[strongSwan] Connection dropped on rekeying
Gilles Printemps
gprintemps at usa.net
Tue Apr 11 16:25:44 CEST 2017
Hi,
With my current configuration I cannot keep a connection open for a long time between my VPN and OS X.
Indeed, each time a “rekey job” is created, the connection to the VPN is dropped and I have to establish it again manually.
Thanks for your help
BR
Log from syslog:
charon: 03[NET] sending packet: from 192.168.0.230[4500] to yy.yy.yy.yy[45075]
charon: 06[KNL] creating rekey job for CHILD_SA ESP/0xzzzzzzzz/yy.yy.yy.yy
charon: 08[IKE] queueing CHILD_REKEY task
charon: 08[IKE] activating new tasks
charon: 08[IKE] activating CHILD_REKEY task
charon: 08[IKE] establishing CHILD_SA IPSec-IKEv2{1}
charon: 08[CFG] proposing traffic selectors for us:
charon: 08[CFG] 0.0.0.0/0
charon: 08[CFG] proposing traffic selectors for other:
charon: 08[CFG] 192.168.0.230/32
charon: 08[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
charon: 08[ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi TSr ]
charon: 08[NET] sending packet: from 192.168.0.230[4500] to yy.yy.yy.yy[45075] (332 bytes)
charon: 03[NET] sending packet: from 192.168.0.230[4500] to yy.yy.yy.yy[45075]
charon: 02[NET] received packet: from yy.yy.yy.yy[45075] to 192.168.0.230[4500]
charon: 02[NET] waiting for data on sockets
charon: 15[NET] received packet: from yy.yy.yy.yy[45075] to 192.168.0.230[4500] (76 bytes)
charon: 15[ENC] parsed INFORMATIONAL request 2 [ D ]
charon: 15[IKE] received DELETE for IKE_SA IPSec-IKEv2[1]
charon: 15[IKE] deleting IKE_SA IPSec-IKEv2[1] between 192.168.0.230[hostname]…yy.yy.yy.yy[user at hostname]
charon: 15[IKE] IKE_SA IPSec-IKEv2[1] state change: ESTABLISHED => DELETING
charon: 15[IKE] IKE_SA deleted
charon: 15[ENC] generating INFORMATIONAL response 2 [ ]
charon: 15[NET] sending packet: from 192.168.0.230[4500] to yy.yy.yy.yy[45075] (76 bytes)
charon: 03[NET] sending packet: from 192.168.0.230[4500] to yy.yy.yy.yy[45075]
charon: 15[IKE] IKE_SA IPSec-IKEv2[1] state change: DELETING => DESTROYING
charon: 15[CFG] lease 192.168.0.230 by ‘user at host' went offline
/etc/ipsec.conf:
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    uniqueids = never

conn %default
    ### General
    lifetime=20m
    ikelifetime=60m
    keyexchange=ikev2
    ### Server
    left=%any
    leftsubnet=0.0.0.0/0
    leftid=<hostname>
    leftcert=<filename>
    leftsendcert=always
    ### Peers
    right=%any
    rightdns=192.168.0.1
    rightsourceip=192.168.0.230-192.168.0.235

conn IPSec-IKEv2
    leftauth=pubkey
    rightauth=pubkey
    auto=add