[strongSwan] Rekeying fails
John A. Sullivan III
jsullivan at opensourcedevel.com
Thu Jun 27 10:36:21 CEST 2013
Hello, all. I am using Linux strongSwan U4.5.2/K3.2.0-23-generic on
Ubuntu 12.04 to protect GRE tunnels containing OSPF among other things
using transport mode with certificates. There are two bare metal
instances running from our data centers and two EC2 instances in
Amazon's cloud (which must use NAT traversal). It makes no difference
in that all the sessions fail to rekey - data center to data center and
data center to cloud. The connections are successfully established when
ipsec starts but simply fail to rekey.
I can see the rekey attempts but they fail:
Jun 26 12:30:35 gw8-2 charon: 10[IKE] queueing IKE_REAUTH task
Jun 26 12:30:35 gw8-2 charon: 10[IKE] activating new tasks
Jun 26 12:30:35 gw8-2 charon: 10[IKE] activating IKE_REAUTH task
Jun 26 12:30:35 gw8-2 charon: 10[IKE] deleting IKE_SA gw16-32[2] between x.x.219.226[CN=datacentergw, OU=VPN, DC=mycompany, DC=com]...y.y.140.68[CN=cloudgw, OU=VPN, DC=mycompany . .
Jun 26 12:30:35 gw8-2 charon: 10[IKE] IKE_SA gw16-32[2] state change: ESTABLISHED => DELETING
Jun 26 12:30:35 gw8-2 charon: 10[IKE] sending DELETE for IKE_SA gw16-32[2]
Jun 26 12:30:35 gw8-2 charon: 10[ENC] generating INFORMATIONAL request 1122 [ D ]
Jun 26 12:30:35 gw8-2 charon: 10[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
Jun 26 12:30:35 gw8-2 charon: 12[NET] received packet: from y.y.140.68[4500] to x.x.219.226[4500]
Jun 26 12:30:35 gw8-2 charon: 12[ENC] parsed INFORMATIONAL response 1122 [ ]
Jun 26 12:30:35 gw8-2 charon: 12[IKE] IKE_SA deleted
Jun 26 12:30:35 gw8-2 charon: 12[IKE] unable to reauthenticate IKE_SA, no CHILD_SA to recreate
Jun 26 12:30:35 gw8-2 charon: 12[IKE] IKE_SA gw16-32[2] state change: DELETING => DESTROYING
I've tried disabling mobike. I've tried setting dpdaction=restart and
hold. I've tried setting reauth=no.
Here is a typical configuration:
config setup
        plutodebug=all
        charondebug="ike 4"
        nat_traversal=yes
        charonstart=yes
        plutostart=yes

conn %default
        left=x.x.219.226 # Do NOT use %defaultroute as that may change with OSPF
        leftrsasigkey=%cert
        leftcert=cert1.pem
        leftid="CN=datacentergw,OU=VPN,DC=mycompany,DC=com"
        keyingtries=20
        authby=rsasig
        rightrsasigkey=%cert
        keylife=60m
        rekeymargin=5m
        ikelifetime=3h
        reauth=no
        mobike=no
        auto=ignore

include /etc/ipsec.d/remotenets/*.conf

conn gw16-48
        right=y.y.137.197
        rightid="CN=cloudgw,OU=VPN,DC=mycompany,DC=com"
        also=gre
        auto=start

conn gre
        type=transport
        leftprotoport=47
        rightprotoport=47
        dpddelay=9
        dpdtimeout=30
        #dpdaction=restart
        compress=yes
What am I doing wrong? Thanks - John
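As an added illustration, not part of the original post, here is a small Python triage script that walks charon log lines of the kind quoted above and reports, per connection, whether the IKE_REAUTH ended in "unable to reauthenticate" or in a re-established IKE_SA. The sample lines are constructed after the quoted output; the pairing of the nameless "unable to reauthenticate" message with the next "DELETING => DESTROYING" state change is an assumption about charon's log ordering.

```python
import re

# Constructed sample, modelled on the charon lines quoted in the post (not a real capture).
SAMPLE_LOG = """\
Jun 26 12:30:35 gw8-2 charon: 10[IKE] activating IKE_REAUTH task
Jun 26 12:30:35 gw8-2 charon: 10[IKE] deleting IKE_SA gw16-32[2] between x.x.219.226[CN=datacentergw]...y.y.140.68[CN=cloudgw]
Jun 26 12:30:35 gw8-2 charon: 10[IKE] IKE_SA gw16-32[2] state change: ESTABLISHED => DELETING
Jun 26 12:30:35 gw8-2 charon: 12[IKE] IKE_SA deleted
Jun 26 12:30:35 gw8-2 charon: 12[IKE] unable to reauthenticate IKE_SA, no CHILD_SA to recreate
Jun 26 12:30:35 gw8-2 charon: 12[IKE] IKE_SA gw16-32[2] state change: DELETING => DESTROYING
Jun 26 12:45:10 gw8-2 charon: 07[IKE] activating IKE_REAUTH task
Jun 26 12:45:10 gw8-2 charon: 07[IKE] deleting IKE_SA gw16-48[3] between x.x.219.226[CN=datacentergw]...y.y.137.197[CN=cloudgw]
Jun 26 12:45:10 gw8-2 charon: 07[IKE] IKE_SA gw16-48[3] state change: ESTABLISHED => DELETING
Jun 26 12:45:10 gw8-2 charon: 09[IKE] IKE_SA deleted
Jun 26 12:45:11 gw8-2 charon: 09[IKE] IKE_SA gw16-48[4] state change: CONNECTING => ESTABLISHED
"""

# "charon: <thread>[<group>] <message>" as syslog prints it.
LINE_RE = re.compile(r"charon: (?P<thread>\d+)\[(?P<group>\w+)\] (?P<msg>.*)$")
# "IKE_SA <conn>[<id>] state change: OLD => NEW"
STATE_RE = re.compile(
    r"IKE_SA (?P<name>[^\[\s]+)\[\d+\] state change: (?P<old>\w+) => (?P<new>\w+)")


def summarize_reauth(log_text):
    """Map each connection name to 'reauth_failed' or 'reestablished'."""
    status = {}
    failure_pending = False  # set by the nameless "unable to reauthenticate" line
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("unable to reauthenticate IKE_SA"):
            failure_pending = True
            continue
        s = STATE_RE.search(msg)
        if not s:
            continue
        name, new_state = s.group("name"), s.group("new")
        if new_state == "DESTROYING" and failure_pending:
            # Assumption: the SA torn down right after the failure message is the one that failed.
            status[name] = "reauth_failed"
            failure_pending = False
        elif new_state == "ESTABLISHED":
            status[name] = "reestablished"
    return status


def failed_connections(log_text):
    """Sorted names of connections whose reauthentication failed."""
    return sorted(n for n, st in summarize_reauth(log_text).items() if st == "reauth_failed")


if __name__ == "__main__":
    for conn, st in sorted(summarize_reauth(SAMPLE_LOG).items()):
        print(f"{conn}: {st}")
```

Feed it real output with `grep charon /var/log/syslog | python3 reauth_triage.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`.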