[strongSwan-dev] IKEv1 rekey issue

Manju Prabhu manjunath.mp at gmail.com
Tue Dec 11 01:41:50 CET 2018


Hi,
I am using IKEv1 with a short IKE rekey timer (300 seconds) between 2 peers
(IP1 and IP2). Both peers run charon. The IPsec key timer is 3000 seconds.

After a few rekeys, when IP1 receives a rekey request from IP2 and, around
the same time, also initiates a rekey request because its own rekey timer
expired, the tunnel on IP1 is left without any CHILD_SA. It looks like,
before the migration of the CHILD_SA from IKE (I1, R1) to IKE (I2, R2),
IP1 received a delete request and deleted both the IKE and the IPsec SAs.

Before the issue:
------------------------
vm5:/var/log# ip netns exec 1 swanctl -l
ipsec1_1: #101, ESTABLISHED, IKEv1, d754d3f7ca8134a4_i* 8d1c18fd9b44b175_r
  local  '10.1.15.15' @ 10.1.15.15[4500]
  remote '10.1.16.16' @ 10.1.16.16[4500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096
  established 2s ago, rekeying in 275s
ipsec1_1: #100, ESTABLISHED, IKEv1, 02274de15189fff6_i eed26f429eea8a8b_r*
  local  '10.1.15.15' @ 10.1.15.15[4500]
  remote '10.1.16.16' @ 10.1.16.16[4500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096
  established 7s ago, rekeying in 290s
  child_ipsec1_1: #4, reqid 4, INSTALLED, TUNNEL-in-UDP, ESP:NULL/HMAC_SHA1_96/MODP_4096
    installed 1134s ago, rekeying in 2150s, expires in 2827s
    in  00000103,    750 bytes,     5 packets,  8538s ago
    out 00000803,    750 bytes,     5 packets,  1133s ago
    local  0.0.0.0/0
    remote 0.0.0.0/0
ipsec1_1: #99, REKEYING, IKEv1, 9dab5305ef607f15_i 750c99560388ed50_r*
  local  '10.1.15.15' @ 10.1.15.15[4500]
  remote '10.1.16.16' @ 10.1.16.16[4500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096
vm5:/var/log#
After the issue
--------------------
vm5:/var/log# ip netns exec 1 swanctl -l
ipsec1_1: #101, ESTABLISHED, IKEv1, d754d3f7ca8134a4_i* 8d1c18fd9b44b175_r
  local  '10.1.15.15' @ 10.1.15.15[4500]
  remote '10.1.16.16' @ 10.1.16.16[4500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096
  established 13s ago, rekeying in 264s

The system does not recover from this state. Attached logs from both IP1
and IP2.

Thanks,
Manju
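A check for the symptom described in this message, as an added example that is not part of the original post and not strongSwan's own code: it parses the text that `swanctl -l` prints and reports connections whose IKE SAs no longer carry an INSTALLED CHILD_SA. A lone IKE SA without a child is normal in the middle of a rekey (the new IKE SA has none until the CHILD_SA is migrated), so the check is per connection, not per IKE SA. The sample input is constructed from the two listings above (with the wrapped child line joined back together); the function names and the regular expressions are the example's own assumptions about the output format, not a documented interface.

```python
"""Flag connections that have lost all CHILD_SAs in `swanctl --list-sas` output.

Added example (not strongSwan code): a small parser for the text that
`swanctl -l` prints, used to detect the state reported after the rekey
collision: an ESTABLISHED IKE SA with no CHILD_SA left on the connection.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# IKE SA line, column 0:  "<conn>: #<id>, <STATE>, IKEv1, <spi_i> <spi_r>"
IKE_RE = re.compile(
    r"^(?P<conn>\S+): #(?P<id>\d+), (?P<state>[A-Z_]+), (?P<version>IKEv[12]),")
# CHILD_SA line, two-space indent: "  <child>: #<id>, reqid <n>, <STATE>, <mode>, <proposal>"
CHILD_RE = re.compile(
    r"^  (?P<name>\S+): #(?P<id>\d+), reqid (?P<reqid>\d+), (?P<state>[A-Z_]+),")
# IKE SA timers, two-space indent only (child timers are indented four spaces)
IKE_REKEY_RE = re.compile(r"^  established \S+ ago, rekeying in (?P<secs>\d+)s")


@dataclass
class IkeSa:
    conn: str
    id: int
    state: str
    version: str
    rekey_in: Optional[int] = None
    # (child name, child id, child state)
    children: List[Tuple[str, int, str]] = field(default_factory=list)


def parse_swanctl(text: str) -> List[IkeSa]:
    """Parse `swanctl -l` output into IkeSa records with their CHILD_SAs."""
    sas: List[IkeSa] = []
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            sas.append(IkeSa(m["conn"], int(m["id"]), m["state"], m["version"]))
            continue
        if not sas:
            continue  # shell prompt or other text before the first IKE SA
        m = CHILD_RE.match(line)
        if m:
            sas[-1].children.append((m["name"], int(m["id"]), m["state"]))
            continue
        m = IKE_REKEY_RE.match(line)
        if m:
            sas[-1].rekey_in = int(m["secs"])
    return sas


def connections_without_child(sas: List[IkeSa]) -> List[str]:
    """Connections with at least one IKE SA but no INSTALLED CHILD_SA on any of them."""
    by_conn: Dict[str, List[IkeSa]] = {}
    for sa in sas:
        by_conn.setdefault(sa.conn, []).append(sa)
    return sorted(
        conn for conn, group in by_conn.items()
        if not any(state == "INSTALLED" for sa in group for _, _, state in sa.children)
    )


# Constructed sample input, taken from the listings in the post above.
BEFORE = """\
vm5:/var/log# ip netns exec 1 swanctl -l
ipsec1_1: #101, ESTABLISHED, IKEv1, d754d3f7ca8134a4_i* 8d1c18fd9b44b175_r
  local  '10.1.15.15' @ 10.1.15.15[4500]
  remote '10.1.16.16' @ 10.1.16.16[4500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096
  established 2s ago, rekeying in 275s
ipsec1_1: #100, ESTABLISHED, IKEv1, 02274de15189fff6_i eed26f429eea8a8b_r*
  local  '10.1.15.15' @ 10.1.15.15[4500]
  remote '10.1.16.16' @ 10.1.16.16[4500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096
  established 7s ago, rekeying in 290s
  child_ipsec1_1: #4, reqid 4, INSTALLED, TUNNEL-in-UDP, ESP:NULL/HMAC_SHA1_96/MODP_4096
    installed 1134s ago, rekeying in 2150s, expires in 2827s
    in  00000103,    750 bytes,     5 packets,  8538s ago
    out 00000803,    750 bytes,     5 packets,  1133s ago
    local  0.0.0.0/0
    remote 0.0.0.0/0
ipsec1_1: #99, REKEYING, IKEv1, 9dab5305ef607f15_i 750c99560388ed50_r*
  local  '10.1.15.15' @ 10.1.15.15[4500]
  remote '10.1.16.16' @ 10.1.16.16[4500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096
"""

AFTER = """\
vm5:/var/log# ip netns exec 1 swanctl -l
ipsec1_1: #101, ESTABLISHED, IKEv1, d754d3f7ca8134a4_i* 8d1c18fd9b44b175_r
  local  '10.1.15.15' @ 10.1.15.15[4500]
  remote '10.1.16.16' @ 10.1.16.16[4500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096
  established 13s ago, rekeying in 264s
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        sas = parse_swanctl(text)
        print(label, [(s.id, s.state, len(s.children)) for s in sas],
              "no CHILD_SA:", connections_without_child(sas))
```

Run against the "before" listing the check reports nothing, because IKE SA #100 still holds the INSTALLED child even though #101 and #99 have none; against the "after" listing it reports `ipsec1_1`, the state the post says charon does not recover from. Piping live `swanctl -l` output into `parse_swanctl` from a cron job or a monitoring agent turns the same check into an alert.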