[strongSwan] site-to-site vpn tunnel drops exactly every 6 hours : StrongSwan <-> Cisco ASA

Mon Sep 16 03:45:25 CEST 2013

Below is the strongSwan config which I have complete control over:
conn school-tunnel02
    type=tunnel
    auto=start
    keyexchange=ikev1
    ikelifetime=25h
    #keylife=480m
    # 28800s = 8h
    #lifetime=28800s
    lifetime=86400s
    #margintime=19m
    ## commented above line and added below line - 20130909 - Izz
    rekey=no
    # above line setting rekey=no had no affect on 6 hour timeout of tunnel
    #dpdaction=restart
    #dpddelay=30s
    authby=secret
    auth=esp
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
    left=10.10.100.221
    leftid=wepa
    leftsubnet=10.10.100.0/24
    leftfirewall=yes
    right=XXX.YYY.2.20
    rightid=XXX.YYY.2.20
    rightsubnet=XXX.YYY.43.0/24

I have requested the admin on the other end of the tunnel to change the lifetime to 24h which they have done, and it made no difference.  The tunnel is dropping at exactly every 6 hours.  Here are the logs from the drop time:

Sep 15 16:34:02 bhm-ipsec-221 charon: 16[ENC] parsed ID_PROT request 0 [ SA V V V V ]
Sep 15 16:34:02 bhm-ipsec-221 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sep 15 16:34:02 bhm-ipsec-221 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Sep 15 16:34:02 bhm-ipsec-221 charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
Sep 15 16:34:02 bhm-ipsec-221 charon: 16[IKE] received FRAGMENTATION vendor ID
Sep 15 16:34:02 bhm-ipsec-221 charon: 16[IKE] XXX.YYY.2.20 is initiating a Main Mode IKE_SA
Sep 15 16:34:02 bhm-ipsec-221 charon: 16[ENC] generating ID_PROT response 0 [ SA V V V ]
Sep 15 16:34:02 bhm-ipsec-221 charon: 16[NET] sending packet: from 10.10.100.221[4500] to XXX.YYY.2.20[4500] (132 bytes)
Sep 15 16:34:02 bhm-ipsec-221 charon: 13[NET] received packet: from XXX.YYY.2.20[4500] to 10.10.100.221[4500] (304 bytes)
Sep 15 16:34:02 bhm-ipsec-221 charon: 13[ENC] parsed ID_PROT request 0 [ KE No V V V V NAT-D NAT-D ]
Sep 15 16:34:02 bhm-ipsec-221 charon: 13[IKE] local host is behind NAT, sending keep alives
Sep 15 16:34:02 bhm-ipsec-221 charon: 13[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Sep 15 16:34:02 bhm-ipsec-221 charon: 13[NET] sending packet: from 10.10.100.221[4500] to XXX.YYY.2.20[4500] (244 bytes)
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[NET] received packet: from XXX.YYY.2.20[4500] to 10.10.100.221[4500] (84 bytes)
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[ENC] parsed ID_PROT request 0 [ ID HASH V ]
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[CFG] looking for pre-shared key peer configs matching 10.10.100.221...XXX.YYY.2.20[XXX.YYY.2.20]
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[CFG] selected peer config "school-tunnel02"
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[IKE] deleting duplicate IKE_SA for peer 'XXX.YYY.2.20' due to uniqueness policy
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[IKE] deleting IKE_SA school-tunnel02[144] between 10.10.100.221[wepa]...XXX.YYY.2.20[XXX.YYY.2.20]
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[IKE] sending DELETE for IKE_SA school-tunnel02[144]
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[ENC] generating INFORMATIONAL_V1 request 3554893475 [ HASH D ]
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[NET] sending packet: from 10.10.100.221[4500] to XXX.YYY.2.20[4500] (84 bytes)
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[IKE] IKE_SA school-tunnel02[152] established between 10.10.100.221[wepa]...XXX.YYY.2.20[XXX.YYY.2.20]
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[ENC] generating ID_PROT response 0 [ ID HASH ]
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[NET] sending packet: from 10.10.100.221[4500] to XXX.YYY.2.20[4500] (68 bytes)
Sep 15 16:34:02 bhm-ipsec-221 charon: 14[NET] received packet: from XXX.YYY.2.20[4500] to 10.10.100.221[4500] (68 bytes)
Sep 15 16:34:02 bhm-ipsec-221 charon: 14[ENC] parsed INFORMATIONAL_V1 request 3654723502 [ HASH D ]
Sep 15 16:34:02 bhm-ipsec-221 charon: 14[IKE] received DELETE for ESP CHILD_SA with SPI aadc2798
Sep 15 16:34:02 bhm-ipsec-221 charon: 14[IKE] closing CHILD_SA school-tunnel02{22} with SPIs c1777483_i (12096 bytes) aadc2798_o (15552 bytes) and TS 10.10.100.0/24 === XXX.YYY.43.0/24
Sep 15 16:34:02 bhm-ipsec-221 vpn: - XXX.YYY.2.20 XXX.YYY.43.0/24 == XXX.YYY.2.20 -- 10.10.100.221 == 10.10.100.0/24
Sep 15 16:34:02 bhm-ipsec-221 charon: 10[NET] received packet: from XXX.YYY.2.20[4500] to 10.10.100.221[4500] (84 bytes)
Sep 15 16:34:02 bhm-ipsec-221 charon: 10[ENC] parsed INFORMATIONAL_V1 request 2406045800 [ HASH D ]
Sep 15 16:34:02 bhm-ipsec-221 charon: 10[IKE] received DELETE for IKE_SA school-tunnel02[152]
Sep 15 16:34:02 bhm-ipsec-221 charon: 10[IKE] deleting IKE_SA school-tunnel02[152] between 10.10.100.221[wepa]...XXX.YYY.2.20[XXX.YYY.2.20]

I am running CentOS 6.4 x86_64 with kernel 2.6.32 and strongSwan 5.0.4 from the EPEL repo from CentOS.  (this is not a compile from source)
Here is the output of 'strongswan version':
Linux strongSwan U5.0.4/K2.6.32-358.14.1.el6.x86_64

I have two strongSwan instances setup between the same box and another in Amazon AWS Cloud for site-to-site to our DR, and the tunnel never goes down.  Traffic passes through this problematic tunnel as it should and everything is great until 6 hours passes.  I have configured a bash script that runs on a */1 minute cron to check the tunnel and if it is down it brings the tunnel back up and emails me.  This is how I have been able to keep timestamps.  As you can see in the logs, it appears to be a renego that goes wrong, but all within the same 1 second.  My cronjob picks it up at 16:35 in the above case, sees the tunnel down, runs a strongswan up school-tunnel02 and mails me the output of the command, showing success.  This continues each and every 6 hours like clockwork.

I appreciate any input.  I can probably find the configs sent to me by the admin on the other end with the Cisco ASA, but I can assure you the initial tunnel lifetime was set to 8 hours (28,800s), so I am having problem believing the ASA is doing this, even after a change to 86,400s.

Ideas please?

Thanks,
Izz

Izz Abdullah
Senior Systems Engineer
Izz.Abdullah at wepanow.com<mailto:izz.abdullah at wepanow.com>
www.wepanow.com<http://www.wepanow.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130916/e2985b5e/attachment.html>