[strongSwan] Traffic Pauses to IKEv1 VPN with Juniper ISG 1000

Mahesh Neelakanta neelakanta at gmail.com
Sun Dec 13 17:06:06 CET 2015


Hi,
 I have a strongSwan VPN server that is being used to terminate VPN
connections with multiple endpoints. Most of the existing endpoints are
Cisco, Sophos, etc. Recently I have a Juniper ISG 1000 endpoint that is
posing some intermittent traffic problems.

The exact issue is that traffic over the VPN pauses after some (random)
time. The tunnel itself is up and at the next rekey traffic starts flowing
again. If I reduce the re-key time from 3600s down to 600s, the problem is
reduced significantly. I did verify with the remote side that their keylife
is 3600s. We do not have DPD enabled. There is constant traffic so there
are no periods of inactivity.

During the periods where traffic pauses, ipsec statusall report shows no
more packets in bytes_i (whereas bytes_o is still increasing).

Here is the config on our end (IPs and subnets have been changed for
security):

config setup
   uniqueids = no
   charondebug = ike 2

conn %default
   keyingtries=%forever
   dpdaction=none

conn vpn-juniper-prd
        left=%defaultroute
        leftid=42.75.5.14 # Our actual local IP is 10.20.1.18, we are NATed going out
        leftsubnet=5.22.11.21/32
        right=168.42.68.5
        rightid=168.42.68.5
        rightsubnet=12.23.0.0/16
        keyexchange=ikev1
        ikelifetime=28800s
        ike=aes128-sha1-modp1024
        esp=aes128-sha1-modp1024
        keylife=3600m
        type=tunnel
        compress=no
        authby=secret
        auto=start

Notice that the last "bytes_i" shows 145s ago (ipsec statusall output):

vpn-juniper-prd:  %any...168.42.68.5  IKEv1
vpn-juniper-prd:   local:  [42.75.5.14] uses pre-shared key authentication
vpn-juniper-prd:   remote: [168.42.68.5] uses pre-shared key authentication
vpn-juniper-prd:   child:  5.22.11.21/32 === 12.23.0.0/16 TUNNEL
vpn-juniper-prd[1]: ESTABLISHED 110 minutes ago, 10.20.1.18[42.75.5.14]...168.42.68.5[168.42.68.5]
vpn-juniper-prd[1]: IKEv1 SPIs: a8ed9dd3b567a578_i* 97dbd6dbb3683aa4_r, pre-shared key reauthentication in 5 hours
vpn-juniper-prd[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
vpn-juniper-prd{44}:  REKEYED, TUNNEL, reqid 4, expires in 10 minutes
vpn-juniper-prd{44}:   5.22.11.21/32 === 12.23.0.0/16
vpn-juniper-prd{52}:  INSTALLED, TUNNEL, reqid 4, ESP SPIs: c3fdc693_i 9d90fe7f_o
vpn-juniper-prd{52}:  AES_CBC_128/HMAC_SHA1_96, 24197112 bytes_i *(26366 pkts, 145s ago*), 8889197 bytes_o (31780 pkts, 0s ago), rekeying in 10 minutes
vpn-juniper-prd{52}:   5.22.11.21/32 === 12.23.0.0/16

During that time, we still see packets going in/out via the eth0 interface:

03:38:52.349565 IP 10.20.1.18 > 168.42.68.5: ESP(spi=0x9d90fe7f,seq=0x7c0f), length 132
03:38:52.363916 IP 168.42.68.5 > 10.20.1.18: ESP(spi=0xc3fdc693,seq=0x5cd3), length 132
03:38:52.548261 IP 168.42.68.5 > 10.20.1.18: ESP(spi=0xc3fdc693,seq=0x5cd4), length 100
03:38:52.564198 IP 168.42.68.5 > 10.20.1.18: ESP(spi=0xc3fdc693,seq=0x5cd5), length 100
03:38:53.357693 IP 10.20.1.18 > 168.42.68.5: ESP(spi=0x9d90fe7f,seq=0x7c10), length 132
03:38:53.371666 IP 168.42.68.5 > 10.20.1.18: ESP(spi=0xc3fdc693,seq=0x5cd6), length 132
03:38:54.365616 IP 10.20.1.18 > 168.42.68.5: ESP(spi=0x9d90fe7f,seq=0x7c11), length 132
03:38:54.379533 IP 168.42.68.5 > 10.20.1.18: ESP(spi=0xc3fdc693,seq=0x5cd7), length 132
03:38:55.250707 IP 168.42.68.5 > 10.20.1.18: ESP(spi=0xc3fdc693,seq=0x5cd8), length 100
03:38:55.373593 IP 10.20.1.18 > 168.42.68.5: ESP(spi=0x9d90fe7f,seq=0x7c12), length 132
03:38:55.387695 IP 168.42.68.5 > 10.20.1.18: ESP(spi=0xc3fdc693,seq=0x5cd9), length 132


thanks,
mahesh
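As an added illustration (not part of Mahesh's post or of strongSwan itself): a small Python check that reads the two outputs above and flags a CHILD_SA whose inbound ESP SPI is still seen on the wire while bytes_i has stopped being counted, which is the symptom the post describes. The sample input is the post's own statusall and tcpdump lines joined onto single lines, plus one constructed healthy CHILD_SA ("vpn-other{7}", peer 192.0.2.9) for contrast; the max_in_age threshold is an assumed value.

```python
import re
from collections import Counter

# Sample input: the post's statusall and tcpdump lines joined onto single
# lines, plus one constructed healthy CHILD_SA ("vpn-other{7}") for contrast.
STATUSALL = """\
vpn-juniper-prd{52}:  INSTALLED, TUNNEL, reqid 4, ESP SPIs: c3fdc693_i 9d90fe7f_o
vpn-juniper-prd{52}:  AES_CBC_128/HMAC_SHA1_96, 24197112 bytes_i (26366 pkts, 145s ago), 8889197 bytes_o (31780 pkts, 0s ago), rekeying in 10 minutes
vpn-other{7}:  INSTALLED, TUNNEL, reqid 5, ESP SPIs: 01020304_i 0a0b0c0d_o
vpn-other{7}:  AES_CBC_128/HMAC_SHA1_96, 5000 bytes_i (40 pkts, 1s ago), 6000 bytes_o (50 pkts, 0s ago), rekeying in 20 minutes
"""
TCPDUMP = """\
03:38:52.349565 IP 10.20.1.18 > 168.42.68.5: ESP(spi=0x9d90fe7f,seq=0x7c0f), length 132
03:38:52.363916 IP 168.42.68.5 > 10.20.1.18: ESP(spi=0xc3fdc693,seq=0x5cd3), length 132
03:38:52.548261 IP 168.42.68.5 > 10.20.1.18: ESP(spi=0xc3fdc693,seq=0x5cd4), length 100
03:38:53.000000 IP 192.0.2.9 > 10.20.1.18: ESP(spi=0x01020304,seq=0x0001), length 100
"""

SPI_RE = re.compile(r"^(\S+?)\{(\d+)\}:\s+INSTALLED.*ESP SPIs: ([0-9a-f]+)_i ([0-9a-f]+)_o")
BYTES_RE = re.compile(r"^(\S+?)\{(\d+)\}:.*?(\d+) bytes_i \((\d+) pkts, (\d+)s ago\), "
                      r"(\d+) bytes_o \((\d+) pkts, (\d+)s ago\)")
ESP_RE = re.compile(r"ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)")


def parse_statusall(text):
    """Map (conn, child id) -> SPIs and traffic counters of each INSTALLED CHILD_SA."""
    sas = {}
    for line in text.splitlines():
        if m := SPI_RE.match(line):
            sas[(m[1], int(m[2]))] = {"spi_in": m[3], "spi_out": m[4]}
        elif (m := BYTES_RE.match(line)) and (m[1], int(m[2])) in sas:
            sas[(m[1], int(m[2]))].update(bytes_in=int(m[3]), in_age=int(m[5]),
                                          bytes_out=int(m[6]), out_age=int(m[8]))
    return sas


def parse_tcpdump(text):
    """Count ESP packets seen on the wire, keyed by SPI (hex without 0x)."""
    return Counter(m[1] for m in map(ESP_RE.search, text.splitlines()) if m)


def inbound_stalls(sas, wire_counts, max_in_age=60):
    """CHILD_SAs whose inbound SPI still arrives on the wire while the kernel has
    not counted an inbound packet for more than max_in_age seconds (assumed
    threshold): the 'bytes_i stopped, bytes_o still rising' symptom."""
    return sorted(key for key, sa in sas.items()
                  if wire_counts.get(sa["spi_in"], 0) > 0 and sa.get("in_age", 0) > max_in_age)
```

Run periodically against live `ipsec statusall` and a short `tcpdump -n esp` capture, a flagged SA points at the inbound side (decryption, replay window or a stale SA on the peer) rather than at the network path, since the packets are demonstrably arriving.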