[strongSwan] Strongswan 5.1.0 Connection rekeying every 30secs

Bruno Linhares bruno at databras.com.br
Mon Nov 4 21:08:51 CET 2013


 

Hi. 

What would be the problem with an IPsec setup which constantly rekeys (every 30 seconds)?

One side is a Debian strongSwan 5.1.0 and the other is a Cisco device.

In the log I have, among other lines:

Nov 4 17:39:48 vpnipsec charon: 16[IKE] IKE_SA dtbcisco[1] established between LEFT_IP[LEFT_ID]...RIGHT_IP[RIGHT_ID]
...
Nov 4 17:39:48 vpnipsec charon: 16[IKE] scheduling reauthentication in 14397s
Nov 4 17:39:48 vpnipsec charon: 16[IKE] maximum IKE_SA lifetime 14400s
...
Nov 4 17:39:48 vpnipsec charon: 11[ENC] parsed QUICK_MODE request 2783151246 [ HASH SA No ID ID ]
Nov 4 17:39:48 vpnipsec charon: 11[IKE] received 4608000000 lifebytes, configured 0
...
Nov 4 17:39:48 vpnipsec charon: 09[IKE] CHILD_SA dtbcisco{1} established with SPIs c49c75de_i 9488c540_o and TS LEFTSUBNET_IP === RIGHTSUBNET_IP
Nov 4 17:39:48 vpnipsec vpn: + RIGHT_ID %any/0 == RIGHT_IP -- LEFT_IP == LEFTSUBNET_IP

At this point, the tunnel is up and the traffic flows ok. Then, about 30 seconds later:

Nov 4 17:40:12 vpnipsec charon: 09[IKE] sending keep alive to RIGHT_IP[4500]
Nov 4 17:40:18 vpnipsec charon: 15[NET] received packet: from RIGHT_IP[4500] to LEFT_IP[4500] (172 bytes)
Nov 4 17:40:18 vpnipsec charon: 15[ENC] parsed QUICK_MODE request 2321010703 [ HASH SA No ID ID ]
Nov 4 17:40:18 vpnipsec charon: 15[IKE] received 4608000000 lifebytes, configured 0
Nov 4 17:40:18 vpnipsec charon: 15[IKE] detected rekeying of CHILD_SA dtbcisco{1}
...
Nov 4 17:40:18 vpnipsec charon: 13[IKE] CHILD_SA dtbcisco{1} established with SPIs ca63057c_i 4bdfb1b8_o and TS LEFTSUBNET_IP === RIGHTSUBNET_IP
Nov 4 17:40:18 vpnipsec charon: 14[NET] received packet: from RIGHT_IP[4500] to LEFT_IP[4500] (76 bytes)
Nov 4 17:40:18 vpnipsec charon: 14[ENC] parsed INFORMATIONAL_V1 request 1304793497 [ HASH D ]
Nov 4 17:40:18 vpnipsec charon: 14[IKE] received DELETE for ESP CHILD_SA with SPI ac38214d
Nov 4 17:40:18 vpnipsec charon: 14[IKE] CHILD_SA not found, ignored

Then, another 30 seconds later:

Nov 4 17:40:42 vpnipsec charon: 07[IKE] sending keep alive to RIGHT_IP[4500]
Nov 4 17:40:48 vpnipsec charon: 11[NET] received packet: from RIGHT_IP[4500] to LEFT_IP[4500] (84 bytes)
Nov 4 17:40:48 vpnipsec charon: 11[ENC] parsed INFORMATIONAL_V1 request 231368514 [ HASH D ]
Nov 4 17:40:48 vpnipsec charon: 11[IKE] received DELETE for IKE_SA dtbcisco[1]
Nov 4 17:40:48 vpnipsec charon: 11[IKE] deleting IKE_SA dtbcisco[1] between LEFT_IP[LEFT_ID]...RIGHT_IP[RIGHT_ID]
Nov 4 17:40:48 vpnipsec vpn: - RIGHT_ID %any/0 == RIGHT_IP -- LEFT_IP == LEFTSUBNET_IP
Nov 4 17:40:48 vpnipsec charon: 11[CHD] updown: iptables: Bad rule (does a matching rule exist in that chain?).
Nov 4 17:40:48 vpnipsec charon: 11[CHD] updown: iptables: Bad rule (does a matching rule exist in that chain?).
Nov 4 17:40:48 vpnipsec vpn: - RIGHT_ID %any/0 == RIGHT_IP -- LEFT_IP == LEFTSUBNET_IP

One minute later the cycle starts over.

I've tried to set lifebytes=4608000000 but it didn't make a difference.
I've tried dpddelay=0 and even dpdaction=none, also without success. Tried inactivity=0 too.

Could it be a Cisco misbehavior?

Thanks for the attention. 

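Added example, not part of the post or of strongSwan: a small Python script that reads charon log lines like the ones above, measures the interval between consecutive CHILD_SA establishments per connection, and lists DELETE messages for ESP SPIs this side never established (the "CHILD_SA not found, ignored" case). The sample lines are constructed after the post's log, and the 300 s threshold and the 2013 year are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the charon lines quoted in the post; placeholders kept as-is.
SAMPLE_LOG = """\
Nov 4 17:39:48 vpnipsec charon: 09[IKE] CHILD_SA dtbcisco{1} established with SPIs c49c75de_i 9488c540_o and TS LEFTSUBNET_IP === RIGHTSUBNET_IP
Nov 4 17:40:18 vpnipsec charon: 15[IKE] detected rekeying of CHILD_SA dtbcisco{1}
Nov 4 17:40:18 vpnipsec charon: 13[IKE] CHILD_SA dtbcisco{1} established with SPIs ca63057c_i 4bdfb1b8_o and TS LEFTSUBNET_IP === RIGHTSUBNET_IP
Nov 4 17:40:18 vpnipsec charon: 14[IKE] received DELETE for ESP CHILD_SA with SPI ac38214d
Nov 4 17:40:18 vpnipsec charon: 14[IKE] CHILD_SA not found, ignored
Nov 4 17:40:48 vpnipsec charon: 11[IKE] received DELETE for IKE_SA dtbcisco[1]
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[\w+\] (.*)$")
ESTAB_RE = re.compile(r"CHILD_SA (\S+)\{\d+\} established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o")
DELETE_RE = re.compile(r"received DELETE for ESP CHILD_SA with SPI ([0-9a-f]+)")

def parse_ts(stamp, year=2013):
    # syslog stamps carry no year; the year is an assumption taken from the post's date
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def analyse(log, min_interval=300):
    """Return (short rekey intervals per connection, DELETEs for unknown SPIs).
    min_interval is an assumed threshold: rekeys faster than this are flagged."""
    last_established = {}
    known_spis = set()
    short_rekeys = defaultdict(list)
    unknown_deletes = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group(1)), m.group(2)
        est = ESTAB_RE.search(msg)
        if est:
            name, spi_in, spi_out = est.groups()
            known_spis.update((spi_in, spi_out))  # SPIs negotiated on this side
            if name in last_established:
                delta = (ts - last_established[name]).total_seconds()
                if delta < min_interval:
                    short_rekeys[name].append(delta)
            last_established[name] = ts
            continue
        dele = DELETE_RE.search(msg)
        if dele and dele.group(1) not in known_spis:
            unknown_deletes.append(dele.group(1))  # peer deleting an SPI we never saw
    return dict(short_rekeys), unknown_deletes

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the post's timeline this reports a 30 s rekey of dtbcisco and the DELETE for SPI ac38214d, which matches none of the SPIs established locally; run it over the full charon log to see whether the same pattern holds for every cycle.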