[strongSwan] MacOS setting up new IKE_SA instead of using the old (IKEv2)

Harald Dunkel harald.dunkel at aixigo.de
Wed Dec 14 13:08:06 CET 2016


Hi folks,

I have quite a number of MacOS 10.11 and 10.12 road warriors.
The common IPsec gateway is a Linux PC with strongswan 5.5.1.
IKEv2.

The problem is that some Macs lose the IPsec connection while
it is in use. The road warrior is working in an ssh session over
IPsec to another system in our left subnet, for example. He
has to stop typing and to manually click on [connect] in his
network GUI to make it work again. Sometimes the IPsec
connection is lost just a few minutes after creating it.

Looking at the gateway's logfile I see that the Mac creates a
new IKE_SA instead of using the old one. There is no DELETE
message or expired SA or anything.

Logfile is attached, but here is a grep to show what I mean:

% cat /var/log/daemon.log | grep charon | egrep IKE_SA\|CHILD_SA | grep ppcm009
Dec 13 15:28:13 srvl047 charon: 17[IKE] IKE_SA IPSec-IKEv2[7503] established between 2001:db8:13b0:ffff::63[gate1.example.com]...2001:db8:30:fff0:ae87:a3ff:fe30:d869[ppcm009.ws.example.de]
Dec 13 15:29:57 srvl047 charon: 13[IKE] deleting IKE_SA IPSec-IKEv2[7503] between 2001:db8:13b0:ffff::63[gate1.example.com]...2001:db8:30:fff0:ae87:a3ff:fe30:d869[ppcm009.ws.example.de]
Dec 13 15:30:24 srvl047 charon: 27[IKE] IKE_SA IPSec-IKEv2[7508] established between 2001:db8:13b0:ffff::63[gate1.example.com]...2001:db8:30:fff0:ae87:a3ff:fe30:d869[ppcm009.ws.example.de]
Dec 13 16:02:18 srvl047 charon: 18[IKE] destroying duplicate IKE_SA for peer 'ppcm009.ws.example.de', received INITIAL_CONTACT
Dec 13 16:02:18 srvl047 charon: 18[IKE] IKE_SA IPSec-IKEv2[7518] established between 2001:db8:13b0:ffff::63[gate1.example.com]...2001:db8:30:fff0:ae87:a3ff:fe30:d869[ppcm009.ws.example.de]
Dec 13 16:07:10 srvl047 charon: 16[IKE] destroying duplicate IKE_SA for peer 'ppcm009.ws.example.de', received INITIAL_CONTACT
Dec 13 16:07:10 srvl047 charon: 16[IKE] IKE_SA IPSec-IKEv2[7521] established between 2001:db8:13b0:ffff::63[gate1.example.com]...2001:db8:30:fff0:ae87:a3ff:fe30:d869[ppcm009.ws.example.de]
Dec 13 16:13:54 srvl047 charon: 18[IKE] destroying duplicate IKE_SA for peer 'ppcm009.ws.example.de', received INITIAL_CONTACT
Dec 13 16:13:54 srvl047 charon: 18[IKE] IKE_SA IPSec-IKEv2[7524] established between 2001:db8:13b0:ffff::63[gate1.example.com]...2001:db8:30:fff0:ae87:a3ff:fe30:d869[ppcm009.ws.example.de]
Dec 13 16:16:28 srvl047 charon: 09[IKE] destroying duplicate IKE_SA for peer 'ppcm009.ws.example.de', received INITIAL_CONTACT
Dec 13 16:16:28 srvl047 charon: 09[IKE] IKE_SA IPSec-IKEv2[7527] established between 2001:db8:13b0:ffff::63[gate1.example.com]...2001:db8:30:fff0:ae87:a3ff:fe30:d869[ppcm009.ws.example.de]
Dec 13 16:30:20 srvl047 charon: 25[IKE] destroying duplicate IKE_SA for peer 'ppcm009.ws.example.de', received INITIAL_CONTACT
Dec 13 16:30:20 srvl047 charon: 25[IKE] IKE_SA IPSec-IKEv2[7532] established between 2001:db8:13b0:ffff::63[gate1.example.com]...2001:db8:30:fff0:ae87:a3ff:fe30:d869[ppcm009.ws.example.de]
Dec 13 16:37:37 srvl047 charon: 19[IKE] destroying duplicate IKE_SA for peer 'ppcm009.ws.example.de', received INITIAL_CONTACT
Dec 13 16:37:37 srvl047 charon: 19[IKE] IKE_SA IPSec-IKEv2[7533] established between 2001:db8:13b0:ffff::63[gate1.example.com]...2001:db8:30:fff0:ae87:a3ff:fe30:d869[ppcm009.ws.example.de]
Dec 13 16:38:23 srvl047 charon: 05[IKE] destroying duplicate IKE_SA for peer 'ppcm009.ws.example.de', received INITIAL_CONTACT
Dec 13 16:38:23 srvl047 charon: 05[IKE] IKE_SA IPSec-IKEv2[7535] established between 2001:db8:13b0:ffff::63[gate1.example.com]...2001:db8:30:fff0:ae87:a3ff:fe30:d869[ppcm009.ws.example.de]
Dec 13 16:53:59 srvl047 charon: 08[IKE] destroying duplicate IKE_SA for peer 'ppcm009.ws.example.de', received INITIAL_CONTACT
Dec 13 16:53:59 srvl047 charon: 08[IKE] IKE_SA IPSec-IKEv2[7545] established between 2001:db8:13b0:ffff::63[gate1.example.com]...2001:db8:30:fff0:ae87:a3ff:fe30:d869[ppcm009.ws.example.de]


Has anybody seen something similar? Every helpful comment
is highly appreciated.


Harri
-------------- next part --------------
A non-text attachment was scrubbed...
Name: daemon.log
Type: text/x-log
Size: 30414 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20161214/8d8b8e10/attachment-0001.bin>
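To tell these unclean re-establishments apart from ordinary reconnects when looking through a daemon.log like the one above, here is a small added parser (example code, not from the post or from strongSwan). It assumes the charon line formats quoted in the grep output and uses a constructed sample built from them; it records, per peer, how long each IKE_SA lived and whether the old SA was deleted or merely replaced because the peer sent INITIAL_CONTACT.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, in the format of the charon lines quoted in the post.
SAMPLE_LOG = """\
Dec 13 15:28:13 srvl047 charon: 17[IKE] IKE_SA IPSec-IKEv2[7503] established between 2001:db8:13b0:ffff::63[gate1.example.com]...2001:db8:30:fff0:ae87:a3ff:fe30:d869[ppcm009.ws.example.de]
Dec 13 15:29:57 srvl047 charon: 13[IKE] deleting IKE_SA IPSec-IKEv2[7503] between 2001:db8:13b0:ffff::63[gate1.example.com]...2001:db8:30:fff0:ae87:a3ff:fe30:d869[ppcm009.ws.example.de]
Dec 13 15:30:24 srvl047 charon: 27[IKE] IKE_SA IPSec-IKEv2[7508] established between 2001:db8:13b0:ffff::63[gate1.example.com]...2001:db8:30:fff0:ae87:a3ff:fe30:d869[ppcm009.ws.example.de]
Dec 13 16:02:18 srvl047 charon: 18[IKE] destroying duplicate IKE_SA for peer 'ppcm009.ws.example.de', received INITIAL_CONTACT
Dec 13 16:02:18 srvl047 charon: 18[IKE] IKE_SA IPSec-IKEv2[7518] established between 2001:db8:13b0:ffff::63[gate1.example.com]...2001:db8:30:fff0:ae87:a3ff:fe30:d869[ppcm009.ws.example.de]
Dec 13 16:07:10 srvl047 charon: 16[IKE] destroying duplicate IKE_SA for peer 'ppcm009.ws.example.de', received INITIAL_CONTACT
Dec 13 16:07:10 srvl047 charon: 16[IKE] IKE_SA IPSec-IKEv2[7521] established between 2001:db8:13b0:ffff::63[gate1.example.com]...2001:db8:30:fff0:ae87:a3ff:fe30:d869[ppcm009.ws.example.de]
"""

PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[IKE\] "
PAIR = r"[^\[ ]+\[[^\]]+\]\.\.\.[^\[ ]+\[(?P<peer>[^\]]+)\]"
ESTABLISHED = re.compile(PREFIX + r"IKE_SA \S+\[(?P<id>\d+)\] established between " + PAIR)
DELETING = re.compile(PREFIX + r"deleting IKE_SA \S+\[\d+\] between " + PAIR)
DUPLICATE = re.compile(r"destroying duplicate IKE_SA for peer '(?P<peer>[^']+)', received INITIAL_CONTACT")

def analyze(log_text, year=2016):
    """Per peer: each IKE_SA establishment, seconds since the peer's previous one, and
    whether the old SA was deleted or only replaced after an INITIAL_CONTACT arrived."""
    report, last_seen, deleted, dup = defaultdict(list), {}, set(), set()
    for line in log_text.splitlines():
        if m := DUPLICATE.search(line):
            dup.add(m["peer"])                      # gateway dropped an SA it thought alive
        elif m := DELETING.match(line):
            deleted.add(m["peer"])                  # orderly teardown, a DELETE was exchanged
        elif m := ESTABLISHED.match(line):
            peer = m["peer"]
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog has no year
            prev = last_seen.get(peer)
            report[peer].append({
                "sa": int(m["id"]),
                "gap_s": (ts - prev).total_seconds() if prev else None,
                "previous_deleted": (peer in deleted) if prev else None,
                "replaced_via_initial_contact": peer in dup,
            })
            deleted.discard(peer); dup.discard(peer); last_seen[peer] = ts
    return dict(report)

def unclean_reconnects(report):
    """Count, per peer, re-establishments where no DELETE preceded the new INITIAL_CONTACT."""
    counts = {}
    for peer, events in report.items():
        n = sum(e["replaced_via_initial_contact"] and not e["previous_deleted"] for e in events)
        if n:
            counts[peer] = n
    return counts
```

Running `unclean_reconnects(analyze(open("/var/log/daemon.log").read()))` on the real log lists the road warriors whose clients silently started over, and the `gap_s` values show how short-lived each SA was.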