[strongSwan] Deleting Connection during reauthentication - IKE_SA

Izz Abdullah izz.abdullah at wepanow.com
Mon Sep 9 18:18:08 CEST 2013


This is a continuation of issue #317 on the wiki.  I have posted the same there but without any help.  I was hoping there is a solution which I have been unable to find.
I am running strongSwan 5.0.2 on CentOS with an ASA on the other end, and I experience what appears to be the connection deleting itself during the re-auth stage. Below are the logs, where I am losing my tunnel like clockwork exactly every 6 hours (I have sanitized the public IP address):

 Aug 30 14:58:40 bhm-ipsec-221 charon: 14[NET] received packet: from XXX.YYY.2.20[4500] to 10.10.100.221[4500] (168 bytes)
  Aug 30 14:58:40 bhm-ipsec-221 charon: 14[ENC] parsed ID_PROT request 0 [ SA V V V V ]
  Aug 30 14:58:40 bhm-ipsec-221 charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
  Aug 30 14:58:40 bhm-ipsec-221 charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
  Aug 30 14:58:40 bhm-ipsec-221 charon: 14[IKE] received NAT-T (RFC 3947) vendor ID
  Aug 30 14:58:40 bhm-ipsec-221 charon: 14[IKE] received FRAGMENTATION vendor ID
  Aug 30 14:58:40 bhm-ipsec-221 charon: 14[IKE] XXX.YYY.2.20 is initiating a Main Mode IKE_SA
  Aug 30 14:58:40 bhm-ipsec-221 charon: 14[ENC] generating ID_PROT response 0 [ SA V V V ]
  Aug 30 14:58:40 bhm-ipsec-221 charon: 14[NET] sending packet: from 10.10.100.221[4500] to XXX.YYY.2.20[4500] (132 bytes)
  Aug 30 14:58:40 bhm-ipsec-221 charon: 11[NET] received packet: from XXX.YYY.2.20[4500] to 10.10.100.221[4500] (304 bytes)
  Aug 30 14:58:40 bhm-ipsec-221 charon: 11[ENC] parsed ID_PROT request 0 [ KE No V V V V NAT-D NAT-D ]
  Aug 30 14:58:40 bhm-ipsec-221 charon: 11[IKE] local host is behind NAT, sending keep alives
  Aug 30 14:58:40 bhm-ipsec-221 charon: 11[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
  Aug 30 14:58:40 bhm-ipsec-221 charon: 11[NET] sending packet: from 10.10.100.221[4500] to XXX.YYY.2.20[4500] (244 bytes)
  Aug 30 14:58:41 bhm-ipsec-221 charon: 12[NET] received packet: from XXX.YYY.2.20[4500] to 10.10.100.221[4500] (84 bytes)
  Aug 30 14:58:41 bhm-ipsec-221 charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH V ]
  Aug 30 14:58:41 bhm-ipsec-221 charon: 12[CFG] looking for pre-shared key peer configs matching 10.10.100.221...XXX.YYY.2.20[XXX.YYY.2.20]
  Aug 30 14:58:41 bhm-ipsec-221 charon: 12[CFG] selected peer config "secret-tunnel02"
  Aug 30 14:58:41 bhm-ipsec-221 charon: 12[IKE] deleting duplicate IKE_SA for peer 'XXX.YYY.2.20' due to uniqueness policy
  Aug 30 14:58:41 bhm-ipsec-221 charon: 12[IKE] deleting IKE_SA secret-tunnel02[2] between 10.10.100.221[company]...XXX.YYY.2.20[XXX.YYY.2.20]
  Aug 30 14:58:41 bhm-ipsec-221 charon: 12[IKE] sending DELETE for IKE_SA sending-tunnel02[2]
  Aug 30 14:58:41 bhm-ipsec-221 charon: 12[ENC] generating INFORMATIONAL_V1 request 1385282457 [ HASH D ]
  Aug 30 14:58:41 bhm-ipsec-221 charon: 12[NET] sending packet: from 10.10.100.221[4500] to XXX.YYY.2.20[4500] (84 bytes)
  Aug 30 14:58:41 bhm-ipsec-221 charon: 12[IKE] IKE_SA secret-tunnel02[10] established between 10.10.100.221[company]...XXX.YYY.2.20[XXX.YYY.2.20]
  Aug 30 14:58:41 bhm-ipsec-221 charon: 12[IKE] scheduling reauthentication in 27872s
  Aug 30 14:58:41 bhm-ipsec-221 charon: 12[IKE] maximum IKE_SA lifetime 28412s
  Aug 30 14:58:41 bhm-ipsec-221 charon: 12[IKE] DPD not supported by peer, disabled
  Aug 30 14:58:41 bhm-ipsec-221 charon: 12[ENC] generating ID_PROT response 0 [ ID HASH ]
  Aug 30 14:58:41 bhm-ipsec-221 charon: 12[NET] sending packet: from 10.10.100.221[4500] to XXX.YYY.2.20[4500] (68 bytes)
  Aug 30 14:58:41 bhm-ipsec-221 charon: 15[NET] received packet: from XXX.YYY.2.20[4500] to 10.10.100.221[4500] (68 bytes)
  Aug 30 14:58:41 bhm-ipsec-221 charon: 15[ENC] parsed INFORMATIONAL_V1 request 3803765251 [ HASH D ]
  Aug 30 14:58:41 bhm-ipsec-221 charon: 15[IKE] received DELETE for ESP CHILD_SA with SPI c95b03dd
  Aug 30 14:58:41 bhm-ipsec-221 charon: 15[IKE] closing CHILD_SA secret-tunnel02{2} with SPIs c7a16268_i (13652 bytes) c95b03dd_o (17544 bytes) and TS 10.10.100.0/24 === XXX.YYY.43.0/24
  Aug 30 14:58:41 bhm-ipsec-221 vpn: - XXX.YYY.2.20 XXX.YYY.43.0/24 == XXX.YYY.2.20 -- 10.10.100.221 == 10.10.100.0/24
  Aug 30 14:58:41 bhm-ipsec-221 charon: 09[NET] received packet: from XXX.YYY.2.20[4500] to 10.10.100.221[4500] (84 bytes)
  Aug 30 14:58:41 bhm-ipsec-221 charon: 09[ENC] parsed INFORMATIONAL_V1 request 958391242 [ HASH D ]
  Aug 30 14:58:41 bhm-ipsec-221 charon: 09[IKE] received DELETE for IKE_SA secret-tunnel02[10]
  Aug 30 14:58:41 bhm-ipsec-221 charon: 09[IKE] deleting IKE_SA secret-tunnel02[10] between 10.10.100.221[company]...XXX.YYY.2.20[XXX.YYY.2.20]

I appreciate any and all input.

Thanks,
Izz



Izz Abdullah
Senior Systems Engineer
www.wepanow.com
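Editor's note, added to this archived post and not part of the original message or of strongSwan itself. The log above shows the sequence that actually costs the tunnel: charon answers the ASA's new Main Mode exchange, tears down the existing IKE_SA secret-tunnel02[2] because of the "uniqueness policy" (the `uniqueids` setting in the `config setup` section of ipsec.conf), establishes the replacement secret-tunnel02[10], and within the same second the peer sends a DELETE for secret-tunnel02[10] as well, leaving no IKE_SA at all. The script below is an added example that detects exactly that pattern in a charon syslog: a "deleting duplicate IKE_SA ... due to uniqueness policy" event followed within a few seconds by a peer DELETE for the replacement SA. The sample log is reproduced from the post (sanitized as in the post); the second, clean sample and the log year are constructed assumptions.

```python
# Added example: flag reauthentications where the strongSwan uniqueness policy
# replaced an IKE_SA and the peer then deleted the replacement (tunnel lost).
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# A charon syslog line: "Aug 30 14:58:41 host charon: 12[IKE] message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ charon: "
    r"\d+\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
DUP_RE = re.compile(r"deleting duplicate IKE_SA for peer '(?P<peer>[^']+)' due to uniqueness policy")
OLD_RE = re.compile(r"deleting IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\] between")
EST_RE = re.compile(r"IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\] established")
PEER_DEL_RE = re.compile(r"received DELETE for IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\]")

LOG_YEAR = 2013  # assumption: syslog lines carry no year; only time deltas matter here


@dataclass
class Event:
    ts: datetime
    group: str
    msg: str


def parse_charon_log(text: str) -> list[Event]:
    """Keep only charon lines; other daemons' output (e.g. the 'vpn:' updown line) is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append(Event(ts, m["group"], m["msg"]))
    return events


def find_reauth_teardowns(text: str, window_s: int = 10) -> list[dict]:
    """
    For every 'deleting duplicate IKE_SA ... due to uniqueness policy' event, look
    ahead at most window_s seconds for (a) the old SA being deleted, (b) the new SA
    being established and (c) the peer sending DELETE for that *new* SA. A clean
    reauth stops at (b); reaching (c) means the tunnel was lost.
    """
    events = parse_charon_log(text)
    findings = []
    for i, ev in enumerate(events):
        dup = DUP_RE.search(ev.msg)
        if not dup:
            continue
        old_sa = new_sa = established_at = None
        for nxt in events[i + 1:]:
            if nxt.ts - ev.ts > timedelta(seconds=window_s):
                break
            if old_sa is None and (m := OLD_RE.search(nxt.msg)):
                old_sa = f"{m['conn']}[{m['id']}]"
            elif new_sa is None and (m := EST_RE.search(nxt.msg)):
                new_sa = f"{m['conn']}[{m['id']}]"
                established_at = nxt.ts
            elif new_sa and (m := PEER_DEL_RE.search(nxt.msg)) and f"{m['conn']}[{m['id']}]" == new_sa:
                findings.append({
                    "at": ev.ts.strftime("%b %d %H:%M:%S"),
                    "peer": dup["peer"],
                    "old_sa": old_sa,
                    "new_sa": new_sa,
                    "new_sa_lifetime_s": (nxt.ts - established_at).total_seconds(),
                })
                break
    return findings


# Reproduced from the post above (IPs sanitized as in the post), trimmed to the relevant lines.
SAMPLE_LOG = """\
Aug 30 14:58:40 bhm-ipsec-221 charon: 14[IKE] XXX.YYY.2.20 is initiating a Main Mode IKE_SA
Aug 30 14:58:41 bhm-ipsec-221 charon: 12[CFG] selected peer config "secret-tunnel02"
Aug 30 14:58:41 bhm-ipsec-221 charon: 12[IKE] deleting duplicate IKE_SA for peer 'XXX.YYY.2.20' due to uniqueness policy
Aug 30 14:58:41 bhm-ipsec-221 charon: 12[IKE] deleting IKE_SA secret-tunnel02[2] between 10.10.100.221[company]...XXX.YYY.2.20[XXX.YYY.2.20]
Aug 30 14:58:41 bhm-ipsec-221 charon: 12[IKE] sending DELETE for IKE_SA secret-tunnel02[2]
Aug 30 14:58:41 bhm-ipsec-221 charon: 12[IKE] IKE_SA secret-tunnel02[10] established between 10.10.100.221[company]...XXX.YYY.2.20[XXX.YYY.2.20]
Aug 30 14:58:41 bhm-ipsec-221 charon: 12[IKE] scheduling reauthentication in 27872s
Aug 30 14:58:41 bhm-ipsec-221 charon: 15[IKE] received DELETE for ESP CHILD_SA with SPI c95b03dd
Aug 30 14:58:41 bhm-ipsec-221 vpn: - XXX.YYY.2.20 XXX.YYY.43.0/24 == XXX.YYY.2.20 -- 10.10.100.221 == 10.10.100.0/24
Aug 30 14:58:41 bhm-ipsec-221 charon: 09[IKE] received DELETE for IKE_SA secret-tunnel02[10]
Aug 30 14:58:41 bhm-ipsec-221 charon: 09[IKE] deleting IKE_SA secret-tunnel02[10] between 10.10.100.221[company]...XXX.YYY.2.20[XXX.YYY.2.20]
"""

# Constructed negative case: the duplicate is replaced and the peer keeps the new SA.
CLEAN_LOG = """\
Aug 30 20:58:41 bhm-ipsec-221 charon: 07[IKE] deleting duplicate IKE_SA for peer 'XXX.YYY.2.20' due to uniqueness policy
Aug 30 20:58:41 bhm-ipsec-221 charon: 07[IKE] deleting IKE_SA secret-tunnel02[10] between 10.10.100.221[company]...XXX.YYY.2.20[XXX.YYY.2.20]
Aug 30 20:58:41 bhm-ipsec-221 charon: 07[IKE] IKE_SA secret-tunnel02[11] established between 10.10.100.221[company]...XXX.YYY.2.20[XXX.YYY.2.20]
Aug 30 20:58:41 bhm-ipsec-221 charon: 07[IKE] scheduling reauthentication in 27872s
"""

if __name__ == "__main__":
    for f in find_reauth_teardowns(SAMPLE_LOG):
        print(f"{f['at']}: peer {f['peer']} replaced {f['old_sa']} with {f['new_sa']} "
              f"and then deleted it after {f['new_sa_lifetime_s']:.0f}s")
    print("clean reauth findings:", find_reauth_teardowns(CLEAN_LOG))
```

Run it against the post's log and it reports one finding: secret-tunnel02[2] replaced by secret-tunnel02[10], which the peer deleted 0 s later; the constructed clean reauth produces none. Grepping a full day of charon output this way separates the losses caused by this replace-then-delete sequence from ordinary rekeys. Whether the ASA still deletes the new SA once charon no longer tears down the old one (the `uniqueids` setting controls that deletion) is the next thing to test; the post itself does not show that experiment.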
