[strongSwan] IKE_REAUTH

abi at abinet.ru abi at abinet.ru
Wed Jun 10 10:45:05 CEST 2015


Hey, community.

I found that on IKE_REAUTH the tunnel goes down with a TCP/IP teardown. I 
enabled the logs and found "initiator did not reauthenticate as 
requested".
Here is the full log of the reauth sequence:

Jun 10 07:20:00 abinet charon: 05[IKE] initiator did not reauthenticate 
as requested
Jun 10 07:20:00 abinet charon: 05[IKE] reauthenticating IKE_SA gate[1] 
actively
Jun 10 07:20:00 abinet charon: 05[IKE] queueing IKE_REAUTH task
Jun 10 07:20:00 abinet charon: 05[IKE] activating new tasks
Jun 10 07:20:00 abinet charon: 05[IKE]   activating IKE_REAUTH task
Jun 10 07:20:00 abinet charon: 05[IKE] deleting IKE_SA gate[1] between 
95.211.88.160[C=RU, O=abinet, CN=abinet.ru]...5.18.175.216[C=RU, 
O=abinet, CN=gate.abinet.ru]
Jun 10 07:20:00 abinet charon: 05[IKE] IKE_SA gate[1] state change: 
ESTABLISHED => DELETING
Jun 10 07:20:00 abinet charon: 05[IKE] sending DELETE for IKE_SA gate[1]
Jun 10 07:20:00 abinet charon: 05[ENC] generating INFORMATIONAL request 
62 [ D ]
Jun 10 07:20:00 abinet charon: 05[NET] sending packet: from 
95.211.88.160[4500] to 5.18.175.216[4500] (76 bytes)
Jun 10 07:20:00 abinet charon: 05[NET] received packet: from 
5.18.175.216[4500] to 95.211.88.160[4500] (76 bytes)
Jun 10 07:20:00 abinet charon: 05[ENC] parsed INFORMATIONAL response 62 
[ D ]
Jun 10 07:20:00 abinet charon: 05[IKE] IKE_SA deleted
Jun 10 07:20:00 abinet charon: 05[IKE] restarting CHILD_SA gate
Jun 10 07:20:00 abinet charon: 05[IKE] unable to resolve %any, initiate 
aborted
Jun 10 07:20:00 abinet charon: 05[MGR] tried to check-in and delete 
nonexisting IKE_SA
Jun 10 07:20:00 abinet charon: 05[IKE] IKE_SA gate[2] state change: 
CREATED => DESTROYING
Jun 10 07:20:00 abinet charon: 05[IKE] reauthenticating IKE_SA failed
Jun 10 07:20:00 abinet charon: 05[IKE] IKE_SA gate[1] state change: 
DELETING => DESTROYING

I don't have logs from the remote client, but it's a Cisco ASA 5505, so 
maybe it is well-known behavior. I read the wiki and here is my 
interpretation (it can be wrong):

1. Both client and server were set to a 1 day rekey for phase 1, but as 
strongSwan subtracts a random modifier, Server < Client.
2. strongSwan asked the Cisco to initiate the REAUTH sequence.
3. The Cisco ignored the request (maybe it ignores all such requests, or it 
saw that the key had not yet expired).
4. As the Cisco is behind NAT and has a dynamic address, right=%any is used, 
and strongSwan can't interact with it without a working SA. (Can't it use 
the existing one for that?)

So, my questions are:
1. If the client refuses to initiate the REAUTH procedure, does the tunnel 
inevitably fail, or did strongSwan do something wrong / is it misconfigured?
2. Could the solution be to set the Cisco key to expire in 23 hours, to ensure 
it starts REAUTH first?

Or will established TCP/IP connections be dropped on IKE_REAUTH in any 
case? (At least they survive an SA rekey.)

Thank you.
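The failure sequence in the charon log above can be pulled out mechanically, which is handy when this happens once a day on a box with many tunnels. The following is an added example (not part of the original post and not strongSwan's own code): it parses charon log lines in the format quoted above, tracks the IKE_SA state transitions per SA name, and reports why the reauthentication failed. The sample log is constructed from the lines quoted in the post; the message strings matched are the ones visible there, nothing else is assumed about charon's logging.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input in the charon log format quoted in the post above.
SAMPLE_LOG = """\
Jun 10 07:20:00 abinet charon: 05[IKE] initiator did not reauthenticate as requested
Jun 10 07:20:00 abinet charon: 05[IKE] reauthenticating IKE_SA gate[1] actively
Jun 10 07:20:00 abinet charon: 05[IKE] queueing IKE_REAUTH task
Jun 10 07:20:00 abinet charon: 05[IKE]   activating IKE_REAUTH task
Jun 10 07:20:00 abinet charon: 05[IKE] IKE_SA gate[1] state change: ESTABLISHED => DELETING
Jun 10 07:20:00 abinet charon: 05[IKE] sending DELETE for IKE_SA gate[1]
Jun 10 07:20:00 abinet charon: 05[NET] sending packet: from 95.211.88.160[4500] to 5.18.175.216[4500] (76 bytes)
Jun 10 07:20:00 abinet charon: 05[IKE] IKE_SA deleted
Jun 10 07:20:00 abinet charon: 05[IKE] restarting CHILD_SA gate
Jun 10 07:20:00 abinet charon: 05[IKE] unable to resolve %any, initiate aborted
Jun 10 07:20:00 abinet charon: 05[IKE] IKE_SA gate[2] state change: CREATED => DESTROYING
Jun 10 07:20:00 abinet charon: 05[IKE] reauthenticating IKE_SA failed
Jun 10 07:20:00 abinet charon: 05[IKE] IKE_SA gate[1] state change: DELETING => DESTROYING
"""

# "<syslog timestamp> <host> charon: <thread>[<group>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<grp>[A-Z]+)\] +(?P<msg>.*)$"
)
STATE_RE = re.compile(r"IKE_SA (?P<sa>\S+) state change: (?P<old>\w+) => (?P<new>\w+)")
ACTIVE_RE = re.compile(r"reauthenticating IKE_SA (?P<sa>\S+) actively")


@dataclass
class ReauthReport:
    peer_declined: bool = False            # peer ignored the reauth request
    active_reauth_sa: Optional[str] = None  # SA strongSwan then tried to reauth itself
    old_sa_deleted: bool = False           # DELETE exchange completed before the new SA existed
    abort_reason: Optional[str] = None     # "unable to resolve ..." message, if any
    reauth_failed: bool = False
    transitions: Dict[str, List[str]] = field(default_factory=dict)


def analyze_reauth(log_text: str) -> ReauthReport:
    """Walk charon [IKE] lines in order and collect the reauth outcome."""
    rep = ReauthReport()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("grp") != "IKE":
            continue
        msg = m.group("msg")
        if msg.startswith("initiator did not reauthenticate as requested"):
            rep.peer_declined = True
        am = ACTIVE_RE.match(msg)
        if am:
            rep.active_reauth_sa = am.group("sa")
        if msg == "IKE_SA deleted":
            rep.old_sa_deleted = True
        if msg.startswith("unable to resolve"):
            rep.abort_reason = msg
        if msg == "reauthenticating IKE_SA failed":
            rep.reauth_failed = True
        sm = STATE_RE.match(msg)
        if sm:
            rep.transitions.setdefault(sm.group("sa"), []).append(
                f"{sm.group('old')}=>{sm.group('new')}"
            )
    return rep


def reauth_verdict(rep: ReauthReport) -> str:
    """One-line diagnosis derived only from the flags collected above."""
    if not rep.peer_declined and rep.active_reauth_sa is None:
        return "no reauthentication in this excerpt"
    if rep.abort_reason and "%any" in rep.abort_reason and rep.old_sa_deleted:
        return ("tunnel down: peer declined reauth, old IKE_SA was deleted, and the "
                "local side could not initiate a new one to a %any peer address")
    if rep.reauth_failed:
        return "tunnel down: reauthentication failed (" + (rep.abort_reason or "no reason logged") + ")"
    return "reauthentication completed"


if __name__ == "__main__":
    report = analyze_reauth(SAMPLE_LOG)
    for sa, steps in report.transitions.items():
        print(sa, " -> ".join(steps))
    print(reauth_verdict(report))
```

The decisive ordering the script checks for is the one in the post: the DELETE exchange for gate[1] completes ("IKE_SA deleted") before the replacement gate[2] is attempted, and that attempt aborts on the unresolvable %any peer, so there is no moment at which both SAs exist.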

