[strongSwan] Azure child rekeying loop

Noel Kuntze noel at familie-kuntze.de
Mon Feb 20 08:01:10 CET 2017

The remote side probably uses PFS.
Either set the correct DH group that corresponds to the configuration of the remote side or disable PFS there.

aes256-sha1 != aes256-sha1-modp2048

Am 19. Februar 2017 16:31:08 MEZ schrieb Andrei-Florian Staicu <andrei.staicu at gmail.com>:
>I have a site-to-site tunnel to a private classic Azure.
>It starts and works perfectly but, after after approx 43 minutes (i
>it's the child rekeying interval), it starts looping like this:
>08[KNL] creating rekey job for CHILD_SA ESP/0x066cf00c/<remote>
>06[IKE] establishing CHILD_SA CONNECTION{1}
>06[IKE] establishing CHILD_SA CONNECTION{1}
>06[ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi
>TSr ]
>06[NET] sending packet: from <local>[4500] to <remote>[4500] (220
>14[NET] received packet: from <remote>[4500] to <local>[4500] (76
>14[ENC] parsed CREATE_CHILD_SA response 0 [ N(NO_PROP) ]
>14[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
>14[IKE] failed to establish CHILD_SA, keeping IKE_SA
>14[IKE] CHILD_SA rekeying failed, trying again in 30 seconds
>strongswan statusall:
>Status of IKE charon daemon (strongSwan 5.4.0, Linux
>3.10.0-514.2.2.el7.x86_64, x86_64):
>  uptime: 57 minutes, since Feb 19 16:17:21 2017
>  malloc: sbrk 2703360, mmap 0, used 522128, free 2181232
>  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>scheduled: 5
> loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509
>revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey
>pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm curl attr
>kernel-netlink resolve socket-default farp stroke vici updown
>eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic
>xauth-eap xauth-pam xauth-noauth dhcp
>Listening IP addresses:
>  <local>
>CONNECTION:  <local>...<remote>  IKEv2, dpddelay=30s
>CONNECTION:   local:  [<local>] uses pre-shared key authentication
>CONNECTION:   remote: [<remote>] uses pre-shared key authentication
>CONNECTION:   child: ===
>Security Associations (1 up, 0 connecting):
>CONNECTION[2]: ESTABLISHED 57 minutes ago,
>CONNECTION[2]: IKEv2 SPIs: 01e5013ada90fe24_i 0fa0482414130fad_r*,
>in 6 hours
>CONNECTION[2]: IKE proposal:
>CONNECTION{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c62f2d74_i
>CONNECTION{2}:  AES_CBC_256/HMAC_SHA1_96, 37046 bytes_i (739 pkts, 2s
>36233 bytes_o (741 pkts, 420s ago), rekeying active
>Any idea why it would be doing that, even though the initial connection
>config setup
>  closeaction=restart
>  dpdaction=restart
>  ike=aes256-sha1-modp1024!
>  esp=aes256-sha1!
>  reauth=no
>  keyexchange=ikev2
>  ikelifetime=28800s
>  keylife=3600s
>  keyingtries=%forever
>  authby=secret
>  type=tunnel
>  forceencaps=yes
>  left=<local>
>  leftid=<local>
>  leftsubnet=
>  right=<remote>
>  rightid=<remote>
>  rightsubnet=,
>  auto=start
>Beware of programmers who carry screwdrivers.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170220/4691f3bb/attachment.html>

More information about the Users mailing list