[strongSwan] roadwarrior IKEv2 PSK reauthentication issue

Lars Alex Pedersen laa at kamstrup.com
Wed Jun 7 11:31:48 CEST 2017


I've got about 100 RW clients connecting to a pfSense 2.2.6 and am
seeing something odd when the clients reauthenticate the IKE_SA. Can
anybody tell me why two different virtual IPs are received within 1 second? On
the pfSense side I see that the same two roadwarriors are "fighting" over
the two virtual IPs, so if one gets 10.75.4.75 the other will get
10.75.4.54.

pfSense WAN IP: 200.100.10.1
rwclient IP: 192.168.248.17

daemon.info charon: 10[IKE] sending keep alive to 200.100.10.1[4500]
daemon.info charon: 11[IKE] reauthenticating IKE_SA roadwarrior[1]
authpriv.info charon: 11[IKE] reauthenticating IKE_SA roadwarrior[1]
daemon.info charon: 11[IKE] installing new virtual IP 10.75.4.75 
daemon.info charon: 11[IKE] initiating IKE_SA roadwarrior[2] to 200.100.10.1
authpriv.info charon: 11[IKE] initiating IKE_SA roadwarrior[2] to
200.100.10.1
daemon.info charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) V ]
daemon.info charon: 11[NET] sending packet: from 192.168.248.17[4500] to
200.100.10.1[4500] (384 bytes)
daemon.info charon: 16[NET] received packet: from 200.100.10.1[4500] to
192.168.248.17[4500] (320 bytes)
daemon.info charon: 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
daemon.info charon: 16[IKE] local host is behind NAT, sending keep alives
daemon.info charon: 16[IKE] authentication of 'rwclient' (myself) with
pre-shared key
daemon.info charon: 16[IKE] establishing CHILD_SA roadwarrior
authpriv.info charon: 16[IKE] establishing CHILD_SA roadwarrior
daemon.info charon: 16[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH
CPRQ(ADDR) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY)
]
daemon.info charon: 16[NET] sending packet: from 192.168.248.17[4500] to
200.100.10.1[4500] (330 bytes)
daemon.info charon: 13[NET] received packet: from 200.100.10.1[4500] to
192.168.248.17[4500] (267 bytes)
daemon.info charon: 13[ENC] parsed IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR)
N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) ]
daemon.info charon: 13[IKE] authentication of 'roadwarriorvpn-1' with
pre-shared key successful
daemon.info charon: 13[IKE] IKE_SA roadwarrior[2] established between
192.168.248.17[rwclient]...200.100.10.1[roadwarriorvpn-1]
authpriv.info charon: 13[IKE] IKE_SA roadwarrior[2] established between
192.168.248.17[rwclient]...200.100.10.1[roadwarriorvpn-1]
daemon.info charon: 13[IKE] scheduling reauthentication in 27604s
daemon.info charon: 13[IKE] maximum IKE_SA lifetime 28204s
daemon.info charon: 13[IKE] installing new virtual IP 10.75.4.54
daemon.info charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not
using ESPv3 TFC padding
daemon.info charon: 13[IKE] CHILD_SA roadwarrior{4} established with SPIs
ca8a86af_i ce37776b_o and TS 10.75.4.54/32 === 10.75.0.0/16
authpriv.info charon: 13[IKE] CHILD_SA roadwarrior{4} established with SPIs
ca8a86af_i ce37776b_o and TS 10.75.4.54/32 === 10.75.0.0/16
daemon.info charon: 13[IKE] received AUTH_LIFETIME of 28167s, scheduling
reauthentication in 27567s
daemon.info charon: 09[IKE] deleting IKE_SA roadwarrior[1] between
192.168.248.17[rwclient]...200.100.10.1[roadwarriorvpn-1]
authpriv.info charon: 09[IKE] deleting IKE_SA roadwarrior[1] between
192.168.248.17[rwclient]...200.100.10.1[roadwarriorvpn-1]
daemon.info charon: 09[IKE] sending DELETE for IKE_SA roadwarrior[1]
daemon.info charon: 09[ENC] generating INFORMATIONAL request 4 [ D ]
daemon.info charon: 09[NET] sending packet: from 192.168.248.17[4500] to
200.100.10.1[4500] (65 bytes)
daemon.info charon: 05[NET] received packet: from 200.100.10.1[4500] to
192.168.248.17[4500] (57 bytes)
daemon.info charon: 05[ENC] parsed INFORMATIONAL response 4 [ ]
daemon.info charon: 05[IKE] IKE_SA deleted
authpriv.info charon: 05[IKE] IKE_SA deleted


Best regards
Lars Alex Pedersen
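To quantify how often this happens across a fleet of clients, the following script (an added example, not part of the original post and not strongSwan code) walks a charon log, collapses the daemon/authpriv duplicate lines syslog emits for the same event, and for every "reauthenticating IKE_SA" it records the virtual IPs installed before the old IKE_SA is deleted. A reauthentication in which more than one distinct address was installed is flagged, which is exactly the 10.75.4.75 / 10.75.4.54 pattern in the log above. The sample log embedded below is a condensed copy of the quoted messages with wrapped lines rejoined; the regexes are my assumptions about the charon message formats shown here.

```python
import re

# Constructed sample: the charon messages quoted in the post, with the
# syslog line wrapping undone so every message sits on one line.
SAMPLE_LOG = """\
daemon.info charon: 10[IKE] sending keep alive to 200.100.10.1[4500]
daemon.info charon: 11[IKE] reauthenticating IKE_SA roadwarrior[1]
authpriv.info charon: 11[IKE] reauthenticating IKE_SA roadwarrior[1]
daemon.info charon: 11[IKE] installing new virtual IP 10.75.4.75
daemon.info charon: 11[IKE] initiating IKE_SA roadwarrior[2] to 200.100.10.1
authpriv.info charon: 11[IKE] initiating IKE_SA roadwarrior[2] to 200.100.10.1
daemon.info charon: 13[IKE] IKE_SA roadwarrior[2] established between 192.168.248.17[rwclient]...200.100.10.1[roadwarriorvpn-1]
daemon.info charon: 13[IKE] installing new virtual IP 10.75.4.54
daemon.info charon: 13[IKE] CHILD_SA roadwarrior{4} established with SPIs ca8a86af_i ce37776b_o and TS 10.75.4.54/32 === 10.75.0.0/16
daemon.info charon: 09[IKE] deleting IKE_SA roadwarrior[1] between 192.168.248.17[rwclient]...200.100.10.1[roadwarriorvpn-1]
authpriv.info charon: 09[IKE] deleting IKE_SA roadwarrior[1] between 192.168.248.17[rwclient]...200.100.10.1[roadwarriorvpn-1]
daemon.info charon: 05[IKE] IKE_SA deleted
"""

# "<facility.level> charon: <thread>[<subsystem>] <message>"  (assumed layout)
LINE_RE = re.compile(r"^\S+\s+charon:\s+\d+\[(?P<sub>\w+)\]\s+(?P<msg>.*)$")
REAUTH_RE = re.compile(r"^reauthenticating IKE_SA (?P<sa>\w+\[\d+\])$")
INIT_RE = re.compile(r"^initiating IKE_SA (?P<sa>\w+\[\d+\]) to ")
VIP_RE = re.compile(r"^installing new virtual IP (?P<ip>[0-9a-fA-F.:]+)$")
DELETING_RE = re.compile(r"^deleting IKE_SA (?P<sa>\w+\[\d+\]) between ")


def iter_messages(log_text):
    """Yield (subsystem, message) per charon line, dropping a line that
    repeats the previous one except for the syslog facility prefix."""
    last = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a charon line, or a wrapped continuation
        cur = (m.group("sub"), m.group("msg"))
        if cur == last:
            continue  # daemon.info / authpriv.info duplicate of the same event
        last = cur
        yield cur


def find_vip_changes(log_text):
    """Return one record per reauthentication: the old and new IKE_SA names,
    the virtual IPs installed while the reauth was in progress, and whether
    more than one distinct address was installed."""
    records = []
    current = None
    for sub, msg in iter_messages(log_text):
        if sub != "IKE":
            continue
        m = REAUTH_RE.match(msg)
        if m:
            current = {"old_sa": m.group("sa"), "new_sa": None, "vips": []}
            records.append(current)
            continue
        if current is None:
            continue  # only track events inside a reauthentication window
        m = INIT_RE.match(msg)
        if m:
            current["new_sa"] = m.group("sa")
            continue
        m = VIP_RE.match(msg)
        if m:
            current["vips"].append(m.group("ip"))
            continue
        m = DELETING_RE.match(msg)
        if m and m.group("sa") == current["old_sa"]:
            current = None  # old IKE_SA torn down: window closed
    for r in records:
        r["changed"] = len(set(r["vips"])) > 1
    return records


if __name__ == "__main__":
    for r in find_vip_changes(SAMPLE_LOG):
        state = "VIP CHANGED" if r["changed"] else "ok"
        print(f"{r['old_sa']} -> {r['new_sa']}: {r['vips']} [{state}]")
```

Run it against the client's full syslog (or, with the same message formats, against the pfSense side) to count how many of the reauthentications per day end up with a different address than the one the client re-installed first; the count of `changed` records is the number of sessions that would have briefly held two addresses.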