request 9 [ D ]</font></div>
<div style="margin: 0px; background-color: rgb(226, 225, 227);" class=""><font face="Monaco" class="">Mar 12 13:15:10 secgw charon: 15[IKE] received DELETE for IKE_SA remote-access-ikev2-krb[15]</font></div>
<div style="margin: 0px; background-color: rgb(226, 225, 227);" class=""><font face="Monaco" class="">Mar 12 13:15:10 secgw charon: 15[IKE] deleting IKE_SA remote-access-ikev2-krb[15] between 10.8.95.244[<a href="http://secgw.cz-dev.com" class="">secgw.cz-dev.com</a>]...w.x.y.z[linux-test]</font></div>
<div style="margin: 0px; background-color: rgb(226, 225, 227);" class=""><font face="Monaco" class="">Mar 12 13:15:10 secgw charon: 15[IKE] IKE_SA remote-access-ikev2-krb[15] state change: ESTABLISHED => DELETING</font></div>
<div style="margin: 0px; background-color: rgb(226, 225, 227);" class=""><font face="Monaco" class="">Mar 12 13:15:10 secgw charon: 15[IKE] IKE_SA deleted</font></div>
</div>
<div class=""><font face="Monaco" class=""><br class="">
</font></div>
<div class=""><font face="Monaco" class="">The clocks on each machine are synchronized using NTP. The two hosts take ~11-12 seconds to complete the reauthentication sequence and the continuous ping succeeds.</font></div>
<div class=""><font face="Monaco" class=""><br class="">
</font></div>
<div class=""><font face="Monaco" class="">The continuous ping is pretty tolerant of the network outage and since it’s stateless and only occurs every 60 seconds - it often does not notice the outage. However, if I ran highly sensitive application like a file
transfer, would the entire transfer fail? Is reauthentication equivalent to terminating and restarting the tunnel?</font></div>
<div class=""><font face="Monaco" class=""><br class="">
</font></div>
<div class=""><font face="Monaco" class=""><br class="">
</font></div>
<div class=""><br class="">
</div>
</body>
</html>