[strongSwan] Connection gets lost

Rolf Schöpfer rolf at samplezone.ch
Wed Mar 18 18:39:33 CET 2015


Hi

IPsec connectivity between m0n0wall (racoon) and strongSwan is lost several times a day. I have no idea what goes wrong. To fix it I need to restart IPsec on m0n0wall. Below are some details from the m0n0wall log and the server log. How can I solve this problem?


Monowall
===============================
Mar 18 17:51:19     racoon: INFO: KA remove: 10.10.10.1[4500]->85.xx.xx.xx[4500]
Mar 18 17:51:19     racoon: INFO: ISAKMP-SA deleted 10.10.10.1[4500]-85.xx.xx.xx[4500] spi:5b428de34f5025e9:19b8dfd8dfd65c2f
Mar 18 17:51:19     racoon: INFO: ISAKMP-SA expired 10.10.10.1[4500]-85.xx.xx.xx[4500] spi:5b428de34f5025e9:19b8dfd8dfd65c2f
Mar 18 17:41:21     racoon: ERROR: pfkey DELETE received: ESP 10.10.10.1[500]->85.xx.xx.xx[500] spi=72534407(0x452c987)
Mar 18 17:36:23     racoon: INFO: IPsec-SA established: ESP/Tunnel 10.10.10.1[500]->85.xx.xx.xx[500] spi=3173324669(0xbd25177d)
Mar 18 17:36:23     racoon: INFO: IPsec-SA established: ESP/Tunnel 10.10.10.1[500]->85.xx.xx.xx[500] spi=517191(0x7e447)
Mar 18 17:36:23     racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Mar 18 17:36:23     racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Mar 18 17:36:23     racoon: INFO: respond new phase 2 negotiation: 10.10.10.1[4500]<=>85.xx.xx.xx[4500]
Mar 18 16:51:19     racoon: INFO: IPsec-SA established: ESP/Tunnel 10.10.10.1[500]->85.xx.xx.xx[500] spi=72534407(0x452c987)
Mar 18 16:51:19     racoon: INFO: IPsec-SA established: ESP/Tunnel 10.10.10.1[500]->85.xx.xx.xx[500] spi=197496901(0xbc59045)
Mar 18 16:51:19     racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Mar 18 16:51:19     racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Mar 18 16:51:19     racoon: WARNING: attribute has been modified.
Mar 18 16:51:19     racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
Mar 18 16:51:19     racoon: INFO: initiate new phase 2 negotiation: 10.10.10.1[4500]<=>85.xx.xx.xx[4500]
Mar 18 16:51:19     racoon: INFO: ISAKMP-SA established 10.10.10.1[4500]-85.xx.xx.xx[4500] spi:5b428de34f5025e9:19b8dfd8dfd65c2f
Mar 18 16:51:19     racoon: INFO: KA list add: 10.10.10.1[4500]->85.xx.xx.xx[4500]
Mar 18 16:51:19     racoon: INFO: NAT detected: ME PEER
Mar 18 16:51:19     racoon: INFO: NAT-D payload #1 doesn't match
Mar 18 16:51:19     racoon: [85.xx.xx.xx] INFO: Hashing 85.xx.xx.xx[500] with algo #1
Mar 18 16:51:19     racoon: INFO: NAT-D payload #0 doesn't match
Mar 18 16:51:19     racoon: [10.10.10.1] INFO: Hashing 10.10.10.1[500] with algo #1
Mar 18 16:51:19     racoon: INFO: Adding remote and local NAT-D payloads.
Mar 18 16:51:19     racoon: [10.10.10.1] INFO: Hashing 10.10.10.1[500] with algo #1
Mar 18 16:51:19     racoon: [85.xx.xx.xx] INFO: Hashing 85.xx.xx.xx[500] with algo #1
Mar 18 16:51:18     racoon: [85.xx.xx.xx] INFO: Selected NAT-T version: RFC 3947
Mar 18 16:51:18     racoon: INFO: received Vendor ID: RFC 3947
Mar 18 16:51:18     racoon: INFO: received Vendor ID: DPD
Mar 18 16:51:18     racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Mar 18 16:51:18     racoon: INFO: begin Identity Protection mode.
Mar 18 16:51:18     racoon: INFO: initiate new phase 1 negotiation: 10.10.10.1[500]<=>85.xx.xx.xx[500]
Mar 18 16:51:18     racoon: INFO: IPsec-SA request for 85.xx.xx.xx queued due to no phase1 found


ipsec status
========================
# ipsec status
Security Associations (1 up, 0 connecting):
   host-szlan[17]: ESTABLISHED 90 minutes ago, 85.xx.xx.xx[85.xx.xx.xx]...109.xx.xx.xx[109.xx.xx.xx]
   host-szlan{9}:  REKEYING, TUNNEL, expires in 14 minutes
   host-szlan{9}:   10.10.200.182/32 === 10.10.10.0/24


ipsec statusall
=========================
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-26-pve, i686):
   uptime: 5 days, since Mar 13 09:36:51 2015
   malloc: sbrk 249856, mmap 0, used 108520, free 141336
   worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 5
   loaded plugins: charon aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-libipsec kernel-netlink socket-default updown
Listening IP addresses:
   85.xx.xx.xx
   10.10.200.182
Connections:
   host-szlan:  85.xx.xx.xx...109.xx.xx.xx  IKEv1
   host-szlan:   local:  [85.xx.xx.xx] uses pre-shared key authentication
   host-szlan:   remote: [109.xx.xx.xx] uses pre-shared key authentication
   host-szlan:   child:  10.10.200.182/32 === 10.10.10.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
   host-szlan[17]: ESTABLISHED 91 minutes ago, 85.xx.xx.xx[85.xx.xx.xx]...109.xx.xx.xx[109.xx.xx.xx]
   host-szlan[17]: IKEv1 SPIs: e925504fe38d425b_i 2f5cd6dfd8dfb819_r*, pre-shared key reauthentication in 71 minutes
   host-szlan[17]: IKE proposal: AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
   host-szlan[17]: Tasks active: QUICK_MODE
   host-szlan{9}:  REKEYING, TUNNEL, expires in 13 minutes
   host-szlan{9}:   10.10.200.182/32 === 10.10.10.0/24


/var/log/syslog
======================
Mar 18 17:40:03 development charon: 08[KNL] creating rekey job for ESP CHILD_SA with SPI 0452c987 and reqid {9}
Mar 18 17:41:21 development charon: 13[NET] received packet: from 109.xx.xx.xx[20475] to 85.xx.xx.xx[4500] (76 bytes)
Mar 18 17:41:21 development charon: 13[ENC] parsed INFORMATIONAL_V1 request 2479983621 [ HASH D ]
Mar 18 17:41:21 development charon: 13[IKE] received DELETE for ESP CHILD_SA with SPI 0bc59045
Mar 18 17:41:21 development charon: 13[IKE] closing CHILD_SA host-szlan{9} with SPIs 0452c987_i (143017 bytes) 0bc59045_o (39303 bytes) and TS 10.10.200.182/32 === 10.10.10.0/24
Mar 18 18:21:23 development charon: 08[KNL] creating rekey job for ESP CHILD_SA with SPI bd25177d and reqid {9}
Mar 18 18:21:23 development charon: 16[ENC] generating QUICK_MODE request 223521050 [ HASH SA No ID ID ]
Mar 18 18:21:23 development charon: 16[NET] sending packet: from 85.xx.xx.xx[4500] to 109.xx.xx.xx[20475] (204 bytes)
Mar 18 18:21:27 development charon: 03[IKE] sending retransmit 1 of request message ID 223521050, seq 3
Mar 18 18:21:27 development charon: 03[NET] sending packet: from 85.xx.xx.xx[4500] to 109.xx.xx.xx[20475] (204 bytes)
Mar 18 18:21:35 development charon: 02[IKE] sending retransmit 2 of request message ID 223521050, seq 3
Mar 18 18:21:35 development charon: 02[NET] sending packet: from 85.xx.xx.xx[4500] to 109.xx.xx.xx[20475] (204 bytes)
Mar 18 18:21:48 development charon: 01[IKE] sending retransmit 3 of request message ID 223521050, seq 3
Mar 18 18:21:48 development charon: 01[NET] sending packet: from 85.xx.xx.xx[4500] to 109.xx.xx.xx[20475] (204 bytes)
Mar 18 18:22:11 development charon: 13[IKE] sending retransmit 4 of request message ID 223521050, seq 3
Mar 18 18:22:11 development charon: 13[NET] sending packet: from 85.xx.xx.xx[4500] to 109.xx.xx.xx[20475] (204 bytes)
Mar 18 18:22:48 development charon: 08[KNL] creating rekey job for ESP CHILD_SA with SPI 0007e447 and reqid {9}
Mar 18 18:22:53 development charon: 01[IKE] sending retransmit 5 of request message ID 223521050, seq 3
Mar 18 18:22:53 development charon: 01[NET] sending packet: from 85.xx.xx.xx[4500] to 109.xx.xx.xx[20475] (204 bytes)
Mar 18 18:24:08 development charon: 13[IKE] giving up after 5 retransmits
Mar 18 18:24:08 development charon: 13[IKE] initiating Main Mode IKE_SA host-szlan[18] to 109.xx.xx.xx
Mar 18 18:24:08 development charon: 13[ENC] generating ID_PROT request 0 [ SA V V V V ]
Mar 18 18:24:08 development charon: 13[NET] sending packet: from 85.xx.xx.xx[500] to 109.xx.xx.xx[500] (156 bytes)
Mar 18 18:24:12 development charon: 14[IKE] sending retransmit 1 of request message ID 0, seq 1
Mar 18 18:24:12 development charon: 14[NET] sending packet: from 85.xx.xx.xx[500] to 109.xx.xx.xx[500] (156 bytes)


Any help is appreciated, thanks.
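The charon syslog excerpt in the post shows the sequence that precedes the outage: a rekey job for the ESP CHILD_SA, a QUICK_MODE request that is retransmitted five times without any reply from the racoon side, "giving up after 5 retransmits", and then a fresh Main Mode IKE_SA. The script below is an added example, not part of the post and not strongSwan code; it parses charon lines of that format and reports, per request message ID, how many retransmits were sent and whether the request was answered or abandoned, so the failed rekeys can be pulled out of a day's syslog without reading it by hand. The sample lines are constructed from the excerpt (the final "parsed ID_PROT response" line is invented to show what an answered exchange looks like), and attributing a "giving up" line to a request is a heuristic that assumes a single IKE_SA in the log, since that line carries no message ID.

```python
"""Flag IKEv1 requests that charon retransmitted and then abandoned.

Added example (not from the post or strongSwan). Assumes one IKE_SA per log,
because the "giving up after N retransmits" line names no message ID and is
matched to the newest pending request with the same retransmit count.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample modelled on the syslog excerpt in the post; the last
# "parsed ID_PROT response" line is invented to show an answered exchange.
SAMPLE_LOG = """\
Mar 18 18:21:23 development charon: 08[KNL] creating rekey job for ESP CHILD_SA with SPI bd25177d and reqid {9}
Mar 18 18:21:23 development charon: 16[ENC] generating QUICK_MODE request 223521050 [ HASH SA No ID ID ]
Mar 18 18:21:23 development charon: 16[NET] sending packet: from 85.xx.xx.xx[4500] to 109.xx.xx.xx[20475] (204 bytes)
Mar 18 18:21:27 development charon: 03[IKE] sending retransmit 1 of request message ID 223521050, seq 3
Mar 18 18:21:35 development charon: 02[IKE] sending retransmit 2 of request message ID 223521050, seq 3
Mar 18 18:21:48 development charon: 01[IKE] sending retransmit 3 of request message ID 223521050, seq 3
Mar 18 18:22:11 development charon: 13[IKE] sending retransmit 4 of request message ID 223521050, seq 3
Mar 18 18:22:53 development charon: 01[IKE] sending retransmit 5 of request message ID 223521050, seq 3
Mar 18 18:24:08 development charon: 13[IKE] giving up after 5 retransmits
Mar 18 18:24:08 development charon: 13[IKE] initiating Main Mode IKE_SA host-szlan[18] to 109.xx.xx.xx
Mar 18 18:24:08 development charon: 13[ENC] generating ID_PROT request 0 [ SA V V V V ]
Mar 18 18:24:12 development charon: 14[IKE] sending retransmit 1 of request message ID 0, seq 1
Mar 18 18:24:13 development charon: 14[ENC] parsed ID_PROT response 0 [ SA V V V V ]
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[\w+\] (?P<msg>.*)$")
REKEY_RE = re.compile(r"creating rekey job for ESP CHILD_SA with SPI (?P<spi>[0-9a-f]+)")
GEN_RE = re.compile(r"generating (?P<exch>\w+) request (?P<mid>\d+)")
RETX_RE = re.compile(r"sending retransmit (?P<n>\d+) of request message ID (?P<mid>\d+)")
RESP_RE = re.compile(r"parsed (?P<exch>\w+) response (?P<mid>\d+)")
GIVEUP_RE = re.compile(r"giving up after (?P<n>\d+) retransmits")


@dataclass
class Exchange:
    mid: int                  # IKEv1 message ID of the request
    exchange: str             # QUICK_MODE, ID_PROT, INFORMATIONAL_V1, ...
    first_sent: str           # syslog timestamp of the initial send
    last_seen: str            # timestamp of the last line that touched it
    retransmits: int = 0
    outcome: str = "pending"  # "answered" | "abandoned" | "pending"
    rekey_spi: Optional[str] = None  # CHILD_SA SPI whose rekey job triggered a QUICK_MODE

    def duration_s(self) -> int:
        """Seconds from first send to the answer / give-up (year-less syslog stamps)."""
        fmt = "%b %d %H:%M:%S"
        start, end = datetime.strptime(self.first_sent, fmt), datetime.strptime(self.last_seen, fmt)
        return int((end - start).total_seconds())


def parse_charon_log(text: str) -> List[Exchange]:
    """Return every request charon generated, in log order, with its fate."""
    by_mid = {}            # message ID -> most recent Exchange using that ID
    order: List[Exchange] = []
    pending_rekey = None   # SPI of the last rekey job not yet tied to a QUICK_MODE
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue       # not a charon line in this format: skip it
        ts, msg = m.group("ts"), m.group("msg")
        if (r := REKEY_RE.search(msg)):
            pending_rekey = r.group("spi")
        elif (g := GEN_RE.search(msg)):
            ex = Exchange(int(g.group("mid")), g.group("exch"), ts, ts)
            if ex.exchange == "QUICK_MODE":
                ex.rekey_spi, pending_rekey = pending_rekey, None
            by_mid[ex.mid] = ex
            order.append(ex)
        elif (x := RETX_RE.search(msg)):
            ex = by_mid.get(int(x.group("mid")))
            if ex is not None:
                ex.retransmits, ex.last_seen = int(x.group("n")), ts
        elif (p := RESP_RE.search(msg)):
            ex = by_mid.get(int(p.group("mid")))
            if ex is not None and ex.outcome == "pending":
                ex.outcome, ex.last_seen = "answered", ts
        elif (u := GIVEUP_RE.search(msg)):
            # No message ID on this line: attribute it to the newest pending
            # request with the same retransmit count (single-IKE_SA assumption).
            n = int(u.group("n"))
            for ex in reversed(order):
                if ex.outcome == "pending" and ex.retransmits == n:
                    ex.outcome, ex.last_seen = "abandoned", ts
                    break
    return order


def abandoned_exchanges(text: str) -> List[Exchange]:
    """Requests the peer never answered: the failure mode shown in the post."""
    return [ex for ex in parse_charon_log(text) if ex.outcome == "abandoned"]


if __name__ == "__main__":
    for ex in parse_charon_log(SAMPLE_LOG):
        tag = f" (rekey of SPI {ex.rekey_spi})" if ex.rekey_spi else ""
        print(f"{ex.exchange} mid={ex.mid}{tag}: {ex.retransmits} retransmits, "
              f"{ex.outcome} after {ex.duration_s()}s")
```

Feed it the real file with `parse_charon_log(open("/var/log/syslog").read())`. An abandoned QUICK_MODE whose `rekey_spi` matches a "creating rekey job" line is a rekey the peer never answered; its `first_sent` and `last_seen` timestamps give the window to line up against the racoon log from the same period.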


