[strongSwan] tunnel not negotiated after keylife expiration
Marco Berizzi
pupilla at hotmail.com
Mon Sep 4 14:51:17 CEST 2017
Hello everyone,
Last week I switched from the old openswan 2.4.15 to strongSwan 5.6.0,
running on Slackware Linux 64 bit with the latest vanilla 4.12.10 kernel.
My setup is very simple. Only IPsec/IKEv1 tunnel with PSK authentication.
/etc/strongswan.d/* is the default except for the following editing:
use_ipv6 = no
half_open_timeout = 90
Here is my ipsec.conf
conn %default
keyingtries=%forever
keyexchange = ikev1
include /etc/ipsec.d/servizitalia.conf
conn servizitalia
left=205.223.229.254
right=156.54.166.66
leftsubnet=10.28.130.32/27
rightsubnet=192.168.42.0/24
authby=secret
auto=start
esp=aes256-sha1
compress=no
leftid=205.223.229.254
rightid=156.54.166.66
keyingtries=%forever
keylife=1h
ikelifetime=8h
ike=aes256-md5-modp1024
I'm now experiencing this behaviour on every tunnel configured on this
strongSwan server.
When I run 'ipsec start', strongSwan will start all the configured tunnels,
but after some time (close to the keylife parameter) the CHILD_SA is deleted
and it is not negotiated anymore.
strongSwan ipsec start:
Sep 1 09:36:50 falcon charon: 12[IKE] initiating Main Mode IKE_SA servizitalia[14] to 156.54.166.66
Sep 1 09:36:50 falcon charon: 10[IKE] IKE_SA servizitalia[14] established between 205.223.229.254[205.223.229.254]...156.54.166.66[156.54.166.66]
Sep 1 09:36:50 falcon charon: 06[IKE] CHILD_SA servizitalia{14} established with SPIs with SPIs c1478566_i ca7492c1_o and TS 10.28.130.32/27 === 192.168.42.0/24
after about 30 minutes:
Sep 1 10:07:17 falcon charon: 06[NET] received packet: from 156.54.166.66[500] to 205.223.229.254[500] (76 bytes)
Sep 1 10:07:17 falcon charon: 06[ENC] parsed INFORMATIONAL_V1 request 1251768816 [ HASH D ]
Sep 1 10:07:17 falcon charon: 06[IKE] received DELETE for ESP CHILD_SA with SPI ca7492c1
Sep 1 10:07:17 falcon charon: 06[IKE] closing CHILD_SA servizitalia{14} with SPIs c1478566_i (0 bytes) ca7492c1_o (0 bytes) and TS 10.28.130.32/27 === 192.168.42.0/24
Sep 1 10:07:17 falcon charon: 10[NET] received packet: from 156.54.166.66[500] to 205.223.229.254[500] (76 bytes)
Sep 1 10:07:17 falcon charon: 10[ENC] parsed INFORMATIONAL_V1 request 3258301735 [ HASH D ]
Sep 1 10:07:17 falcon charon: 10[IKE] received DELETE for IKE_SA servizitalia[14]
Sep 1 10:07:17 falcon charon: 10[IKE] deleting IKE_SA servizitalia[14] between 205.223.229.254[205.223.229.254]...156.54.166.66[156.54.166.66]
at this point, it is not possible anymore to reach the 192.168.42.0/24
network.
Is this the expected behavior?
For now, I have bypassed the problem by changing "auto=start" to
"auto=route" in every connection definition (but packets are lost
while the IPsec SA is negotiated).
Thanks in advance for any feedback
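As an added example (not part of the post, and not strongSwan's own code): a small Python script that replays charon log lines of the kind quoted above and reports, per connection, whether the CHILD_SA was torn down by a peer-initiated DELETE, how long it lived compared with the configured keylife, and whether it stayed down afterwards. The sample log is constructed from the lines in the post; the log year (2017) and the one-minute grace period before a closed tunnel is called "down" are assumptions.

```python
import re
from datetime import datetime, timedelta

# syslog lines carry no year; assumed from the date of the post
LOG_YEAR = 2017

# Constructed sample, modelled on the charon lines quoted in the post and
# trimmed to the ones the detector looks at.
SAMPLE_LOG = """\
Sep 1 09:36:50 falcon charon: 12[IKE] initiating Main Mode IKE_SA servizitalia[14] to 156.54.166.66
Sep 1 09:36:50 falcon charon: 06[IKE] CHILD_SA servizitalia{14} established with SPIs c1478566_i ca7492c1_o and TS 10.28.130.32/27 === 192.168.42.0/24
Sep 1 10:07:17 falcon charon: 06[IKE] received DELETE for ESP CHILD_SA with SPI ca7492c1
Sep 1 10:07:17 falcon charon: 06[IKE] closing CHILD_SA servizitalia{14} with SPIs c1478566_i (0 bytes) ca7492c1_o (0 bytes) and TS 10.28.130.32/27 === 192.168.42.0/24
Sep 1 10:07:17 falcon charon: 10[IKE] received DELETE for IKE_SA servizitalia[14]
Sep 1 10:07:17 falcon charon: 10[IKE] deleting IKE_SA servizitalia[14] between 205.223.229.254[205.223.229.254]...156.54.166.66[156.54.166.66]
"""

_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
_PREFIX = _TS + r" \S+ charon: \d+\[IKE\] "
ESTABLISHED_RE = re.compile(_PREFIX + r"CHILD_SA (?P<conn>[^{\s]+)\{\d+\} established with SPIs")
CLOSING_RE = re.compile(_PREFIX + r"closing CHILD_SA (?P<conn>[^{\s]+)\{\d+\} with SPIs")
PEER_DELETE_RE = re.compile(_PREFIX + r"received DELETE for ESP CHILD_SA")


def parse_ts(text):
    """Parse a syslog timestamp such as 'Sep 1 09:36:50' into a datetime."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S").replace(year=LOG_YEAR)


def audit_child_sas(log_text, keylife=timedelta(hours=1)):
    """Replay charon CHILD_SA events and return, per connection name, the
    state of the most recent CHILD_SA: 'up' or 'closed', its lifetime in
    seconds, whether the peer asked for the close, and whether the close
    came before the configured keylife (i.e. not a local lifetime expiry)."""
    report = {}
    peer_delete_seen = False  # a 'received DELETE for ESP' precedes the close it causes
    for line in log_text.splitlines():
        if PEER_DELETE_RE.search(line):
            peer_delete_seen = True
            continue
        m = ESTABLISHED_RE.search(line)
        if m:
            report[m["conn"]] = {"status": "up", "established": parse_ts(m["ts"]),
                                 "closed": None, "lifetime_s": None,
                                 "closed_by_peer": False, "before_keylife": None}
            continue
        m = CLOSING_RE.search(line)
        if m:
            entry = report.get(m["conn"])
            if entry is None:
                continue  # close for a CHILD_SA this log never saw come up
            closed = parse_ts(m["ts"])
            lifetime = closed - entry["established"]
            entry.update(status="closed", closed=closed,
                         lifetime_s=int(lifetime.total_seconds()),
                         closed_by_peer=peer_delete_seen,
                         before_keylife=lifetime < keylife)
            peer_delete_seen = False
    return report


def down_connections(report, now, grace=timedelta(seconds=60)):
    """Names of connections whose CHILD_SA has been closed for longer than
    `grace` without a new one being established: the failure the post describes."""
    return sorted(name for name, e in report.items()
                  if e["status"] == "closed" and now - e["closed"] >= grace)


if __name__ == "__main__":
    rep = audit_child_sas(SAMPLE_LOG)
    for name, e in rep.items():
        print(f"{name}: {e['status']}, lived {e['lifetime_s']}s, "
              f"closed by peer={e['closed_by_peer']}, before keylife={e['before_keylife']}")
    print("down:", down_connections(rep, now=parse_ts("Sep 1 10:10:00")))
```

Run against the real syslog (`journalctl -u strongswan` or `/var/log/messages`) with `now` set to the current time, a non-empty `down_connections` result is the condition worth alerting on; `before_keylife` and `closed_by_peer` separate a peer-initiated teardown from a local lifetime expiry, which is the distinction needed to decide whether the fix belongs on this side or the remote one.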