[strongSwan] Windows 7 seems to drop connection when rekeying main mode SA's
Hans-Kristian Bakke
hkbakke at gmail.com
Tue Jan 10 15:07:44 CET 2012
Hi
I have a setup with Strongswan on a VPN-server/firewall with Windows 7
based roadwarriors using the agile client.
After disabling rekeying for the Windows 7 connection I got rid of most of
the reconnects caused by rekeying the SAs, but I still have one
annoying connection interruption left.
With about 3 hour intervals the connection drops before automatically
reconnecting.
3 hours is the default IKE SA lifetime in strongswan, but I don't know
if it's active when rekeying is off (ipsec statusall confirms this).
In Windows it seems to be 8 hours in all the setting screens (IKE SA =
main mode SA in Windows 7 if I understand things correctly).
But for some reason IP Security Monitor on Windows 7 reports 10800s as
main mode SA lifetime. Even if I change ikelifetime on the Strongswan
server to i.e. 8 or 12h it is still 3h.
Now, the problem isn't really the 3h interval, it's that all the
connections drop for a while until reconnect. I want a 100% permanent
connection like I get to native Linux/strongswan clients (as long as
reauth is off).
I have several theories:
1. Windows 7 always causes disconnects when renegotiating main mode
SAs, i.e. it always does a full reauth, but the rather slow detection of
connection loss seems to indicate that just a reauth is the case here.
2. Windows 7 operates with 8h lifetime regardless of the 10800s
lifetime, and Strongswan always uses 3h when rekey is off. When the
IKE SA times out on Strongswan, the connection drops and Windows
detects this after a while and restarts the connection.
3. Strongswan doesn't handle the IKE SA renegotiation from Windows 7 correctly.
4. The problem isn't related to renegotiating at all, but only to the
SA timing out.
I also wonder where the 10800s Main Mode SA lifetime comes from,
regardless of ikelifetime and rekey on/off.
I also have several Debian/Strongswan-servers connected as
roadwarriors (they are behind NAT, and one server is on the same
network/line as the Windows 7 client) and they seem to be working
flawlessly without any interruptions in connectivity.
When using OpenVPN as a drop-in replacement for Agile/Strongswan
between the client and VPN-gateway the connection is 100% stable for
days without SSH-sessions dropping. In other words I know the issue is
IPSec related (could of course be firewall, but I don't know how that
could happen) and not network related.
My question:
How can I configure things to get a 100% connected Windows 7 ->
Strongswan setup?
My configuration file:
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    charonstart=yes
    plutostart=no
# Add connections here.
conn %default
    keyexchange=ikev2
    auth=esp
    authby=pubkey
    mobike=yes
    leftauth=pubkey
    left=%defaultroute
    leftcert=vpn-serverCert.pem
    leftfirewall=no
    leftsubnet=0.0.0.0/0
    reauth=no
    type=tunnel
    dpdaction=clear
    dpddelay=300s
conn rw-uranus
    right=%any
    rightsourceip=10.0.1.2
    rightid="C=NO, ST=Oppland, O=marsboer.net, OU=Backup server, CN=uranus.marsboer.net"
    auto=add
    ike=aes256-aesxcbc-ecp521
    esp=aes256gcm16-ecp521
conn windows-7
    right=%any
    rightsourceip=10.0.1.3
    rightid="C=NO, ST=Oppland, O=marsboer.net, OU=Roadwarriors, CN=rw01.marsboer.net"
    auto=add
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
    rekey=no
conn rw-europa
    right=%any
    rightsourceip=10.0.1.4
    rightid="C=NO, ST=Oppland, O=marsboer.net, OU=VPN fileserver, CN=europa.marsboer.net"
    auto=add
    ike=aes256-aesxcbc-ecp521
    esp=aes256gcm16-ecp521
The Windows 7 side is configured according to the Strongswan
instructions with IKEv2 and mobility activated (5 minutes network
outage time).
Regards,
Hans-Kristian Bakke
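As an added check (not part of the original post), a small Python script that parses an ipsec.conf like the one above, applies conn %default inheritance on top of strongSwan's documented built-in defaults (assumed here: ikelifetime=3h, lifetime=1h, margintime=9m, rekey=yes), and reports the effective IKE SA lifetime and rekey setting per conn; the embedded config is a trimmed copy of the post's. Note that rekey=no only stops strongSwan from initiating a rekey; the IKE SA still expires when ikelifetime (3h by default) elapses unless the peer rekeys it first.

```python
import re

# strongSwan built-in defaults relevant here (assumed); ikelifetime defaults to 3h (10800s).
DEFAULTS = {"ikelifetime": "3h", "lifetime": "1h", "margintime": "9m", "rekey": "yes"}

# Constructed sample: the conn sections from the post's ipsec.conf, trimmed.
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2
    reauth=no
    dpddelay=300s
conn windows-7
    ike=aes256-sha1-modp1024
    rekey=no
conn rw-europa
    ike=aes256-aesxcbc-ecp521
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every conn section, comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line starts a section ('conn NAME', 'config setup')
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(name, {}) if kind == "conn" else None
        elif current is not None:  # indented key=value belongs to the current conn
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def to_seconds(value):
    """Convert an ipsec.conf time value ('3h', '9m', '300s', '2d', '10800') to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad time value: %r" % value)
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]

def effective_settings(sections, conn):
    """Merge built-in defaults, 'conn %default' and the conn itself; later layers win."""
    merged = dict(DEFAULTS)
    merged.update(sections.get("%default", {}))
    merged.update(sections[conn])
    merged["ikelifetime_seconds"] = to_seconds(merged["ikelifetime"])
    # rekey=no only stops this side from initiating a rekey; the IKE SA is still
    # torn down when ikelifetime elapses unless the peer rekeys it first.
    merged["expires_unless_peer_rekeys"] = merged["rekey"] == "no"
    return merged
```

Running it against the real /etc/ipsec.conf (read the file into parse_ipsec_conf) shows which conns will silently hit the 10800s expiry with no rekey initiated from the strongSwan side.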