[strongSwan] Windows 7 connection dies after a few minutes, but the client never notices
Micah R Ledbetter
micah at doublelinepartners.com
Wed Sep 11 20:24:52 CEST 2013
Hello,
I'm having a problem with Windows 7 clients where the connection dies
after a few minutes. The server notices and drops it, but the client
thinks it's still connected (even though it can no longer talk to the
remote network).
The logs do this:
20130911-174604 06[KNL] received a XFRM_MSG_MAPPING
20130911-174604 06[KNL] NAT mappings of ESP CHILD_SA with SPI
c593df3b and reqid {1} changed, queuing update job
20130911-174604 02[MGR] checkout IKE_SA by ID
20130911-174604 02[MGR] IKE_SA employees-win7[1] successfully checked out
20130911-174604 02[MGR] checkin IKE_SA employees-win7[1]
20130911-174604 02[MGR] check-in of IKE_SA successful.
20130911-174615 07[JOB] got event, queuing job for execution
20130911-174615 07[JOB] next event in 7s 144ms, waiting
20130911-174615 01[MGR] checkout IKE_SA
20130911-174615 01[MGR] IKE_SA employees-win7[1] successfully checked out
20130911-174615 01[IKE] giving up after 5 retransmits
20130911-174615 01[CHD] running updown script: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='down-client'
PLUTO_CONNECTION='employees-win7' PLUTO_INTERFACE='eth0'
PLUTO_REQID='1' PLUTO_ME='172.16.1.15' PLUTO_MY_ID='vpn.doubleline.us'
PLUTO_MY_CLIENT='172.16.0.0/17' PLUTO_MY_CLIENT_NET='172.16.0.0'
PLUTO_MY_CLIENT_MASK='17' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0'
PLUTO_PEER='24.173.214.18' PLUTO_PEER_ID='192.168.1.229'
PLUTO_PEER_CLIENT='10.128.0.1/32' PLUTO_PEER_CLIENT_NET='10.128.0.1'
PLUTO_PEER_CLIENT_MASK='32' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' PLUTO_UDP_ENC='4500' ipsec _updown iptables
20130911-174616 01[IKE] unable to reestablish IKE_SA due to asymmetric setup
20130911-174616 01[MGR] checkin and destroy IKE_SA employees-win7[1]
20130911-174616 01[IKE] IKE_SA employees-win7[1] state change:
ESTABLISHED => DESTROYING
20130911-174616 01[KNL] deleting SAD entry with SPI c593df3b
So it has a working "checkout" and "checkin" cycle at 17:46:04, but
then by 17:46:15 something has failed; it retransmits the "checkout" 5
times with no response, and ends the connection.
This timing problem is not consistent. I have been connected for
almost an hour before it started happening, but nine times out of ten,
it happens between 8 and 10 minutes in. If the client is constantly
talking to the remote network (even just doing a `ping -t` on
Windows), I don't have this problem.
This is ipsec.conf:

config setup
    plutostart=no

conn employees-win7
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=30s
    rekey=no
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    left=172.16.1.15
    leftsubnet=172.16.0.0/17
    leftfirewall=yes
    leftauth=pubkey
    leftcert=vpn.example.com.crt.pem
    leftid=vpn.example.com
    right=%any
    rightsourceip=10.128.0.0/20
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add
And this is strongswan.conf:

charon {
    threads = 16
    dns1 = 172.16.3.246
    filelog {
        /var/log/charon_debug.log {
            append = no
            default = 4
            flush_line = yes
            time_format = %Y%m%d-%H%M%S
        }
    }
}
The client is configured exactly as recommended on the wiki:
http://wiki.strongswan.org/projects/strongswan/wiki/Win7EapConfig
The client is running Windows 7 Pro with all updates applied. The
server OS is Ubuntu 12.04.3 LTS with all updates applied, and `ipsec
version` reports "Linux strongSwan U4.5.2/K3.2.0-52-virtual".
I've tried changing a couple of things (`dpdaction=restart`,
`reauth=no`, `dpddelay=60m`) without a change in this behavior. I've
also tried making the settings exactly the same as on this page, to no
effect: http://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig
I also found a mailing list post with this same "unable to reestablish
IKE_SA due to asymmetric setup" message from a few months ago, but it
didn't have any replies:
https://lists.strongswan.org/pipermail/users/2013-May/009185.html
I would greatly appreciate any help. Thanks.
- Micah
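As an added example (not part of Micah's post or of strongSwan itself), a small Python script that walks charon filelog output in the post's time_format and reports each IKE_SA that charon destroyed after giving up on retransmits, together with the delay since the last NAT mapping change, so that server-side teardowns the client never notices can be alerted on. IKE-group lines carry no SA name, so the script ties them to the IKE_SA through the thread number in the log prefix; the SAMPLE_LOG lines are constructed from the post's own excerpt.

```python
import re
from datetime import datetime

# Constructed sample in the charon filelog layout from the post
# (time_format = %Y%m%d-%H%M%S, then "<thread>[<group>] <message>").
SAMPLE_LOG = """\
20130911-174604 06[KNL] NAT mappings of ESP CHILD_SA with SPI c593df3b and reqid {1} changed, queuing update job
20130911-174604 02[MGR] IKE_SA employees-win7[1] successfully checked out
20130911-174604 02[MGR] checkin IKE_SA employees-win7[1]
20130911-174615 01[MGR] IKE_SA employees-win7[1] successfully checked out
20130911-174615 01[IKE] giving up after 5 retransmits
20130911-174616 01[IKE] unable to reestablish IKE_SA due to asymmetric setup
20130911-174616 01[MGR] checkin and destroy IKE_SA employees-win7[1]
"""

LINE_RE = re.compile(r"^(\d{8}-\d{6}) (\d+)\[(\w+)\] (.*)$")
CHECKOUT_RE = re.compile(r"IKE_SA (\S+\[\d+\]) successfully checked out")
DESTROY_RE = re.compile(r"checkin and destroy IKE_SA (\S+\[\d+\])")
NATMAP_RE = re.compile(r"NAT mappings of ESP CHILD_SA with SPI (\w+)")

def find_silent_teardowns(log_text):
    """Return one record per IKE_SA that charon destroyed after giving up on
    retransmits, with the delay since the last NAT mapping change before it.
    IKE-group lines are tied to the IKE_SA the same thread last checked out."""
    last_nat_change = None   # (timestamp, SPI) of the latest NAT mapping update
    sa_on_thread = {}        # thread id -> IKE_SA name it currently has checked out
    gave_up = {}             # IKE_SA name -> timestamp of "giving up after N retransmits"
    incidents = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y%m%d-%H%M%S")
        thread, group, msg = m.group(2), m.group(3), m.group(4)
        if group == "KNL" and (n := NATMAP_RE.search(msg)):
            last_nat_change = (ts, n.group(1))
        elif group == "MGR" and (c := CHECKOUT_RE.search(msg)):
            sa_on_thread[thread] = c.group(1)
        elif group == "IKE" and "giving up after" in msg and thread in sa_on_thread:
            gave_up[sa_on_thread[thread]] = ts
        elif group == "MGR" and (d := DESTROY_RE.search(msg)) and d.group(1) in gave_up:
            name = d.group(1)
            rec = {"ike_sa": name, "gave_up_at": gave_up.pop(name), "destroyed_at": ts,
                   "last_nat_change_spi": None, "seconds_since_nat_change": None}
            if last_nat_change:
                rec["last_nat_change_spi"] = last_nat_change[1]
                rec["seconds_since_nat_change"] = int((ts - last_nat_change[0]).total_seconds())
            incidents.append(rec)
    return incidents
```

Running it over the post's sequence reports one teardown of employees-win7[1], 12 seconds after the NAT mapping for SPI c593df3b changed, which is the kind of event a monitoring job can raise even though the Windows client still believes it is connected.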