[strongSwan] Rekeying not working to bintec R3000

Stefan Bauer stefan.bauer at cubewerk.de
Thu Nov 8 08:44:25 CET 2012


Dear Developers/Users,

first of all - thank you for your software - it's awesome and serves quite well for several hundred customers at our site every day.

We're using Linux strongSwan U4.5.1/K2.6.26-2-686f.
At the customer site: Bintec R3000 version V.7.9 Rev. 5 (Patch 4), IPSec from 2010/12/21 00:00:00.

With the customer that has a bintec router we have the problem that, after the phase 2 lifetime has expired, no rekeying is successful, hence the tunnel is down. This happens after around 8 hours every time.

Not even an ipsec down & ipsec up restarts the tunnel. We have to do the following:

add auto=ignore to the connection
ipsec update
remove the auto=ignore
ipsec update

and only then are we able to bring up the tunnel.

Please find attached the configuration from both sides:

bintec: Phase1

   Description (Idx 2)   :  support
   Proposal              :  6 (DES3/SHA1)
   Lifetime Policy       :  Propose this lifetime, accept and use all proposals
                            Seconds: 28800       KBytes: 50000
   Group                 :  2 (1024 bit MODP)
   Authentication Method :  Pre Shared Keys
   Mode                  :  id_protect
   Alive Check           :  none
   Block Time            :  -1
   Local ID              :  customer-ip
   Local Certificate     :  none
   CA Certificates       :
   Nat-Traversal         :  enabled


bintec: Phase2

   Description (Idx 1)   :  support

   Proposal              :  7 (ESP(DES3/SHA1) no Comp)
   Lifetime Policy       :  Propose this lifetime, accept and use all proposals
                            Seconds: 28800       KBytes: 50000
   Use PFS               :  group 2 (1024 bit MODP)
   Alive Check           :  none
   Propagate PMTU        :  no


Strongswan:

config setup
        nat_traversal=yes
        charonstart=yes
        plutostart=yes
        plutodebug=control
        plutostderrlog=/var/log/strongswan/pluto.log
        charondebug=control
        strictcrlpolicy=no

#Default Settings
conn %default
        type=tunnel
        left=our-pub-ip
        leftnexthop=gw
        leftsubnet=our-localnet
        leftid=our-id
        keyexchange=ikev1
        authby=secret
        ike=aes256-sha1-modp1024
        ikelifetime=8h #28800 secs
        rekeymargin=3m
        keyingtries=1
        auth=esp
        esp=aes256-sha1
        keylife=1h #3600secs
        pfs=yes
        dpddelay=30
        dpdtimeout=120
        dpdaction=hold
        compress=no
        mobike=no
        auto=start


conn customer
        right=customer-pub-id
        rightid=customer-id
        rightsubnet=network1/23
        esp=3des-sha1
        ike=3des-sha1-modp1024
        keylife=28800

conn customer
        right=customer-pub-id
        rightid=customer-id
        rightsubnet=network2/24
        esp=3des-sha1
        ike=3des-sha1-modp1024
        keylife=28800


It would be great to get some input as this is driving us nuts.
Any help is greatly appreciated.


Kind regards

Stefan Bauer
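A sanity check over the ipsec.conf posted above, added here as an illustration and not part of the original mail or of strongSwan itself: it applies %default inheritance, converts the lifetime values to seconds, and reports conns whose CHILD_SA lifetime (keylife) is not shorter than the IKE_SA lifetime (ikelifetime), plus duplicate conn names. The embedded excerpt is a constructed subset of the posted config; strongSwan's documented defaults (ikelifetime=3h, keylife=1h, rekeymargin=9m) are assumed for missing keys.

```python
import re

# Constructed excerpt of the ipsec.conf from the mail (placeholders kept as posted).
IPSEC_CONF = """\
conn %default
        ikelifetime=8h #28800 secs
        rekeymargin=3m
        keylife=1h #3600secs

conn customer
        rightsubnet=network1/23
        keylife=28800

conn customer
        rightsubnet=network2/24
        keylife=28800
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def to_seconds(value):
    """Parse an ipsec.conf time value such as '8h', '3m' or '28800' (bare = seconds)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad time value: %r" % value)
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_conns(text):
    """Return an ordered list of (name, settings) per conn section; '#' comments stripped."""
    conns, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = (line.split(None, 1)[1].strip(), {})
            conns.append(current)
        elif current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            current[1][key.strip()] = val.strip()
    return conns

def check_lifetimes(text):
    """Report conns whose keylife is not below ikelifetime, and duplicate conn names."""
    conns = parse_conns(text)
    defaults = next((s for n, s in conns if n == "%default"), {})
    findings, seen = [], set()
    for name, settings in conns:
        if name == "%default":
            continue
        if name in seen:
            findings.append("duplicate conn name %r (conn names must be unique)" % name)
        seen.add(name)
        eff = {**defaults, **settings}  # conn-specific keys override %default
        ike = to_seconds(eff.get("ikelifetime", "3h"))  # strongSwan default assumed
        key = to_seconds(eff.get("keylife", "1h"))      # strongSwan default assumed
        if key >= ike:
            findings.append("conn %s: keylife=%ds is not shorter than ikelifetime=%ds"
                            % (name, key, ike))
    return findings
```

Running check_lifetimes(IPSEC_CONF) flags both customer conns (keylife 28800 equals the 8h ikelifetime) and the duplicated conn name.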



