<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-GB">Hello everyone,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">I’m having trouble with my roadwarrior VPNs. They are Windows 10 devices on the other end, using the native windows VPN client and i have figured out that Windows issues a rekey automatically around the 8th hour mark.That
for some reason, is something strongswan does not like and the VPN is dropped so the client needs to reconnect manually.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">I don’t have the logs for that but i can get them tomorrow most likely but i think i know what might be wrong here. As i understand, Windows does issue a re-authentication for Phase1 at the 8th hour mark. Maybe my algorithms
at my strongswan side do not match what windows is trying with? How could I change that if that is the case?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Now, i tried to issue the rekey from the server side, by lowering ikelifetime to 360m from 1440m. See full config below<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">conn VPN_x_xxxx<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> keyexchange=ikev2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> ike=aes256-sha1-modp1024,aes256-sha256-modp2048!<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> esp=aes256-sha1,aes256-sha256-modp2048!<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> left=yyy.yyy.yyy.yyy<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> leftsubnet=0.0.0.0/0<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> leftauth=pubkey<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> leftcert=service-VPN-ldgateway.pem.rsa<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> leftid="C=XX, ST=xxxx, L=xxxx, O=xxxxxxxxxxxx, OU=xx, CN=xxx.xxx.xxx,
<a href="mailto:E=xx@xx.com"><span style="color:#0563C1">E=xx@xx.com</span></a>"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> right=%any<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> rightdns=192.168.0.1,192.168.0.2,192.168.111.254<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> rightsourceip=172.26.232.0/24<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> rightgroups=<a href="mailto:xxxx@xx.com"><span style="color:#0563C1">xxxx@xx.com</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> rightauth=eap-radius<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> eap_identity=%identity<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> auto=add<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> ikelifetime=360m<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> lifetime=1h<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> rekey=yes<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> margintime=3m<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> keyingtries=5<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> rekeyfuzz=100%<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> inactivity=2h<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> dpddelay=20s<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> dpdtimeout=120s<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> dpdaction=clear<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">But this does not work either, i get the following at the 6 hour mark, on reauth attempt -><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 06[IKE] initiator did not reauthenticate as requested<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 06[IKE] IKE_SA VPN_x_xxxx[71277] will timeout in 3 minutes<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 14[IKE] deleting IKE_SA VPN_x_xxxx[71277] between yyy.yyy.yyy.yyy[C=XX, ST=xxxx, L=xxxx, O=xxxxxxxxxxxx, OU=xx, CN=xxx.xxx.xxx,
<a href="mailto:E=xx@xx.com"><span style="color:#0563C1">E=xx@xx.com</span></a>]..<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">.xxx.xxx.xxx.xxx[192.168.0.49]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 14[IKE] sending DELETE for IKE_SA VPN_x_xxxx[71277]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 14[ENC] generating INFORMATIONAL request 27 [ D ]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 14[NET] sending packet: from yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500] (76 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 04[NET] received packet: from xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (76 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 04[ENC] parsed INFORMATIONAL response 27 [ ]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 04[IKE] IKE_SA deleted<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 04[CFG] lease 172.26.232.7 by 'DOMAIN\user1' went offline<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Now, if i issue <b>ipsec stroke rekey</b>, i think, reauth goes through. What is the difference? See below after manually issuing a stroke rekey -><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 14[CFG] received stroke: rekey 'VPN_x_xxxx[71705]'<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 08[IKE] initiating IKE_SA VPN_x_xxxx[71709] to xxx.xxx.xxx.xxx<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 08[ENC] generating CREATE_CHILD_SA request 0 [ SA No KE ]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 08[NET] sending packet: from yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500] (348 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 15[NET] received packet: from xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (316 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 15[ENC] parsed CREATE_CHILD_SA response 0 [ SA KE No ]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 15[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 15[IKE] scheduling reauthentication in 21275s<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 15[IKE] maximum IKE_SA lifetime 21455s<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 15[IKE] IKE_SA VPN_x_xxxx[71709] rekeyed between yyy.yyy.yyy.yyy[C=XX, ST=xxxx, L=xxxx, O=xxxxxxxxxxxx, OU=xx, CN=xxx.xxx.xxx,
<a href="mailto:E=xx@xx.com]...xxx.xxx.xxx.xxx[192.168.0.50"><span style="color:#0563C1">E=xx@xx.com]...xxx.xxx.xxx.xxx[192.168.0.50</span></a>]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 15[IKE] rescheduling reauthentication in 15789s after rekeying, lifetime reduced to 15969s<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 15[IKE] deleting IKE_SA VPN_x_xxxx[71705] between yyy.yyy.yyy.yyy[C=XX, ST=xxxx, L=xxxx, O=xxxxxxxxxxxx, OU=xx, CN=xxx.xxx.xxx,
<a href="mailto:E=xx@xx.com]...xxx.xxx.xxx.xxx[192.168.0.50"><span style="color:#0563C1">E=xx@xx.com]...xxx.xxx.xxx.xxx[192.168.0.50</span></a>]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 15[IKE] sending DELETE for IKE_SA VPN_x_xxxx[71705]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 15[ENC] generating INFORMATIONAL request 1 [ D ]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 15[NET] sending packet: from yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500] (76 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 13[NET] received packet: from xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (76 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 13[ENC] parsed INFORMATIONAL response 1 [ ]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 13[IKE] IKE_SA deleted<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Thank you.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Spyro<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>