[strongSwan] IPsec SAs closed unexpectedly

Mihai Maties mihai at xcyb.org
Thu Oct 24 17:43:57 CEST 2013


Hi,

I am trying to replace a Juniper device with strongSwan and migrate a few
hundred IPsec tunnels in the process. The good thing is that all tunnels
are ikev1/net2net_psk, the bad thing is that I don't control the other
peers. This makes any troubleshooting process more cumbersome.

One issue that I noticed so far is that while on Juniper the tunnels seem
stable (i.e. rekeying occurs only when the SAs are about to expire), on
strongSwan some tunnels go down after a short while. According to the logs,
the other peer is actually triggering the deletion of SAs.

This is an example:

Oct 24 07:41:27 28[IKE] <S_vpn-1|809> initiating Main Mode IKE_SA
S_vpn-1[809] to 10.20.0.1
Oct 24 07:41:27 26[IKE] <S_vpn-1|809> IKE_SA S_vpn-1[809] established
between 10.10.0.1[10.10.0.1]...10.20.0.1[10.20.0.1]
Oct 24 07:41:27 26[IKE] <S_vpn-1|809> scheduling reauthentication in 27948s
Oct 24 07:41:27 26[IKE] <S_vpn-1|809> maximum IKE_SA lifetime 28488s
Oct 24 07:41:27 25[IKE] <S_vpn-1|809> CHILD_SA S_vpn-1{153} established
with SPIs c0f44f62_i 60289f75_o and TS 10.10.0.2/32 === 10.20.0.2/21

Oct 24 07:43:12 23[IKE] <S_vpn-1|809> received DELETE for IKE_SA
S_vpn-1[809]
Oct 24 07:43:12 23[IKE] <S_vpn-1|809> deleting IKE_SA S_vpn-1[809] between
10.10.0.1[10.10.0.1]...10.20.0.1[10.20.0.1]
Oct 24 07:43:12 23[CFG] <S_vpn-1|809> updating already routed CHILD_SA
'S_vpn-1'
Oct 24 07:43:12 28[IKE] <S_vpn-1|816> initiating Main Mode IKE_SA
S_vpn-1[816] to 10.20.0.1
Oct 24 07:43:12 08[IKE] <S_vpn-1|816> IKE_SA S_vpn-1[816] established
between 10.10.0.1[10.10.0.1]...10.20.0.1[10.20.0.1]
Oct 24 07:43:12 08[IKE] <S_vpn-1|816> scheduling reauthentication in 27962s
Oct 24 07:43:12 08[IKE] <S_vpn-1|816> maximum IKE_SA lifetime 28502s
Oct 24 07:43:13 09[IKE] <S_vpn-1|816> CHILD_SA S_vpn-1{153} established
with SPIs cbe76271_i 60d13627_o and TS 10.10.0.2/32 === 10.20.0.2/21
Oct 24 07:43:13 03[IKE] <S_vpn-1|816> received DELETE for ESP CHILD_SA with
SPI 60ce40b5
Oct 24 07:43:13 03[IKE] <S_vpn-1|816> CHILD_SA not found, ignored
Oct 24 07:43:13 12[IKE] <S_vpn-1|816> received DELETE for ESP CHILD_SA with
SPI c927b3db
Oct 24 07:43:13 12[IKE] <S_vpn-1|816> CHILD_SA not found, ignored

Oct 24 07:47:12 25[IKE] <S_vpn-1|816> received DELETE for IKE_SA
S_vpn-1[816]
Oct 24 07:47:12 25[IKE] <S_vpn-1|816> deleting IKE_SA S_vpn-1[816] between
10.10.0.1[10.10.0.1]...10.20.0.1[10.20.0.1]
Oct 24 07:47:12 25[CFG] <S_vpn-1|816> updating already routed CHILD_SA
'S_vpn-1'
Oct 24 07:47:12 30[IKE] <S_vpn-1|826> initiating Main Mode IKE_SA
S_vpn-1[826] to 10.20.0.1
Oct 24 07:47:12 15[IKE] <S_vpn-1|826> IKE_SA S_vpn-1[826] established
between 10.10.0.1[10.10.0.1]...10.20.0.1[10.20.0.1]
Oct 24 07:47:12 15[IKE] <S_vpn-1|826> scheduling reauthentication in 28076s
Oct 24 07:47:12 15[IKE] <S_vpn-1|826> maximum IKE_SA lifetime 28616s
Oct 24 07:47:13 10[IKE] <S_vpn-1|826> CHILD_SA S_vpn-1{153} established
with SPIs c5196008_i 602513e1_o and TS 10.10.0.2/32 === 10.20.0.2/21
Oct 24 07:47:13 31[IKE] <S_vpn-1|826> received DELETE for ESP CHILD_SA with
SPI 60289f75
Oct 24 07:47:13 31[IKE] <S_vpn-1|826> CHILD_SA not found, ignored
Oct 24 07:47:13 20[IKE] <S_vpn-1|826> received DELETE for ESP CHILD_SA with
SPI c0f44f62
Oct 24 07:47:13 20[IKE] <S_vpn-1|826> CHILD_SA not found, ignored

Oct 24 07:51:12 19[IKE] <S_vpn-1|826> received DELETE for IKE_SA
S_vpn-1[826]
Oct 24 07:51:12 19[IKE] <S_vpn-1|826> deleting IKE_SA S_vpn-1[826] between
10.10.0.1[10.10.0.1]...10.20.0.1[10.20.0.1]
Oct 24 07:51:12 19[CFG] <S_vpn-1|826> updating already routed CHILD_SA
'S_vpn-1'
Oct 24 07:51:12 13[IKE] <S_vpn-1|839> initiating Main Mode IKE_SA
S_vpn-1[839] to 10.20.0.1
Oct 24 07:51:13 21[IKE] <S_vpn-1|839> IKE_SA S_vpn-1[839] established
between 10.10.0.1[10.10.0.1]...10.20.0.1[10.20.0.1]
Oct 24 07:51:13 21[IKE] <S_vpn-1|839> scheduling reauthentication in 28193s
Oct 24 07:51:13 21[IKE] <S_vpn-1|839> maximum IKE_SA lifetime 28733s
Oct 24 07:51:13 20[IKE] <S_vpn-1|839> CHILD_SA S_vpn-1{153} established
with SPIs c8652dc7_i 60461e53_o and TS 10.10.0.2/32 === 10.20.0.2/21
Oct 24 07:51:13 12[IKE] <S_vpn-1|839> received DELETE for ESP CHILD_SA with
SPI 60d13627
Oct 24 07:51:13 12[IKE] <S_vpn-1|839> CHILD_SA not found, ignored
Oct 24 07:51:13 09[IKE] <S_vpn-1|839> received DELETE for ESP CHILD_SA with
SPI cbe76271
Oct 24 07:51:13 09[IKE] <S_vpn-1|839> CHILD_SA not found, ignored

Oct 24 07:55:12 15[IKE] <S_vpn-1|839> received DELETE for IKE_SA
S_vpn-1[839]
Oct 24 07:55:12 15[IKE] <S_vpn-1|839> deleting IKE_SA S_vpn-1[839] between
10.10.0.1[10.10.0.1]...10.20.0.1[10.20.0.1]
Oct 24 07:55:12 15[CFG] <S_vpn-1|839> updating already routed CHILD_SA
'S_vpn-1'
Oct 24 07:55:12 16[IKE] <S_vpn-1|852> initiating Main Mode IKE_SA
S_vpn-1[852] to 10.20.0.1
Oct 24 07:55:13 25[IKE] <S_vpn-1|852> IKE_SA S_vpn-1[852] established
between 10.10.0.1[10.10.0.1]...10.20.0.1[10.20.0.1]
Oct 24 07:55:13 25[IKE] <S_vpn-1|852> scheduling reauthentication in 28122s
Oct 24 07:55:13 25[IKE] <S_vpn-1|852> maximum IKE_SA lifetime 28662s
Oct 24 07:55:13 17[IKE] <S_vpn-1|852> CHILD_SA S_vpn-1{153} established
with SPIs c1129c4d_i 60be2ecd_o and TS 10.10.0.2/32 === 10.20.0.2/21
Oct 24 07:55:13 30[IKE] <S_vpn-1|852> received DELETE for ESP CHILD_SA with
SPI 602513e1
Oct 24 07:55:13 30[IKE] <S_vpn-1|852> CHILD_SA not found, ignored
Oct 24 07:55:13 16[IKE] <S_vpn-1|852> received DELETE for ESP CHILD_SA with
SPI c5196008
Oct 24 07:55:13 16[IKE] <S_vpn-1|852> CHILD_SA not found, ignored

A more verbose log can be found at http://xcyb.org/S_vpn-1_debug.txt.

During this time I was testing the tunnel with ICMP echo/reply every 100ms.
Every time new SAs are established I lose about 8 packets.

Why is this happening and how can I change this?

The config applied for this particular vpn is:

    config setup
            uniqueids=yes

    conn %default
            rekeymargin=9m
            keyingtries=%forever
            keyexchange=ikev1
            authby=secret
            left=10.10.0.1
            leftsubnet=10.10.0.2/32
            auto=start
            inactivity=1d

    conn S_vpn-1
            right=10.20.0.1
            rightsubnet=10.20.0.2/21
            ike=3des-sha1-modp1024
            ikelifetime=28800
            esp=3des-sha1
            keylife=3600
            closeaction=restart


Best regards,
Mihai
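The churn in the log above can be measured mechanically rather than by eye. The following is an added Python example, not part of the original post or of strongSwan: it parses an excerpt of the charon log quoted in the post (mailer-wrapped lines re-joined), reports each IKE_SA the peer deleted before strongSwan would even have started rekeying (the post's ikelifetime=28800 minus rekeymargin=9m), and checks whether each ESP DELETE names an SPI that an earlier IKE_SA generation set up. The year in the timestamps is an assumption, since syslog lines carry none.

```python
import re
from datetime import datetime

# Excerpt of the charon log from the post above (mailer-wrapped lines re-joined).
LOG = """\
Oct 24 07:41:27 26[IKE] <S_vpn-1|809> IKE_SA S_vpn-1[809] established between 10.10.0.1[10.10.0.1]...10.20.0.1[10.20.0.1]
Oct 24 07:41:27 25[IKE] <S_vpn-1|809> CHILD_SA S_vpn-1{153} established with SPIs c0f44f62_i 60289f75_o and TS 10.10.0.2/32 === 10.20.0.2/21
Oct 24 07:43:12 23[IKE] <S_vpn-1|809> received DELETE for IKE_SA S_vpn-1[809]
Oct 24 07:43:12 08[IKE] <S_vpn-1|816> IKE_SA S_vpn-1[816] established between 10.10.0.1[10.10.0.1]...10.20.0.1[10.20.0.1]
Oct 24 07:43:13 03[IKE] <S_vpn-1|816> received DELETE for ESP CHILD_SA with SPI 60ce40b5
Oct 24 07:47:12 25[IKE] <S_vpn-1|816> received DELETE for IKE_SA S_vpn-1[816]
Oct 24 07:47:12 15[IKE] <S_vpn-1|826> IKE_SA S_vpn-1[826] established between 10.10.0.1[10.10.0.1]...10.20.0.1[10.20.0.1]
Oct 24 07:47:13 31[IKE] <S_vpn-1|826> received DELETE for ESP CHILD_SA with SPI 60289f75
Oct 24 07:51:12 19[IKE] <S_vpn-1|826> received DELETE for IKE_SA S_vpn-1[826]
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \d+\[\w+\] <([^|]+)\|(\d+)> (.*)$")
CHILD_UP = re.compile(r"CHILD_SA \S+ established with SPIs (\w+)_i (\w+)_o")
CHILD_DEL = re.compile(r"received DELETE for ESP CHILD_SA with SPI (\w+)")

def parse(log, year=2013):
    """(timestamp, conn, ike_sa_id, message) per matching line; year is assumed."""
    out = []
    for m in filter(None, map(LINE.match, log.splitlines())):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        out.append((ts, m.group(2), int(m.group(3)), m.group(4)))
    return out

def premature_ike_deletes(events, ikelifetime, rekeymargin):
    """IKE_SA id -> seconds lived, for SAs the peer deleted before our rekey point."""
    up, short = {}, {}
    for ts, _conn, ike_id, msg in events:
        if msg.startswith("IKE_SA ") and " established" in msg:
            up[ike_id] = ts
        elif msg.startswith("received DELETE for IKE_SA") and ike_id in up:
            lived = int((ts - up[ike_id]).total_seconds())
            if lived < ikelifetime - rekeymargin:
                short[ike_id] = lived
    return short

def child_delete_owners(events):
    """ESP SPI in a DELETE -> IKE_SA id that set it up, or None if never seen."""
    owner, result = {}, {}
    for _ts, _conn, ike_id, msg in events:
        if m := CHILD_UP.search(msg):
            owner[m.group(1)] = owner[m.group(2)] = ike_id
        elif m := CHILD_DEL.search(msg):
            result[m.group(1)] = owner.get(m.group(1))
    return result
```

Run against the full debug log, the owner map shows whether the peer is deleting SPIs from generations it has already replaced, which separates a peer-side lifetime mismatch from a genuine dead-peer condition.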