[strongSwan] IKEv2 connection fails to rekey phase2 tunnel

Tormod Macleod tormod.macleod at gmail.com
Wed Apr 6 18:23:33 CEST 2016


Please ignore this. The client had configured PFS despite telling me they
had not.

Sorry for wasting your time

On 6 April 2016 at 14:37, Tormod Macleod <tormod.macleod at gmail.com> wrote:

> Hello,
>
> I've created a connection with a client who is using a fortigate
> firewall. The connection comes up and is usable. However, when the phase
> two tunnel is due to rekey it fails as per the logs. The phase one tunnel
> remains in place and continues to function.
>
> Unfortunately I do not have the client's config. I have pasted the config
> from my side below along with the logs.
>
> Any help or advice would be much appreciated. I have created several
> connections between strongswan and cisco devices in the past but never
> using fortigate. Not sure if there are any quirky things you have to do
> when doing so.
>
> conn %default
>         ikelifetime=1440m
>         margintime=3m
>         keyingtries=0
>         authby=secret
>         left=10.129.1.0/24
>         leftid=1.2.3.4
>         auto=start
>         reauth=no
>         rekey=no
>         dpdaction=hold
>         dpddelay=40
>         closeaction=hold
>
> conn Client1
>         keylife=60m
>         keyexchange=ikev2
>         ike=aes256-sha1-modp1024
>         esp=aes128-md5
>         leftsubnet=10.129.11.0/29
>         right=5.6.7.8
>         rightsubnet=10.90.1.0/24
>         rightid=10.0.3.239
>         dpdtimeout=60s
>         dpddelay=5s
>
> Apr  6 13:02:49 localhost charon: 05[KNL] creating rekey job for CHILD_SA
> ESP/0xc66a8fb2/10.129.1.131
> Apr  6 13:02:49 localhost charon: 05[IKE] establishing CHILD_SA Client1{1}
> Apr  6 13:02:49 localhost charon: 05[IKE] establishing CHILD_SA Client1{1}
> Apr  6 13:02:49 localhost charon: 05[ENC] generating CREATE_CHILD_SA
> request 200 [ N(REKEY_SA) SA No TSi TSr ]
> Apr  6 13:02:49 localhost charon: 05[NET] sending packet: from
> 10.129.1.131[4500] to 5.6.7.8[4500] (332 bytes)
> Apr  6 13:02:49 localhost charon: 07[NET] received packet: from
> 5.6.7.8[4500] to 10.129.1.131[4500] (76 bytes)
> Apr  6 13:02:49 localhost charon: 07[ENC] parsed CREATE_CHILD_SA response
> 200 [ N(INVAL_SYN) ]
> Apr  6 13:02:49 localhost charon: 07[IKE] received INVALID_SYNTAX notify
> error
> Apr  6 13:02:49 localhost charon: 07[IKE] CHILD_SA rekeying failed, trying
> again in 18 seconds
>
> Many thanks,
>
>
> Tormod
>
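The failure pattern above (a CREATE_CHILD_SA rekey request sent with `[ N(REKEY_SA) SA No TSi TSr ]` and no KE payload, answered by INVALID_SYNTAX) is what a peer that insists on PFS returns when the proposal it receives offers no Diffie-Hellman group. The following script is an added example, not code from the thread or from the strongSwan project: it parses the charon lines quoted in the post (rejoined here as a constructed sample) by message ID, checks whether the rekey request carried a KE payload, and flags the combination. The diagnosis rule is an inference from RFC 7296 (PFS for a CHILD_SA is expressed by including KEi in CREATE_CHILD_SA), and the strings `KE` and `N(INVAL_SYN)` are the names charon prints for those payloads.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the charon log lines from the post, with the lines the
# mailer wrapped rejoined. Addresses and SPI are the post's own.
SAMPLE_LOG = """\
Apr  6 13:02:49 localhost charon: 05[KNL] creating rekey job for CHILD_SA ESP/0xc66a8fb2/10.129.1.131
Apr  6 13:02:49 localhost charon: 05[IKE] establishing CHILD_SA Client1{1}
Apr  6 13:02:49 localhost charon: 05[ENC] generating CREATE_CHILD_SA request 200 [ N(REKEY_SA) SA No TSi TSr ]
Apr  6 13:02:49 localhost charon: 05[NET] sending packet: from 10.129.1.131[4500] to 5.6.7.8[4500] (332 bytes)
Apr  6 13:02:49 localhost charon: 07[NET] received packet: from 5.6.7.8[4500] to 10.129.1.131[4500] (76 bytes)
Apr  6 13:02:49 localhost charon: 07[ENC] parsed CREATE_CHILD_SA response 200 [ N(INVAL_SYN) ]
Apr  6 13:02:49 localhost charon: 07[IKE] received INVALID_SYNTAX notify error
Apr  6 13:02:49 localhost charon: 07[IKE] CHILD_SA rekeying failed, trying again in 18 seconds
"""

# Matches charon's ENC lines for CREATE_CHILD_SA exchanges, e.g.
#   "[ENC] generating CREATE_CHILD_SA request 200 [ N(REKEY_SA) SA No TSi TSr ]"
#   "[ENC] parsed CREATE_CHILD_SA response 200 [ N(INVAL_SYN) ]"
EXCHANGE_RE = re.compile(
    r"\[ENC\] (?:generating|parsed) CREATE_CHILD_SA (?P<kind>request|response) "
    r"(?P<msgid>\d+) \[ (?P<payloads>[^\]]*) \]"
)


@dataclass
class Exchange:
    """Request and response payload lists of one CREATE_CHILD_SA message ID."""
    msgid: int
    request: list[str] = field(default_factory=list)
    response: list[str] = field(default_factory=list)


def parse_exchanges(log: str) -> dict[int, Exchange]:
    """Pair CREATE_CHILD_SA requests with their responses by IKE message ID."""
    exchanges: dict[int, Exchange] = {}
    for line in log.splitlines():
        m = EXCHANGE_RE.search(line)
        if not m:
            continue
        ex = exchanges.setdefault(int(m.group("msgid")), Exchange(int(m.group("msgid"))))
        payloads = m.group("payloads").split()
        if m.group("kind") == "request":
            ex.request = payloads
        else:
            ex.response = payloads
    return exchanges


def diagnose(ex: Exchange) -> str:
    """Classify a CHILD_SA rekey exchange from its payload lists.

    A rekey request is one carrying N(REKEY_SA). With PFS configured locally
    (a DH group in the esp= proposal) the request also carries KE; without it
    the peer, if it requires PFS, rejects the proposal (here with INVALID_SYNTAX).
    """
    if "N(REKEY_SA)" not in ex.request:
        return "not_a_rekey"
    rejected = any(p.startswith("N(") for p in ex.response) and "SA" not in ex.response
    offered_pfs = "KE" in ex.request
    if rejected and not offered_pfs:
        # Local side offered no DH group; peer most likely expects PFS.
        return "rekey_without_pfs_rejected"
    if rejected:
        # A DH group was offered but still refused: group mismatch or another cause.
        return "rekey_with_pfs_rejected"
    return "rekey_ok"


def report(log: str) -> dict[int, str]:
    """Run the diagnosis over every CREATE_CHILD_SA exchange in a log."""
    return {msgid: diagnose(ex) for msgid, ex in parse_exchanges(log).items()}


if __name__ == "__main__":
    for msgid, verdict in report(SAMPLE_LOG).items():
        print(f"CREATE_CHILD_SA {msgid}: {verdict}")
```

On the post's log this reports `rekey_without_pfs_rejected` for message 200, which matches the resolution of the thread: the peer had PFS enabled. The corresponding change on the strongSwan side is to append the peer's DH group to the `esp=` proposal (for example `esp=aes128-md5-modp1024`, with the group being whatever the Fortigate is set to); the group is an assumption here, since the client's configuration is not in the thread. Note that `md5` and `modp1024` are legacy choices kept only because they are what the post uses.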