<div dir="ltr">Hi<div><br></div><div>Looks like the windows-native clients are behind nat-routers. And also somewhere its documented (in strongswan-wiki) windows-ikev2-clients especially behind nat-routers (meaning tunnel with NAT-T) do not respond or misbehave when the vpn-server initiates a rekey</div><div><br></div><div>Ofcourse as you have already mentioned, the windows-ikeve clients have their fixed lifetime of 8hrs, etc at which they initiate the rekeys</div><div><br></div><div>Now to avoid the problems associated with rekeying by windows-ikev2 clients, i am generally configuring the strongswan-vpn-server as below:</div><div><br></div><div><br>For Split-Tunnel:<br>---------------------<br>conn WindowsAndroidClients_wEAP<br> left=<your-public-internet-ipaddr-here><br> right=%any<br> leftsubnet=<a href="http://192.168.1.0/24,192.168.2.0/24,192.168.3.0/24,192.168.50.0/24">192.168.1.0/24,192.168.2.0/24,192.168.3.0/24,192.168.50.0/24</a><br> rightsourceip=10.181.12.101-10.181.12.120<br> ikelifetime=28800s<br> lifetime=3600s<br> rekey=no<br> reauth=no<br> dpddelay=40<br> dpdtimeout=120<br> dpdaction=clear<br> modeconfig=pull<br> ike=aes256-sha1-modp1024!<br> esp=aes256-sha1!<br> keyexchange=ikev2<br> leftauth=pubkey<br> rightauth=eap-radius<br> eap_identity=%any<br> leftsendcert=always<br> rightsendcert=never<br> leftid=<a href="http://vpnserver.dyndns.org">vpnserver.dyndns.org</a><br> rightid=%any<br> leftcert=/etc/ssl/certs/vpnserverCert.pem<br> auto=add<br><br>Or for FULL-Tunnel<br>-------------------<br><br>conn WindowsAndroidClients_wEAP<br> left=<your-public-internet-ipaddr-here><br> right=%any<br> leftsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a><br> rightsourceip=10.181.12.101-10.181.12.120<br> ikelifetime=86400s<br> lifetime=43200s<br> rekey=no<br> reauth=no<br> dpddelay=40<br> dpdtimeout=120<br> dpdaction=clear<br> modeconfig=pull<br> ike=aes256-sha1-modp1024!<br> esp=aes256-sha1!<br> keyexchange=ikev2<br> leftauth=pubkey<br> rightauth=eap-radius<br> eap_identity=%any<br> leftsendcert=always<br> rightsendcert=never<br> leftid=<a href="http://vpnserver.dyndns.org">vpnserver.dyndns.org</a><br> rightid=%any<br> leftcert=/etc/ssl/certs/vpnserverCert.pem<br> auto=add<br> <br>-------------------------------------------------------<br><br></div><div>The key points to note in the config above is:</div><div>1. The IKE-SA and Child-SA lifetimes on the VPN-Server only is set to High</div><div><br></div><div>2. And to avoid the server from initiating the rekeying altogether, iam using the option "rekey=no". This does not prevent the server from responding to rekey-requests from the remote-clients and goes thru the rekeying process without any issues (when initiated from the clients themselves...who are generally behind nat-routers invariably)</div><div><br></div><div>3. And lastly to avoid proposal-mismatches, iam setting the algorithms on the vpn-server as given above, and will accept ONLY these proposal for IKEv2 and ESP</div><div><br></div><div><br></div><div>Try the above, and hopefully it should solve your issue. Also try to visit the strongswan-wiki site and read thru the info on issues/caveats/config-info for Windows-Native-IKEv2 clients with Strongswan-server, There are a number of points that are important to know. There is one section for MacOS/iOS-IKEv2 clients too...</div><div><br></div><div>hope this helps</div><div><br></div><div>thanks & regards</div><div>Rajiv</div><div><br></div><div><br></div><div><br></div><div><br></div><div> </div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Jan 15, 2022 at 1:37 AM Chris Sherry <<a href="mailto:smilinjoe@gmail.com">smilinjoe@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Ed,<div><br></div><div>I had this issue awhile back. Using the native Windows client to connect Fortigate firewalls. We found that with the default Windows proposal, the client was re-keying with different ciphers than the original. We found two ways around this, change the phase1 keylifetime to 7 hours, or update the proposal sent by the client. I am hunting for that command line to share.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jan 14, 2022 at 8:49 AM Ed Hunter <<a href="mailto:edhunterr@outlook.com" target="_blank">edhunterr@outlook.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div>
<p class="MsoNormal"><span lang="EN-GB">Hello everyone,<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">I’m having trouble with my roadwarrior VPNs. They are Windows 10 devices on the other end, using the native windows VPN client and i have figured out that Windows issues a rekey automatically around the 8th hour mark.That
for some reason, is something strongswan does not like and the VPN is dropped so the client needs to reconnect manually.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">I don’t have the logs for that but i can get them tomorrow most likely but i think i know what might be wrong here. As i understand, Windows does issue a re-authentication for Phase1 at the 8th hour mark. Maybe my algorithms
at my strongswan side do not match what windows is trying with? How could I change that if that is the case?<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">Now, i tried to issue the rekey from the server side, by lowering ikelifetime to 360m from 1440m. See full config below<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">conn VPN_x_xxxx<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> keyexchange=ikev2<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> ike=aes256-sha1-modp1024,aes256-sha256-modp2048!<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> esp=aes256-sha1,aes256-sha256-modp2048!<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> left=yyy.yyy.yyy.yyy<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> leftauth=pubkey<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> leftcert=service-VPN-ldgateway.pem.rsa<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> leftid="C=XX, ST=xxxx, L=xxxx, O=xxxxxxxxxxxx, OU=xx, CN=xxx.xxx.xxx,
