<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi George,</p>
<p>"Make-before-break: This method first creates duplicates of the
IKE and all IPsec SAs overlapping with the existing ones and then
deletes the old ones. This avoids interruptions but requires that
both peers can handle overlapping SAs (e.g. in regards to virtual
IPs, duplicate policies or updown scripts). It is supported for
IKEv2 since 5.3.0 but is disabled by default and may be enabled
with the charon.make_before_break strongswan.conf setting." and
more useful information at
<a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey">https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey</a></p>
<p><br>
</p>
<div class="moz-cite-prefix">On 08.12.2020 18:25, george live wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CANKhjqPetyUzmzx6d0i6L6zxGTT2W-8+1Ok0_CghB+w2+K40bQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div>Hi,</div>
<div>I have strongswan running ikev2 on aws peering with a cisco
asa. The tunnel comes up fine but the problem is whenever the
rekeying happens, I see the data traffic coming down. I have
bgp running over IPsec and the tcp reset happens whenever the
reset happens. Is there any known issue with Strongswan that
causes this problem?</div>
<div><br>
</div>
<div>Below are some of the traces:</div>
<div><br>
</div>
<div>Logs showing the rekeying<br>
<br>
======================<br>
<br>
1)<br>
<br>
cat /var/log/messages | grep 'restarting CHILD_SA'<br>
<br>
Dec 8 <span style="background-color:rgb(255,0,0)">14:55:40</span>
xxyy charon: 08[IKE] restarting CHILD_SA ABC<br>
<br>
Dec 8 <span style="background-color:rgb(255,0,0)">14:55:40</span>
xxyy charon: 08[IKE] restarting CHILD_SA ABC<br>
<br>
<br>
<br>
2)<br>
<br>
Bgp output showing reset at same time and this is very
consistent every 28800 secs<br>
<br>
<br>
<br>
bird> show protocols<br>
<br>
name proto table state since info<br>
<br>
ABC_BGP BGP master up <span
style="background-color:rgb(255,0,0)">14:55:50</span>
Established <br>
<br>
bird><br>
<br>
<br>
<br>
2)<br>
<br>
ipsec statusall<br>
<br>
no files found matching '/etc/strongswan.conf'<br>
<br>
Status of IKE charon daemon (strongSwan 5.5.3, Linux
4.4.0-116-generic, x86_64):<br>
<br>
uptime: 9 hours, since Dec 08 07:13:17 2020<br>
<br>
malloc: sbrk 2416640, mmap 0, used 456256, free 1960384<br>
<br>
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue:
0/0/0/0, scheduled: 4<br>
<br>
loaded plugins: charon aes des rc2 sha2 sha1 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8
pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac
hmac attr kernel-netlink resolve socket-default stroke vici
updown xauth-generic<br>
<br>
Listening IP addresses:<br>
<br>
169.254.254.2<br>
<br>
a.b.c.d<br>
<br>
xx.yy.xx.yy<br>
<br>
Connections:<br>
<br>
ABC: our_ip...customer_ip IKEv2, dpddelay=10s<br>
<br>
ABC: local: [our_ip] uses pre-shared key authentication<br>
<br>
ABC: remote: uses pre-shared key authentication<br>
<br>
ABC: child: <a href="http://0.0.0.0/0"
moz-do-not-send="true">0.0.0.0/0</a> === <a
href="http://0.0.0.0/0" moz-do-not-send="true">0.0.0.0/0</a>
