<div dir="ltr">Hi <span style="white-space:pre-wrap">Volodymyr,</span><div><span style="white-space:pre-wrap">I disabled reauth and that fixed the problem.</span></div><div><span style="white-space:pre-wrap"><br></span></div><div><span style="white-space:pre-wrap">Thanks,</span></div><div><span style="white-space:pre-wrap">George</span></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Dec 8, 2020 at 8:25 AM george live <<a href="mailto:georgelive2020@gmail.com">georgelive2020@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi,</div>
<div>I have strongSwan running ikev2 on AWS peering with a Cisco ASA. The tunnel comes up fine, but the problem is whenever the rekeying happens, I see the data traffic coming down. I have BGP running over IPsec and the TCP reset happens whenever the reset happens. Is there any known issue with strongSwan that causes this problem?</div><div><br></div><div>Below are some of the traces:</div><div><br></div>
<div>Logs showing the rekeying<br><br>======================<br><br>1)<br><br>cat /var/log/messages | grep 'restarting CHILD_SA'<br><br>Dec 8 <span style="background-color:rgb(255,0,0)">14:55:40</span> xxyy charon: 08[IKE] restarting CHILD_SA ABC<br><br>Dec 8 <span style="background-color:rgb(255,0,0)">14:55:40</span> xxyy charon: 08[IKE] restarting CHILD_SA ABC<br><br><br><br>2)<br><br>BGP output showing the reset at the same time; this is very consistent, every 28800 secs<br><br><br><br>bird> show protocols<br><br>name proto table state since info<br><br>ABC_BGP BGP master up <span style="background-color:rgb(255,0,0)">14:55:50</span> Established <br><br>bird><br><br><br><br>3)<br><br>ipsec statusall<br><br>no files found matching '/etc/strongswan.conf'<br><br>Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.0-116-generic, x86_64):<br><br> uptime: 9 hours, since Dec 08 07:13:17 2020<br><br> malloc: sbrk 2416640, mmap 0, used 456256, free 1960384<br><br> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4<br><br> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic<br><br>Listening IP addresses:<br><br> 169.254.254.2<br><br> a.b.c.d<br><br> xx.yy.xx.yy<br><br>Connections:<br><br> ABC: our_ip...customer_ip IKEv2, dpddelay=10s<br><br> ABC: local: [our_ip] uses pre-shared key authentication<br><br> ABC: remote: uses pre-shared key authentication<br><br> ABC: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart<br><br>Routed Connections:<br><br> ABC{1}: ROUTED, TUNNEL, reqid 1<br><br> ABC{1}: 0.0.0.0/0 === 0.0.0.0/0<br><br>Security Associations (1 up, 0 connecting):<br><br> ABC[2]: ESTABLISHED <span style="background-color:rgb(255,0,0)">100 minutes ago</span>, <br><br>our_ip[our_ip]...cust_ip[cust_ip]<br><br> ABC[2]: IKEv2 SPIs: dbd89039dce34530_i* c205c6cc199e40b9_r, pre-shared key reauthentication in 6 hours<br><br> ABC[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048<br><br> ABC{17}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c069ca3b_i 677c60a0_o<br><br> ABC{17}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 70685706 bytes_i (67965 pkts, 0s ago), 15688776 bytes_o (43835 pkts, 0s ago), rekeying in 35 minutes<br><br> ABC{17}: 0.0.0.0/0 === 0.0.0.0/0<br><br> ABC{18}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ccde01ee_i 1bea569d_o<br><br> ABC{18}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 8469388 bytes_i (9394 pkts, 0s ago), 5230408 bytes_o (8191 pkts, 0s ago), rekeying in 47 minutes<br><br> ABC{18}: 0.0.0.0/0 === 0.0.0.0/0<br><br>4) IPsec config<br><br><br><br>cat /etc/ipsec.conf <br><br><br><br>config setup<br><br> charondebug="ike 1, knl 0, cfg 0"<br><br>conn ABC <br><br> authby=secret<br><br> auto=route<br><br> dpddelay=10<br><br> dpdtimeout=30<br><br> dpdaction=restart<br><br> esp=aes256-sha256-modp2048<br><br> ike=aes256-sha256-modp2048<br><br> ikelifetime=28800s<br><br> lifetime=1h<br><br> keyexchange=ikev2<br><br> keyingtries=%forever<br><br> rekey=yes<br><br> margintime=9m<br><br> # Specifics<br><br> left=our_ip # Local private ip<br><br> leftsubnet=0.0.0.0/0 # Local VPC Subnet<br><br> leftid=our_ip<br><br> leftfirewall=yes<br><br> rightfirewall=no<br><br> right=cust_ip # Remote Tunnel IP<br><br> rightid=%any<br><br> rightsubnet=0.0.0.0/0 # Remote VPC Subnet<br><br> type=tunnel<br><br> mark=1000<br><br><br><br>5)<br><br>Charon config<br><br>cat /etc/strongswan.d/charon.conf <br><br># Options for the charon IKE daemon.<br><br># Do not install routes, otherwise you'll need to 'ip route del table 220 default' for VTI routing to work<br><br>charon {<br><br> install_routes = no<br><br> install_virtual_ip = no<br><br> make_before_break = yes<br><br> delete_rekeyed_delay = 10<br><br>}<br><br><br></div>
<div>Are there any special configs that will not disrupt the data payload traffic during the ikev2 rekeying?</div><div><br></div><div>Best,</div><div>Vick<br></div></div>
</blockquote></div>
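The fix George reports ("I disabled reauth") corresponds to the `reauth` keyword in ipsec.conf. The following is an added example, not the configuration from the thread, that takes the `conn ABC` block from the quoted post and makes that setting explicit; the values (lifetimes, proposals, `our_ip`, `cust_ip`, `/etc/ipsec.conf`) are the ones the post shows, and the comments explain which timer is responsible for the outage. The diagnosis in the comments is an inference from the quoted output: the BGP resets recur every 28800 s, which is the configured `ikelifetime`, while the CHILD_SA rekeys happen every `lifetime` minus `margintime` (about 51 minutes, matching "rekeying in 35/47 minutes" in `ipsec statusall`) without dropping the session.

```ini
# /etc/ipsec.conf -- added example based on the conn from the thread,
# not the poster's verified working configuration.
config setup
    charondebug="ike 1, knl 0, cfg 0"

conn ABC
    keyexchange=ikev2
    authby=secret
    auto=route
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048

    # IKE_SA lifetime. 28800s = 8h, the same period as the BGP resets in the
    # thread. With strongSwan's default reauth=yes the IKE_SA is not rekeyed
    # at this point but re-authenticated: a new IKE_SA is set up from scratch
    # and the old IKE_SA together with its CHILD_SAs is deleted, so ESP stops
    # briefly and the BGP TCP session over the tunnel is reset.
    ikelifetime=28800s
    # CHILD_SA (ESP) lifetime. This rekey uses CREATE_CHILD_SA and replaces the
    # ESP SAs in place; it is not what causes the outage.
    lifetime=1h
    margintime=9m
    rekey=yes

    # The fix from the thread. For IKEv2, reauth=no rekeys the IKE_SA in place
    # (CREATE_CHILD_SA with a fresh DH exchange) instead of reauthenticating,
    # and the existing CHILD_SAs stay installed. Trade-off: the peer's
    # credentials (here a PSK) are only verified when the IKE_SA is first
    # established, not again every 8h.
    reauth=no

    dpddelay=10
    dpdtimeout=30
    dpdaction=restart
    keyingtries=%forever
    left=our_ip
    leftid=our_ip
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=cust_ip
    rightid=%any
    rightsubnet=0.0.0.0/0
    rightfirewall=no
    type=tunnel
    mark=1000
```

After `ipsec reload` (or a restart) and the next IKE_SA establishment, the `ABC[...]` line in `ipsec statusall` should no longer report "reauthentication in ..." as it does in the quoted output. Note that `make_before_break = yes` in charon.conf, which the thread already had, only changes how a reauthentication is performed (new IKE_SA first, then delete the old one) and needs the peer to tolerate the overlapping SAs; with `reauth=no` it no longer comes into play for this connection.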