<a href="mailto:E=xx@xx.com" target="_blank"><span style="color:rgb(5,99,193)">E=xx@xx.com</span></a>"<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> right=%any<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> rightdns=192.168.0.1,192.168.0.2,192.168.111.254<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> rightsourceip=<a href="http://172.26.232.0/24" target="_blank">172.26.232.0/24</a><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> rightgroups=<a href="mailto:xxxx@xx.com" target="_blank"><span style="color:rgb(5,99,193)">xxxx@xx.com</span></a><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> rightauth=eap-radius<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> eap_identity=%identity<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> auto=add<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> ikelifetime=360m<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> lifetime=1h<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> rekey=yes<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> margintime=3m<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> keyingtries=5<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> rekeyfuzz=100%<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> inactivity=2h<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> dpddelay=20s<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> dpdtimeout=120s<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"> dpdaction=clear<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">But this does not work either, i get the following at the 6 hour mark, on reauth attempt -><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 06[IKE] initiator did not reauthenticate as requested<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 06[IKE] IKE_SA VPN_x_xxxx[71277] will timeout in 3 minutes<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 14[IKE] deleting IKE_SA VPN_x_xxxx[71277] between yyy.yyy.yyy.yyy[C=XX, ST=xxxx, L=xxxx, O=xxxxxxxxxxxx, OU=xx, CN=xxx.xxx.xxx,
<a href="mailto:E=xx@xx.com" target="_blank"><span style="color:rgb(5,99,193)">E=xx@xx.com</span></a>]..<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">.xxx.xxx.xxx.xxx[192.168.0.49]<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 14[IKE] sending DELETE for IKE_SA VPN_x_xxxx[71277]<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 14[ENC] generating INFORMATIONAL request 27 [ D ]<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 14[NET] sending packet: from yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500] (76 bytes)<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 04[NET] received packet: from xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (76 bytes)<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 04[ENC] parsed INFORMATIONAL response 27 [ ]<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 04[IKE] IKE_SA deleted<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 04[CFG] lease 172.26.232.7 by 'DOMAIN\user1' went offline<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">Now, if i issue <b>ipsec stroke rekey</b>, i think, reauth goes through. What is the difference? See below after manually issuing a stroke rekey -><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 14[CFG] received stroke: rekey 'VPN_x_xxxx[71705]'<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 08[IKE] initiating IKE_SA VPN_x_xxxx[71709] to xxx.xxx.xxx.xxx<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 08[ENC] generating CREATE_CHILD_SA request 0 [ SA No KE ]<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 08[NET] sending packet: from yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500] (348 bytes)<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 15[NET] received packet: from xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (316 bytes)<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 15[ENC] parsed CREATE_CHILD_SA response 0 [ SA KE No ]<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 15[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 15[IKE] scheduling reauthentication in 21275s<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 15[IKE] maximum IKE_SA lifetime 21455s<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 15[IKE] IKE_SA VPN_x_xxxx[71709] rekeyed between yyy.yyy.yyy.yyy[C=XX, ST=xxxx, L=xxxx, O=xxxxxxxxxxxx, OU=xx, CN=xxx.xxx.xxx,
<a href="mailto:E=xx@xx.com]...xxx.xxx.xxx.xxx[192.168.0.50" target="_blank"><span style="color:rgb(5,99,193)">E=xx@xx.com]...xxx.xxx.xxx.xxx[192.168.0.50</span></a>]<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 15[IKE] rescheduling reauthentication in 15789s after rekeying, lifetime reduced to 15969s<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 15[IKE] deleting IKE_SA VPN_x_xxxx[71705] between yyy.yyy.yyy.yyy[C=XX, ST=xxxx, L=xxxx, O=xxxxxxxxxxxx, OU=xx, CN=xxx.xxx.xxx,
<a href="mailto:E=xx@xx.com]...xxx.xxx.xxx.xxx[192.168.0.50" target="_blank"><span style="color:rgb(5,99,193)">E=xx@xx.com]...xxx.xxx.xxx.xxx[192.168.0.50</span></a>]<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 15[IKE] sending DELETE for IKE_SA VPN_x_xxxx[71705]<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 15[ENC] generating INFORMATIONAL request 1 [ D ]<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 15[NET] sending packet: from yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500] (76 bytes)<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 13[NET] received packet: from xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (76 bytes)<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 13[ENC] parsed INFORMATIONAL response 1 [ ]<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">charon: 13[IKE] IKE_SA deleted<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">Thank you.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB">Spyro<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</blockquote></div>
</blockquote></div>