[strongSwan] StrongSWAN and Cisco ASA: continuously recreating SAs after first rekey
Willem Roos
wroos at shoprite.co.za
Mon Sep 7 09:20:33 CEST 2015
Hi List,
I've searched the archives and haven't so far come across a similar case to mine afaics.
I have StrongSWAN in AWS (Linux strongSwan U5.1.2/K3.13.0-48-generic) and a Cisco ASA on premise (I'll get the config and exact ASA spec soon, but it's running upwards of v9). Everything is fine until the first rekey time (1h in my case); then it will recreate the SAs every ~3 minutes with:
---- 8< ----
Sep 3 09:05:13 strongswan-prod charon: 06[IKE] giving up after 5 retransmits
Sep 3 09:05:13 strongswan-prod charon: 06[IKE] restarting CHILD_SA aws-2-onprem
---- 8< ----
The tunnels re-establish immediately with no issues; the problem is just that it keeps doing it every 3 minutes, which causes havoc for ssh connections (the Windows guys just moan a bit :-).
My workaround for now will be to set the lifetime to 24h and do "ipsec restart" from cron once a day, but it's not very elegant. Has anyone seen anything like this with Cisco ASA?
ipsec.conf:
---- 8< ----
conn aws-2-onprem
keyexchange=ikev2
ike=aes256-sha1-modp1024
esp=aes256-sha1-modp1024 <-- pfs is off ASA side
left=%defaultroute
leftid=<left ip>
leftsubnet=<local subnets>
right=<right ip>
rightsubnet=<remote subnets>
dpdaction=restart <-- initially thought DPD might be a problem with ASA
# dpdaction=none <-- tried this, bad idea in my case: no tunnels after rekey
dpddelay=0 <-- and tried this
auto=start
reauth=no <-- and tried this in the hope it wouldn't delete the SA's, no luck
keylife=1d <-- last thing is to make rekey time a whole day and ipsec restart once a day
---- 8< ----
Any ideas?
Many thanks!
--
Willem Roos
wroos at shoprite.co.za (+27 21 980 4941, +27 83 703 9310)
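A log check that flags the restart loop described in this post (repeated "restarting CHILD_SA" within a few minutes of each other), added here as an example and not part of the original mail. The sample log lines are constructed to mimic the two quoted above, and the thresholds (3 restarts, at most 10 minutes apart) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog line as written by charon, e.g. "Sep 3 09:05:13 host charon: 06[IKE] msg"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ charon: \d+\[IKE\] (?P<msg>.*)$')
RESTART_RE = re.compile(r'restarting CHILD_SA (?P<conn>\S+)')

# Constructed sample: the aws-2-onprem loop at ~3 min, plus one unrelated restart.
SAMPLE_LOG = """\
Sep 3 09:05:13 strongswan-prod charon: 06[IKE] giving up after 5 retransmits
Sep 3 09:05:13 strongswan-prod charon: 06[IKE] restarting CHILD_SA aws-2-onprem
Sep 3 09:05:14 strongswan-prod charon: 07[IKE] CHILD_SA aws-2-onprem{3} established
Sep 3 09:08:14 strongswan-prod charon: 08[IKE] giving up after 5 retransmits
Sep 3 09:08:14 strongswan-prod charon: 08[IKE] restarting CHILD_SA aws-2-onprem
Sep 3 09:11:15 strongswan-prod charon: 09[IKE] giving up after 5 retransmits
Sep 3 09:11:15 strongswan-prod charon: 09[IKE] restarting CHILD_SA aws-2-onprem
Sep 3 09:14:16 strongswan-prod charon: 10[IKE] giving up after 5 retransmits
Sep 3 09:14:16 strongswan-prod charon: 10[IKE] restarting CHILD_SA aws-2-onprem
Sep 3 09:30:00 strongswan-prod charon: 11[IKE] restarting CHILD_SA branch-b
""".splitlines()


def parse_restarts(lines, year=2015):
    """Map connection name -> list of datetimes at which charon restarted its CHILD_SA.
    Syslog lines carry no year, so one is supplied (assumed) to build datetimes."""
    restarts = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        r = RESTART_RE.search(m.group('msg'))
        if not r:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        restarts[r.group('conn')].append(ts)
    return dict(restarts)


def flapping(restarts, min_restarts=3, max_gap_s=600):
    """Return {conn: mean seconds between restarts} for connections restarted at
    least min_restarts times with every consecutive pair closer than max_gap_s."""
    flagged = {}
    for conn, times in restarts.items():
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_restarts and all(g <= max_gap_s for g in gaps):
            flagged[conn] = sum(gaps) / len(gaps)
    return flagged


if __name__ == "__main__":
    for conn, mean_gap in flapping(parse_restarts(SAMPLE_LOG)).items():
        print(f"{conn}: CHILD_SA restart loop, mean interval {mean_gap:.0f}s")
```

Feed it `journalctl -u strongswan` or the syslog file charon writes to; a connection that shows up here after its first rekey is worth correlating with the ASA's own IKE debug output rather than papering over with a daily restart.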