<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Hi George,</p>
    <p>"Make-before-break: This method first creates duplicates of the
      IKE and all IPsec SAs overlapping with the existing ones and then
      deletes the old ones. This avoids interruptions but requires that
      both peers can handle overlapping SAs (e.g. in regards to virtual
      IPs, duplicate policies or updown scripts). It is supported for
      IKEv2 since 5.3.0 but is disabled by default and may be enabled
      with the charon.make_before_break strongswan.conf setting." and
      more useful information at
      <a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey">https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey</a></p>
    <p><br>
    </p>
    <div class="moz-cite-prefix">On 08.12.2020 18:25, george live wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CANKhjqPetyUzmzx6d0i6L6zxGTT2W-8+1Ok0_CghB+w2+K40bQ@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">
        <div>Hi,</div>
        <div>I have strongswan running ikev2 on aws peering with a cisco
          asa. The tunnel comes up fine but the problem is whenever the
          rekeying happens, I see the data traffic coming down. I have
          bgp running over IPsec and the tcp reset happens whenever the
          reset happens. Is there any known issue with Strongswan that
          causes this problem?</div>
        <div><br>
        </div>
        <div>Below are some of the traces:</div>
        <div><br>
        </div>
        <div>Logs showing the rekeying<br>
          <br>
          ======================<br>
          <br>
          1)<br>
          <br>
          cat /var/log/messages | grep 'restarting CHILD_SA'<br>
          <br>
          Dec  8 <span style="background-color:rgb(255,0,0)">14:55:40</span>
          xxyy charon: 08[IKE] restarting CHILD_SA ABC<br>
          <br>
          Dec  8 <span style="background-color:rgb(255,0,0)">14:55:40</span>
          xxyy charon: 08[IKE] restarting CHILD_SA ABC<br>
          <br>
          <br>
          <br>
          2)<br>
          <br>
          Bgp output showing reset at same time and this is very
          consistent every 28800 secs<br>
          <br>
          <br>
          <br>
          bird> show protocols<br>
          <br>
          name     proto    table    state  since       info<br>
          <br>
          ABC_BGP BGP      master   up     <span
            style="background-color:rgb(255,0,0)">14:55:50</span>  
           Established   <br>
          <br>
          bird><br>
          <br>
          <br>
          <br>
          2)<br>
          <br>
          ipsec statusall<br>
          <br>
          no files found matching '/etc/strongswan.conf'<br>
          <br>
          Status of IKE charon daemon (strongSwan 5.5.3, Linux
          4.4.0-116-generic, x86_64):<br>
          <br>
            uptime: 9 hours, since Dec 08 07:13:17 2020<br>
          <br>
            malloc: sbrk 2416640, mmap 0, used 456256, free 1960384<br>
          <br>
            worker threads: 11 of 16 idle, 5/0/0/0 working, job queue:
          0/0/0/0, scheduled: 4<br>
          <br>
            loaded plugins: charon aes des rc2 sha2 sha1 md5 random
          nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8
          pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac
          hmac attr kernel-netlink resolve socket-default stroke vici
          updown xauth-generic<br>
          <br>
          Listening IP addresses:<br>
          <br>
            169.254.254.2<br>
          <br>
            a.b.c.d<br>
          <br>
            xx.yy.xx.yy<br>
          <br>
          Connections:<br>
          <br>
              ABC:  our_ip...customer_ip  IKEv2, dpddelay=10s<br>
          <br>
              ABC:   local:  [our_ip] uses pre-shared key authentication<br>
          <br>
              ABC:   remote: uses pre-shared key authentication<br>
          <br>
              ABC:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart<br>
          <br>
          Routed Connections:<br>
          <br>
              ABC{1}:  ROUTED, TUNNEL, reqid 1<br>
          <br>
              ABC{1}:   0.0.0.0/0 === 0.0.0.0/0<br>
          <br>
          Security Associations (1 up, 0 connecting):<br>
          <br>
              ABC[2]: ESTABLISHED <span
            style="background-color:rgb(255,0,0)">100 minutes ago</span>,
          <br>
          <br>
          our_ip[our_ip]...cust_ip[cust_ip]<br>
          <br>
              ABC[2]: IKEv2 SPIs: dbd89039dce34530_i*
          c205c6cc199e40b9_r, pre-shared key reauthentication in 6 hours<br>
          <br>
              ABC[2]: IKE proposal:
          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048<br>
          <br>
              ABC{17}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs:
          c069ca3b_i 677c60a0_o<br>
          <br>
              ABC{17}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048,
          70685706 bytes_i (67965 pkts, 0s ago), 15688776 bytes_o (43835
          pkts, 0s ago), rekeying in 35 minutes<br>
          <br>
              ABC{17}:   0.0.0.0/0 === 0.0.0.0/0<br>
          <br>
              ABC{18}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs:
          ccde01ee_i 1bea569d_o<br>
          <br>
              ABC{18}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 8469388
          bytes_i (9394 pkts, 0s ago), 5230408 bytes_o (8191 pkts, 0s
          ago), rekeying in 47 minutes<br>
          <br>
              ABC{18}:   0.0.0.0/0 === 0.0.0.0/0<br>
          <br>
          3) IPSec config<br>
          <br>
          <br>
          <br>
          cat /etc/ipsec.conf <br>
          <br>
          <br>
          <br>
          config setup<br>
          <br>
              charondebug="ike 1, knl 0, cfg 0"<br>
          <br>
          conn ABC <br>
          <br>
              authby=secret<br>
          <br>
               auto=route<br>
          <br>
               dpddelay=10<br>
          <br>
               dpdtimeout=30<br>
          <br>
               dpdaction=restart<br>
          <br>
               esp=aes256-sha256-modp2048<br>
          <br>
               ike=aes256-sha256-modp2048<br>
          <br>
               ikelifetime=28800s<br>
          <br>
               lifetime=1h<br>
          <br>
               keyexchange=ikev2<br>
          <br>
               keyingtries=%forever<br>
          <br>
               rekey=yes<br>
          <br>
               margintime=9m<br>
          <br>
               # Specifics<br>
          <br>
               left=our_ip            # Local private ip<br>
          <br>
               leftsubnet=0.0.0.0/0   # Local VPC Subnet<br>
          <br>
               leftid=our_ip<br>
          <br>
               leftfirewall=yes<br>
          <br>
               rightfirewall=no<br>
          <br>
               right=cust_ip       # Remote Tunnel IP<br>
          <br>
               rightid=%any<br>
          <br>
               rightsubnet=0.0.0.0/0 # Remote VPC Subnet<br>
          <br>
               type=tunnel<br>
          <br>
               mark=1000<br>
          <br>
          <br>
          <br>
          4)<br>
          <br>
          Charon config<br>
          <br>
          cat /etc/strongswan.d/charon.conf <br>
          <br>
          # Options for the charon IKE daemon.<br>
          <br>
          # Do not install routes, otherwise you'll need to  'ip route
          del table 220 default' for VTI routing to work<br>
          <br>
          charon {<br>
          <br>
                   install_routes = no<br>
          <br>
                   install_virtual_ip = no<br>
          <br>
                   make_before_break = yes<br>
          <br>
                   delete_rekeyed_delay = 10<br>
          <br>
          }<br>
          <br>
          <br>
        </div>
        <div>Are there any special configs that will not disrupt the
          data payload traffic during the ikev2 rekeying?</div>
        <div><br>
        </div>
        <div>Best,</div>
        <div>Vick<br>
        </div>
      </div>
    </blockquote>
    <pre class="moz-signature" cols="72">--
Volodymyr Litovka
  "Vision without Execution is Hallucination." -- Thomas Edison</pre>
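    <p>Added diagnostic example, not part of either message and not strongSwan's own code: a Python script that parses the kinds of output quoted above (charon syslog lines, the BIRD <code>since</code> column, ipsec.conf and charon.conf), measures the period between <code>restarting CHILD_SA</code> events, and maps that period back to the lifetime that produces it. In strongSwan, <code>ikelifetime</code> with <code>reauth=yes</code> (the ipsec.conf default) schedules IKE_SA reauthentication rather than IKE_SA rekeying, which is what the status line "pre-shared key reauthentication in 6 hours" reports, and <code>make_before_break</code> in charon.conf is the setting the reply points at for that case. The log lines, the host name <code>gw</code>, the BGP timestamp and both config fragments are constructed samples; the period check allows for strongSwan starting the operation <code>margintime</code> before expiry, randomised by <code>rekeyfuzz</code> (default 100%).</p>

```python
"""Map a periodic tunnel outage back to the strongSwan lifetime that drives it.

Parses charon syslog lines, the BIRD 'since' column, ipsec.conf and charon.conf
(constructed samples below), measures the period between 'restarting CHILD_SA'
events, classifies it as ikelifetime (IKE_SA reauth/rekey) or lifetime
(CHILD_SA rekey), and reports the settings that decide whether traffic stops."""
import re
from datetime import datetime

# Constructed samples modelled on the thread; not real logs or configs.
CHARON_SYSLOG = """\
Dec  8 06:55:40 gw charon: 08[IKE] restarting CHILD_SA ABC
Dec  8 14:55:40 gw charon: 08[IKE] restarting CHILD_SA ABC
Dec  8 22:55:38 gw charon: 12[IKE] restarting CHILD_SA ABC
"""
BIRD_SINCE = "14:55:50"      # 'since' column of `bird> show protocols`
IPSEC_CONF = """\
conn ABC
     ikelifetime=28800s
     lifetime=1h
     margintime=9m
     rekey=yes
     dpdaction=restart
"""
CHARON_CONF = """\
charon {
    make_before_break = yes
    delete_rekeyed_delay = 10
}
"""
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_lifetime(value):
    """'28800s' -> 28800, '1h' -> 3600, '9m' -> 540; a bare number is seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"unparseable lifetime: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_settings(text):
    """Flatten 'key=value' / 'key = value' lines of an ipsec.conf or
    strongswan.conf fragment into a dict; comments and section lines are dropped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([\w.]+)\s*=\s*(\S+)", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def parse_restart_events(syslog, year):
    """Timestamps of 'restarting CHILD_SA' lines, which charon logs when it
    re-establishes an IKE_SA (reauthentication or dpdaction=restart)."""
    pat = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: .*restarting CHILD_SA")
    events = []
    for line in syslog.splitlines():
        m = pat.match(line)
        if m:
            events.append(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
    return events

def intervals(events):
    """Seconds between consecutive events."""
    return [int((b - a).total_seconds()) for a, b in zip(events, events[1:])]

def classify_interval(seconds, conf, slack=60):
    """Name the lifetime an observed period belongs to.  strongSwan starts the
    operation margintime before expiry, randomised by rekeyfuzz (default 100%),
    so the period lands in [life - 2*margin - slack, life + slack]."""
    margin = parse_lifetime(conf.get("margintime", "3m"))
    for key in ("ikelifetime", "lifetime"):
        if key in conf:
            life = parse_lifetime(conf[key])
            if life - 2 * margin - slack <= seconds <= life + slack:
                return key
    return "unknown"

def bgp_reset_gap(events, bird_since):
    """Smallest distance in seconds between a restart event and the BGP 'since' time."""
    t = datetime.strptime(bird_since, "%H:%M:%S").time()
    return min(abs((datetime.combine(e.date(), t) - e).total_seconds()) for e in events)

def diagnose(syslog, bird_since, ipsec_conf, charon_conf, year=2020):
    conf, charon = parse_settings(ipsec_conf), parse_settings(charon_conf)
    events = parse_restart_events(syslog, year)
    kinds = {classify_interval(i, conf) for i in intervals(events)}
    result = {
        "period": kinds,
        "bgp_reset_gap_s": bgp_reset_gap(events, bird_since) if events else None,
        "reauth": conf.get("reauth", "yes"),                          # ipsec.conf default
        "make_before_break": charon.get("make_before_break", "no"),   # charon default
        "hints": [],
    }
    if "ikelifetime" in kinds and result["reauth"] == "yes":
        result["hints"].append("period matches ikelifetime with reauth=yes: IKE_SA "
                               "reauthentication, not CHILD_SA rekeying, is the trigger")
    if result["make_before_break"] == "yes":
        result["hints"].append("make_before_break=yes only avoids the gap if the peer "
                               "also tolerates overlapping IKE/IPsec SAs; verify on the peer")
    else:
        result["hints"].append("make_before_break is off: CHILD_SAs are deleted before "
                               "the new IKE_SA is up, so a traffic gap is expected")
    return result

if __name__ == "__main__":
    for key, value in diagnose(CHARON_SYSLOG, BIRD_SINCE, IPSEC_CONF, CHARON_CONF).items():
        print(f"{key}: {value}")
```

    <p>Run against real output, the interesting result is <code>period</code>: a value of <code>ikelifetime</code> together with <code>reauth: yes</code> means the outage is tied to IKE_SA reauthentication, so the relevant knobs are <code>reauth</code> in ipsec.conf and <code>make_before_break</code> in charon.conf (on both peers), not the CHILD_SA <code>lifetime</code>.</p>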
  </body>
</html>