[strongSwan] IKEv2 connection fails to rekey phase2 tunnel
Tormod Macleod
tormod.macleod at gmail.com
Wed Apr 6 15:37:35 CEST 2016
Hello,
I've created a connection with a client who is using a FortiGate
firewall. The connection comes up and is usable. However, when the phase
two tunnel is due to rekey it fails, as per the logs. The phase one tunnel
remains in place and continues to function.
Unfortunately I do not have the client's config. I have pasted the config
from my side below along with the logs.
Any help or advice would be much appreciated. I have created several
connections between strongSwan and Cisco devices in the past but never
with a FortiGate. I'm not sure if there are any quirky things you have to do
when doing so.
# settings inherited by every conn section below
conn %default
        ikelifetime=1440m
        margintime=3m
        keyingtries=0
        authby=secret
        left=10.129.1.0/24
        leftid=1.2.3.4
        auto=start
        reauth=no
        rekey=no
        dpdaction=hold
        dpddelay=40
        closeaction=hold

# per-peer settings for the FortiGate connection
conn Client1
        keylife=60m
        keyexchange=ikev2
        ike=aes256-sha1-modp1024
        esp=aes128-md5
        leftsubnet=10.129.11.0/29
        right=5.6.7.8
        rightsubnet=10.90.1.0/24
        rightid=10.0.3.239
        dpdtimeout=60s
        dpddelay=5s
Apr 6 13:02:49 localhost charon: 05[KNL] creating rekey job for CHILD_SA ESP/0xc66a8fb2/10.129.1.131
Apr 6 13:02:49 localhost charon: 05[IKE] establishing CHILD_SA Client1{1}
Apr 6 13:02:49 localhost charon: 05[IKE] establishing CHILD_SA Client1{1}
Apr 6 13:02:49 localhost charon: 05[ENC] generating CREATE_CHILD_SA request 200 [ N(REKEY_SA) SA No TSi TSr ]
Apr 6 13:02:49 localhost charon: 05[NET] sending packet: from 10.129.1.131[4500] to 5.6.7.8[4500] (332 bytes)
Apr 6 13:02:49 localhost charon: 07[NET] received packet: from 5.6.7.8[4500] to 10.129.1.131[4500] (76 bytes)
Apr 6 13:02:49 localhost charon: 07[ENC] parsed CREATE_CHILD_SA response 200 [ N(INVAL_SYN) ]
Apr 6 13:02:49 localhost charon: 07[IKE] received INVALID_SYNTAX notify error
Apr 6 13:02:49 localhost charon: 07[IKE] CHILD_SA rekeying failed, trying again in 18 seconds
Many thanks,
Tormod
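Reading the log above programmatically, as an added example that is not part of the original post or of strongSwan: the script correlates each CREATE_CHILD_SA request with the response that carries the same message ID and reports whether the peer accepted the proposal (an SA payload in the response) or rejected it (only a notify, here INVAL_SYN), together with the retry interval charon logs. The sample log is constructed from the lines in the post plus a made-up successful rekey (message ID 201; its SPIs and traffic selectors are invented) for contrast; the placeholder addresses are the post's own.

```python
"""Pick failed CHILD_SA rekeys out of strongSwan charon log output.

Added example for this thread, not part of the original post or of strongSwan.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the first exchange mirrors the post's failing rekey,
# the second is an invented successful rekey added for contrast.
SAMPLE_LOG = """\
Apr 6 13:02:49 localhost charon: 05[KNL] creating rekey job for CHILD_SA ESP/0xc66a8fb2/10.129.1.131
Apr 6 13:02:49 localhost charon: 05[IKE] establishing CHILD_SA Client1{1}
Apr 6 13:02:49 localhost charon: 05[ENC] generating CREATE_CHILD_SA request 200 [ N(REKEY_SA) SA No TSi TSr ]
Apr 6 13:02:49 localhost charon: 05[NET] sending packet: from 10.129.1.131[4500] to 5.6.7.8[4500] (332 bytes)
Apr 6 13:02:49 localhost charon: 07[NET] received packet: from 5.6.7.8[4500] to 10.129.1.131[4500] (76 bytes)
Apr 6 13:02:49 localhost charon: 07[ENC] parsed CREATE_CHILD_SA response 200 [ N(INVAL_SYN) ]
Apr 6 13:02:49 localhost charon: 07[IKE] received INVALID_SYNTAX notify error
Apr 6 13:02:49 localhost charon: 07[IKE] CHILD_SA rekeying failed, trying again in 18 seconds
Apr 6 13:03:07 localhost charon: 09[IKE] establishing CHILD_SA Client1{1}
Apr 6 13:03:07 localhost charon: 09[ENC] generating CREATE_CHILD_SA request 201 [ N(REKEY_SA) SA No TSi TSr ]
Apr 6 13:03:07 localhost charon: 11[ENC] parsed CREATE_CHILD_SA response 201 [ SA No TSi TSr ]
Apr 6 13:03:07 localhost charon: 11[IKE] CHILD_SA Client1{2} established with SPIs c0ffee01_i deadbeef_o and TS 10.129.11.0/29 === 10.90.1.0/24
"""

# syslog prefix, then charon's "<thread>[<group>] <message>" format
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: "
                     r"(?P<thread>\d+)\[(?P<group>\w+)\] (?P<msg>.*)$")
REQ_RE = re.compile(r"generating CREATE_CHILD_SA request (?P<mid>\d+) \[ (?P<payloads>[^\]]*)\]")
RESP_RE = re.compile(r"parsed CREATE_CHILD_SA response (?P<mid>\d+) \[ (?P<payloads>[^\]]*)\]")
RETRY_RE = re.compile(r"CHILD_SA rekeying failed, trying again in (?P<secs>\d+) seconds")
NOTIFY_RE = re.compile(r"^N\((\w+)\)$")


@dataclass
class Exchange:
    mid: int
    ts: str
    request: List[str]                  # payload names in the request
    response: Optional[List[str]] = None
    retry_in: Optional[int] = None

    @property
    def is_rekey(self) -> bool:
        # A CREATE_CHILD_SA that rekeys an existing CHILD_SA carries N(REKEY_SA).
        return "N(REKEY_SA)" in self.request

    @property
    def status(self) -> str:
        if self.response is None:
            return "no-response"
        # An SA payload in the response means the peer picked a proposal;
        # a response made only of notifies is a rejection.
        return "established" if "SA" in self.response else "failed"

    @property
    def error_notify(self) -> Optional[str]:
        if self.status != "failed":
            return None
        for payload in self.response:
            m = NOTIFY_RE.match(payload)
            if m:
                return m.group(1)
        return None


def analyze_charon_log(text: str) -> List[dict]:
    """Return one record per rekey exchange, keyed by IKEv2 message ID."""
    exchanges: Dict[int, Exchange] = {}
    last_rekey: Optional[Exchange] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        if (r := REQ_RE.search(msg)):
            ex = Exchange(int(r["mid"]), m["ts"], r["payloads"].split())
            exchanges[ex.mid] = ex
            if ex.is_rekey:
                last_rekey = ex
        elif (r := RESP_RE.search(msg)):
            ex = exchanges.get(int(r["mid"]))
            if ex is not None:
                ex.response = r["payloads"].split()
        elif (r := RETRY_RE.search(msg)) and last_rekey is not None:
            # charon logs the retry right after the failed rekey it belongs to
            last_rekey.retry_in = int(r["secs"])
    return [{"msgid": e.mid, "ts": e.ts, "status": e.status,
             "error_notify": e.error_notify, "retry_in": e.retry_in}
            for e in exchanges.values() if e.is_rekey]


def failed_rekeys(text: str) -> List[int]:
    """Message IDs of rekey requests the peer rejected."""
    return [e["msgid"] for e in analyze_charon_log(text) if e["status"] == "failed"]


if __name__ == "__main__":
    for record in analyze_charon_log(SAMPLE_LOG):
        print(record)
```

Run against a real charon log (for example `journalctl -u strongswan | python3 rekey_check.py` after swapping SAMPLE_LOG for stdin), a run of "failed" records with the same error notify on every attempt points at the peer rejecting the rekey proposal itself, rather than at a transient network problem.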