[strongSwan] Cisco IOS flexvpn client with sVTI, create child SA every minute.

Igor j at owind.com
Mon Jul 6 15:40:17 CEST 2015


Hi list,

I'm using strongSwan 5.3.2 and CSR 1000v 3.14 and have a flexvpn client
with an sVTI tunnel interface, but it keeps creating a child SA every 60s,
like below. Any suggestions? Thanks.

P.S. The logs are from several different test cases.

strongSwan log:

Jul  6 20:27:38 08[NET] received packet: from x.x.x.x.x[500] to y.y.y.y[500] (256 bytes)
Jul  6 20:27:38 08[ENC] parsed CREATE_CHILD_SA request 9 [ SA No KE TSi TSr ]
Jul  6 20:27:38 08[IKE] CHILD_SA IOS{12} established with SPIs cac35673_i 086a1ade_o and TS 0.0.0.0/0 === 10.0.0.0/8
Jul  6 20:27:38 08[ENC] generating CREATE_CHILD_SA response 9 [ SA No KE TSi TSr ]
Jul  6 20:27:38 08[NET] sending packet: from y.y.y.y[500] to x.x.x.x.x[500] (272 bytes)
Jul  6 20:28:38 10[NET] received packet: from x.x.x.x.x[500] to y.y.y.y[500] (256 bytes)
Jul  6 20:28:38 10[ENC] parsed CREATE_CHILD_SA request 10 [ SA No KE TSi TSr ]
Jul  6 20:28:38 10[IKE] CHILD_SA IOS{13} established with SPIs ccc856f5_i 70094df2_o and TS 0.0.0.0/0 === 10.0.0.0/8
Jul  6 20:28:38 10[ENC] generating CREATE_CHILD_SA response 10 [ SA No KE TSi TSr ]
Jul  6 20:28:38 10[NET] sending packet: from y.y.y.y[500] to x.x.x.x.x[500] (272 bytes)


IOS debug log:

*Jul  6 11:56:04.061: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= x.x.x.x.x:500, remote= y.y.y.y:500,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-gcm  (Tunnel),
    lifedur= 86400s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul  6 11:56:04.061: IKEv2:Searching Policy with fvrf 0, local address x.x.x.x.x
*Jul  6 11:56:04.061: IKEv2:Using the Default Policy for Proposal
*Jul  6 11:56:04.061: IKEv2:Found Policy 'default'
*Jul  6 11:56:04.061: IKEv2:(SESSION ID = 1,SA ID = 1):Check for IPSEC rekey
*Jul  6 11:56:04.061: IKEv2:(SESSION ID = 1,SA ID = 1):Set IPSEC DH group
*Jul  6 11:56:04.061: IKEv2:(SESSION ID = 1,SA ID = 1):Checking for PFS configuration
*Jul  6 11:56:04.061: IKEv2:(SESSION ID = 1,SA ID = 1):PFS configured, DH group 19
*Jul  6 11:56:04.061: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Jul  6 11:56:04.062: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jul  6 11:56:04.062: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
*Jul  6 11:56:04.062: IKEv2:(SESSION ID = 1,SA ID = 1):Generating CREATE_CHILD_SA exchange
*Jul  6 11:56:04.062: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   AES-GCM   DH_GROUP_256_ECP/Group 19   Don't use ESN
*Jul  6 11:56:04.062: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
 SA N KE TSi TSr
*Jul  6 11:56:04.062: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window

*Jul  6 11:56:04.063: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To y.y.y.y:500/From x.x.x.x.x:500/VRF i0:f0]
Initiator SPI : 35F67CE104837269 - Responder SPI : 9FA0E76515EFD5EE Message id: 5
IKEv2 CREATE_CHILD_SA Exchange REQUEST
Payload contents:
 ENCR



strongSwan conf:

conn IOS
        type=tunnel
        keyexchange=ikev2
        auto=start
        ike=aes128gcm16
        esp=aes128gcm16-ecp256,aes256gcm16-ecp384!
        left=%defaultroute
        leftid=a285l.domain.com
        leftsubnet=0.0.0.0/0
        leftauth=pubkey
        leftcert=gw.cer
        right=%any
        rightsendcert=never
        rightid=IOS
        rightauth=eap-radius
        eap_identity=%identity
        rightsourceip=10.16.100.0/24
        rightsubnet=10.0.0.0/8
        ikelifetime=1440m
        lifetime=1440m
        keylife=60s
        rekeymargin=3m
        keyingtries=1
        rekey=no
        reauth=no


IOS config:

crypto ikev2 profile g3pf
 match identity remote fqdn a285l.domain.com
 identity local fqdn IOS
 authentication remote rsa-sig
 authentication local eap md5 username test password pass
 pki trustpoint pca
!
crypto ikev2 client flexvpn ff
  peer 1 xx.x.x.x
  peer reactivate
  client connect Tunnel0
crypto ipsec transform-set TSPFS esp-gcm
 mode tunnel
!
!
crypto ipsec profile g3ipf
 set transform-set TSPFS
 set ikev2-profile g3pf

interface Tunnel0
 ip address negotiated
 ip tcp adjust-mss 1200
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile g3ipf
!



CSR#do sh cry ike se
 IPv4 Crypto IKEv2 Session

Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:39

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         x.1.x.x4/500      y.y.y.y/500    none/none            READY
      Encr: AES-CBC, keysize: 128, PRF: MD5, Hash: MD596, DH Grp:5, Auth sign: EAP, Auth verify: RSA
      Life/Active Time: 86400/2339 sec
Child sa: local selector  10.0.0.0/0 - 10.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x3EC54188/0xC60050F4
Child sa: local selector  10.0.0.0/0 - 10.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0xFC4FB0E8/0xC931F3F8
Child sa: local selector  10.0.0.0/0 - 10.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x92AEB325/0xCC4160B7
Child sa: local selector  10.0.0.0/0 - 10.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x63C48FE4/0xCC8E3FA3



Best,
-Igor
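As an added example (not part of Igor's post and not strongSwan or Cisco code): a small script that reads charon "CHILD_SA ... established" lines together with the conn block from an ipsec.conf, measures how often the CHILD_SA is re-established per connection, compares that against the configured CHILD_SA lifetime, and names the configured keyword whose value matches the observed period. The sample log and conf text below are constructed from the values in the post (with one extra IOS line and one unrelated conn added to exercise grouping); the year 2015 is assumed for timestamp parsing, and `lifetime` and `keylife` are both read as they appear in the file without assuming which one strongSwan honours when both are set.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: the charon lines from the post plus extra lines in the
# same format (a third IOS rekey and an unrelated conn). syslog timestamps
# carry no year, so 2015 is assumed when parsing.
SAMPLE_LOG = """\
Jul  6 20:27:38 08[ENC] parsed CREATE_CHILD_SA request 9 [ SA No KE TSi TSr ]
Jul  6 20:27:38 08[IKE] CHILD_SA IOS{12} established with SPIs cac35673_i 086a1ade_o and TS 0.0.0.0/0 === 10.0.0.0/8
Jul  6 20:28:38 10[IKE] CHILD_SA IOS{13} established with SPIs ccc856f5_i 70094df2_o and TS 0.0.0.0/0 === 10.0.0.0/8
Jul  6 20:29:38 12[IKE] CHILD_SA IOS{14} established with SPIs 1a2b3c4d_i 5e6f7a8b_o and TS 0.0.0.0/0 === 10.0.0.0/8
Jul  6 20:30:10 05[IKE] CHILD_SA other{3} established with SPIs 11111111_i 22222222_o and TS 192.168.1.0/24 === 10.0.0.0/8
"""

# Constructed conn block: the lifetime-related keywords from the post's ipsec.conf.
SAMPLE_CONF = """\
conn IOS
        keyexchange=ikev2
        ikelifetime=1440m
        lifetime=1440m
        keylife=60s
        rekeymargin=3m
        rekey=no
"""

ESTABLISHED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \d+\[IKE\] "
    r"CHILD_SA (?P<conn>[^{]+)\{(?P<id>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]{8})_i (?P<spi_out>[0-9a-f]{8})_o"
)
TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_syslog_time(ts, year=2015):
    # strptime treats whitespace in the format as \s+, so "Jul  6" parses.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def child_sa_events(log_text, year=2015):
    """Group 'CHILD_SA <conn>{id} established' lines by connection name."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = ESTABLISHED_RE.match(line)
        if m:
            events[m["conn"]].append(
                (parse_syslog_time(m["ts"], year), int(m["id"]), m["spi_in"], m["spi_out"])
            )
    return dict(events)


def rekey_intervals(events):
    """Seconds between consecutive establishments, per connection."""
    return {
        conn: [int((b[0] - a[0]).total_seconds()) for a, b in zip(evs, evs[1:])]
        for conn, evs in events.items()
    }


def parse_conf_time(value):
    """ipsec.conf durations: bare seconds or an s/m/h/d suffix."""
    value = value.strip()
    if value and value[-1] in TIME_UNITS:
        return int(value[:-1]) * TIME_UNITS[value[-1]]
    return int(value)


def conn_settings(conf_text, conn_name):
    """Return the (keyword, value) pairs of one conn block in file order, so a
    keyword set twice, or set via a synonym, stays visible to the caller."""
    pairs, inside = [], False
    for line in conf_text.splitlines():
        if not line.startswith((" ", "\t")):
            inside = line.strip() == f"conn {conn_name}"
            continue
        if inside and "=" in line:
            key, _, val = line.strip().partition("=")
            pairs.append((key.strip(), val.strip()))
    return pairs


def churn_report(log_text, conf_text, conn_name, min_fraction=0.5):
    """Flag a connection whose observed CHILD_SA interval is far below the
    largest configured CHILD_SA lifetime, and list the configured keywords
    whose value equals the observed interval."""
    intervals = rekey_intervals(child_sa_events(log_text)).get(conn_name, [])
    if not intervals:
        return None
    observed = int(statistics.median(intervals))
    lifetimes = [(k, parse_conf_time(v)) for k, v in conn_settings(conf_text, conn_name)
                 if k in ("lifetime", "keylife")]
    configured = max(v for _, v in lifetimes) if lifetimes else None
    return {
        "conn": conn_name,
        "observed_interval_s": observed,
        "configured_lifetime_s": configured,
        "churn": configured is not None and observed < configured * min_fraction,
        "matching_keywords": [k for k, v in lifetimes if v == observed],
    }


if __name__ == "__main__":
    print(churn_report(SAMPLE_LOG, SAMPLE_CONF, "IOS"))
```

Run against the constructed input it reports a 60 s observed interval for `IOS` against a configured 86400 s lifetime, flags churn, and lists `keylife` as the keyword whose value matches the observed period; pointing `SAMPLE_LOG` at a real charon log and `SAMPLE_CONF` at the real ipsec.conf gives the same check on live data.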

