[strongSwan] Windows 7 seems to drop connection when rekeying main mode SA's
hkbakke at gmail.com
Tue Jan 10 15:07:44 CET 2012
I have a setup with Strongswan on a VPN-server/firewall with Windows 7
based roadwarriors using the agile client.
After disabling rekeying for Windows 7 connection I got rid of most of
the reconnects caused by rekeying the SAs, but I still have one
annoying connection interruption left.
With about 3 hour intervals the connection drops before automatically
3 hours is the default IKE SA lifetime in strongswan but I don't know
if it's active when rekeying is off (ipsec statusall confirms this).
In Windows it seems to be 8 hours in all the setting screens (IKE SA =
main mode SA in Windows 7 if I understand things correctly).
But for some reason IP Security Monitor on Windows 7 reports 10800s as
main mode SA lifetime. Even if I change ikelifetime on the Strongswan
server to e.g. 8 or 12h it is still 3h.
Now, the problem isn't really the 3h interval, it's that all the
connections drop for a while until reconnect. I want a 100% permanent
connection like I get to native Linux/strongswan clients (as long as
reauth is off)
I have several theories:
1. Windows 7 always causes disconnects when renegotiating main mode
SAs, i.e. it always does a full reauth, but the rather slow detection of
connection loss seems to indicate that just a reauth is the case here.
2. Windows 7 operates with 8h lifetime regardless of the 10800s
lifetime, and Strongswan always uses 3h when rekey is off. When the
IKE SA times out on Strongswan, the connection drops and Windows
detects this after a while and restarts the connection.
3. Strongswan doesn't handle the IKE SA renegotiation from Windows 7 correctly.
4. The problem isn't related to renegotiating at all, but only to the
SA timing out.
I also wonder where the 10800s Main Mode SA lifetime comes from,
regardless of ikelifetime and rekey on/off.
I also have several Debian/Strongswan-servers connected as
roadwarriors (they are behind NAT, and one server is on the same
network/line as the Windows 7 client) and they seem to be working
flawlessly without any interruptions in connectivity.
When using OpenVPN as a drop-in replacement for Agile/Strongswan
between the client and VPN-gateway the connection is 100% stable for
days without SSH sessions dropping. In other words I know the issue is
IPsec related (could of course be the firewall, but I don't know how that
could happen) and not network related.
How can I configure things to get a 100% connected Windows 7 ->
My configuration file:
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
# Add connections here.
rightid="C=NO, ST=Oppland, O=marsboer.net, OU=Backup server,
rightid="C=NO, ST=Oppland, O=marsboer.net, OU=Roadwarriors,
rightid="C=NO, ST=Oppland, O=marsboer.net, OU=VPN fileserver,
The Windows 7 side is configured according to the Strongswan
instructions with IKEv2 and mobility activated (5 minutes network