TUNNEL, dpdaction=restart<br>
<br>
Routed Connections:<br>
<br>
ABC{1}: ROUTED, TUNNEL, reqid 1<br>
<br>
ABC{1}: <a href="http://0.0.0.0/0"
moz-do-not-send="true">0.0.0.0/0</a> === <a
href="http://0.0.0.0/0" moz-do-not-send="true">0.0.0.0/0</a><br>
<br>
Security Associations (1 up, 0 connecting):<br>
<br>
ABC[2]: ESTABLISHED <span
style="background-color:rgb(255,0,0)">100 minutes ago</span>,
<br>
<br>
our_ip[our_ip]...cust_ip[cust_ip]<br>
<br>
ABC[2]: IKEv2 SPIs: dbd89039dce34530_i*
c205c6cc199e40b9_r, pre-shared key reauthentication in 6 hours<br>
<br>
ABC[2]: IKE proposal:
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048<br>
<br>
ABC{17}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs:
c069ca3b_i 677c60a0_o<br>
<br>
ABC{17}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048,
70685706 bytes_i (67965 pkts, 0s ago), 15688776 bytes_o (43835
pkts, 0s ago), rekeying in 35 minutes<br>
<br>
ABC{17}: <a href="http://0.0.0.0/0"
moz-do-not-send="true">0.0.0.0/0</a> === <a
href="http://0.0.0.0/0" moz-do-not-send="true">0.0.0.0/0</a><br>
<br>
ABC{18}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs:
ccde01ee_i 1bea569d_o<br>
<br>
ABC{18}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 8469388
bytes_i (9394 pkts, 0s ago), 5230408 bytes_o (8191 pkts, 0s
ago), rekeying in 47 minutes<br>
<br>
ABC{18}: <a href="http://0.0.0.0/0"
moz-do-not-send="true">0.0.0.0/0</a> === <a
href="http://0.0.0.0/0" moz-do-not-send="true">0.0.0.0/0</a><br>
<br>
3) IPSec config<br>
<br>
<br>
<br>
cat /etc/ipsec.conf <br>
<br>
<br>
<br>
config setup<br>
<br>
charondebug="ike 1, knl 0, cfg 0"<br>
<br>
conn ABC <br>
<br>
authby=secret<br>
<br>
auto=route<br>
<br>
dpddelay=10<br>
<br>
dpdtimeout=30<br>
<br>
dpdaction=restart<br>
<br>
esp=aes256-sha256-modp2048<br>
<br>
ike=aes256-sha256-modp2048<br>
<br>
ikelifetime=28800s<br>
<br>
lifetime=1h<br>
<br>
keyexchange=ikev2<br>
<br>
keyingtries=%forever<br>
<br>
rekey=yes<br>
<br>
margintime=9m<br>
<br>
# Specifics<br>
<br>
left=our_ip # Local private ip<br>
<br>
leftsubnet=<a href="http://0.0.0.0/0"
moz-do-not-send="true">0.0.0.0/0</a> # Local VPC Subnet<br>
<br>
leftid=our_ip<br>
<br>
leftfirewall=yes<br>
<br>
rightfirewall=no<br>
<br>
right=cust_ip # Remote Tunnel IP<br>
<br>
rightid=%any<br>
<br>
rightsubnet=<a href="http://0.0.0.0/0"
moz-do-not-send="true">0.0.0.0/0</a> # Remote VPC Subnet<br>
<br>
type=tunnel<br>
<br>
mark=1000<br>
<br>
<br>
<br>
4)<br>
<br>
Charon config<br>
<br>
cat /etc/strongswan.d/charon.conf <br>
<br>
# Options for the charon IKE daemon.<br>
<br>
# Do not install routes, otherwise you'll need to 'ip route
del table 220 default' for VTI routing to work<br>
<br>
charon {<br>
<br>
install_routes = no<br>
<br>
install_virtual_ip = no<br>
<br>
make_before_break = yes<br>
<br>
delete_rekeyed_delay = 10<br>
<br>
}<br>
<br>
<br>
</div>
<div>Are there any special configs that will not disrupt the
data payload traffic during the ikev2 rekeying ?</div>
<div><br>
</div>
<div>Best,</div>
<div>Vick<br>
</div>
<div><br>
<br>
<br>
<br>
<br>
<br>
<br>
</div>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison</pre>
</body>
</html>