[strongSwan] Windows 7 connection dies after a few minutes, but the client never notices

Micah R Ledbetter micah at doublelinepartners.com
Wed Sep 11 20:24:52 CEST 2013


Hello,

I'm having a problem with Windows 7 clients where the connection dies
after a few minutes. The server notices and drops it, but the client
thinks it's still connected (even though it can no longer talk to the
remote network).

The logs do this:

    20130911-174604 06[KNL] received a XFRM_MSG_MAPPING
    20130911-174604 06[KNL] NAT mappings of ESP CHILD_SA with SPI c593df3b and reqid {1} changed, queuing update job
    20130911-174604 02[MGR] checkout IKE_SA by ID
    20130911-174604 02[MGR] IKE_SA employees-win7[1] successfully checked out
    20130911-174604 02[MGR] checkin IKE_SA employees-win7[1]
    20130911-174604 02[MGR] check-in of IKE_SA successful.
    20130911-174615 07[JOB] got event, queuing job for execution
    20130911-174615 07[JOB] next event in 7s 144ms, waiting
    20130911-174615 01[MGR] checkout IKE_SA
    20130911-174615 01[MGR] IKE_SA employees-win7[1] successfully checked out
    20130911-174615 01[IKE] giving up after 5 retransmits
    20130911-174615 01[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='employees-win7' PLUTO_INTERFACE='eth0' PLUTO_REQID='1' PLUTO_ME='172.16.1.15' PLUTO_MY_ID='vpn.doubleline.us' PLUTO_MY_CLIENT='172.16.0.0/17' PLUTO_MY_CLIENT_NET='172.16.0.0' PLUTO_MY_CLIENT_MASK='17' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='24.173.214.18' PLUTO_PEER_ID='192.168.1.229' PLUTO_PEER_CLIENT='10.128.0.1/32' PLUTO_PEER_CLIENT_NET='10.128.0.1' PLUTO_PEER_CLIENT_MASK='32' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_UDP_ENC='4500' ipsec _updown iptables
    20130911-174616 01[IKE] unable to reestablish IKE_SA due to asymmetric setup
    20130911-174616 01[MGR] checkin and destroy IKE_SA employees-win7[1]
    20130911-174616 01[IKE] IKE_SA employees-win7[1] state change: ESTABLISHED => DESTROYING
    20130911-174616 01[KNL] deleting SAD entry with SPI c593df3b

So it has a working "checkout" and "checkin" cycle at 17:46:04, but
then by 17:46:15 something has failed, it retransmits the "checkout" 5
times with no response, and ends the connection.

This timing problem is not consistent. I have been connected for
almost an hour before it started happening, but nine times out of ten,
it happens between 8 and 10 minutes in. If the client is constantly
talking to the remote network (even just doing a `ping -t` on
Windows), I don't have this problem.

This is ipsec.conf:

    config setup
        plutostart=no

    conn employees-win7
        keyexchange=ikev2
        dpdaction=clear
        dpddelay=30s
        rekey=no
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        left=172.16.1.15
        leftsubnet=172.16.0.0/17
        leftfirewall=yes
        leftauth=pubkey
        leftcert=vpn.example.com.crt.pem
        leftid=vpn.example.com
        right=%any
        rightsourceip=10.128.0.0/20
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%any
        auto=add


And this is strongswan.conf:

    charon {
        threads = 16
        dns1 = 172.16.3.246
        filelog {
            /var/log/charon_debug.log {
                append = no
                default = 4
                flush_line = yes
                time_format = %Y%m%d-%H%M%S
            }
        }
    }

The client is configured exactly as recommended on the wiki:
http://wiki.strongswan.org/projects/strongswan/wiki/Win7EapConfig

The client is running Windows 7 Pro with all updates applied. The
server OS is Ubuntu 12.04.3 LTS with all updates applied, and
`ipsec version` reports "Linux strongSwan U4.5.2/K3.2.0-52-virtual".

I've tried changing a couple of things (`dbdaction=restart`,
`reauth=no`, `dpddelay=60m`) without a change in this behavior. I've
also tried making the settings exactly the same as on this page to no
effect: http://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig

I also found a mailing list post with this same "unable to reestablish
IKE_SA due to asymmetric setup" message from a few months ago, but it
didn't have any replies:
https://lists.strongswan.org/pipermail/users/2013-May/009185.html

I would greatly appreciate any help. Thanks.

- Micah
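An added example, not part of Micah's post or of strongSwan itself: a small parser for charon's filelog output that summarises each IKE_SA teardown, so an operator can see from the log alone how often idle tunnels are torn down after a retransmit give-up, and how long after the last NAT mapping change it happened. It assumes the `time_format = %Y%m%d-%H%M%S` setting from the strongswan.conf above and charon's `NN[GRP] message` line prefix; it also assumes (a property of charon's threading, stated here as an assumption) that the thread which logs "successfully checked out" for an IKE_SA is the one that logs the following "giving up" and "unable to reestablish" lines, which is how the unnamed messages are attributed to an SA. The sample log is constructed from the excerpt in the post.

```python
"""Summarise IKE_SA teardowns from a charon filelog (added example, constructed input)."""
import re
from datetime import datetime

# Matches the filelog time_format in the post's strongswan.conf (assumption: unchanged).
TIME_FORMAT = "%Y%m%d-%H%M%S"
LINE_RE = re.compile(r"^(?P<ts>\d{8}-\d{6}) (?P<thread>\d+)\[(?P<grp>[A-Z]+)\] (?P<msg>.*)$")
CHECKOUT_RE = re.compile(r"IKE_SA (?P<sa>\S+\[\d+\]) successfully checked out")
GIVEUP_RE = re.compile(r"giving up after (?P<n>\d+) retransmits")
DESTROY_RE = re.compile(r"IKE_SA (?P<sa>\S+\[\d+\]) state change: ESTABLISHED => DESTROYING")

# Constructed sample modelled on the log excerpt in the post.
SAMPLE_LOG = """\
20130911-174604 06[KNL] received a XFRM_MSG_MAPPING
20130911-174604 06[KNL] NAT mappings of ESP CHILD_SA with SPI c593df3b and reqid {1} changed, queuing update job
20130911-174604 02[MGR] IKE_SA employees-win7[1] successfully checked out
20130911-174604 02[MGR] check-in of IKE_SA successful.
20130911-174615 01[MGR] IKE_SA employees-win7[1] successfully checked out
20130911-174615 01[IKE] giving up after 5 retransmits
20130911-174616 01[IKE] unable to reestablish IKE_SA due to asymmetric setup
20130911-174616 01[IKE] IKE_SA employees-win7[1] state change: ESTABLISHED => DESTROYING
20130911-174616 01[KNL] deleting SAD entry with SPI c593df3b
"""


def parse_line(line):
    """Split one charon log line into (timestamp, thread id, group, message), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], TIME_FORMAT), m["thread"], m["grp"], m["msg"]


def analyze(text):
    """Return one summary dict per IKE_SA that went ESTABLISHED => DESTROYING."""
    current_sa = {}          # thread id -> IKE_SA it last checked out (assumption, see lead-in)
    giveups = {}             # IKE_SA -> (time, retransmit count) from "giving up" lines
    reestablish_failed = set()
    last_nat_change = None   # time of the most recent XFRM_MSG_MAPPING
    events = []
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue              # skip lines that are not in charon's format
        ts, thread, _grp, msg = parsed
        if "received a XFRM_MSG_MAPPING" in msg:
            last_nat_change = ts
            continue
        m = CHECKOUT_RE.search(msg)
        if m:
            current_sa[thread] = m["sa"]
            continue
        m = GIVEUP_RE.search(msg)
        if m and thread in current_sa:
            giveups[current_sa[thread]] = (ts, int(m["n"]))
            continue
        if "unable to reestablish IKE_SA" in msg and thread in current_sa:
            reestablish_failed.add(current_sa[thread])
            continue
        m = DESTROY_RE.search(msg)
        if m:
            sa = m["sa"]
            _gave_up_at, retransmits = giveups.pop(sa, (None, 0))
            events.append({
                "ike_sa": sa,
                "destroyed_at": ts,
                "retransmits": retransmits,
                "reestablish_failed": sa in reestablish_failed,
                "seconds_since_nat_change": (
                    (ts - last_nat_change).total_seconds() if last_nat_change else None
                ),
            })
            reestablish_failed.discard(sa)
    return events


if __name__ == "__main__":
    for event in analyze(SAMPLE_LOG):
        print(event)
```

Run it against a real `/var/log/charon_debug.log` by passing the file contents to `analyze()`; a teardown with a non-zero retransmit count and a short `seconds_since_nat_change` is the pattern described in the post (peer stopped answering shortly after its NAT mapping moved), which is worth alerting on separately from deliberate client disconnects.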
