[strongSwan] [strongswan-5.6.0] - Rekey issue

Sriram sriram.ec at gmail.com
Wed Apr 25 08:41:06 CEST 2018


Hi,

We are using strongswan-5.6.1 on our device side and strongswan-5.6.0 on
our security gateway side.

Device works in IPv6 in IPv4 Tunnel mode with Virtual IP. Device ip is
10.196.83.1 and SecGw ip is 10.222.222.199.

We are testing Security gateway initiated IKE rekey; rekey interval is set
to 600s. So every 5-6 mins, rekey happens.

During rekey CHILD_SA_REQ is sent from secgw and in response to that device
sends CHILD_SA_RESPONSE.

New IKE SPIs are exchanged without tunnel bounce as reauth=no is present
in secgw's ipsec.conf. Secgw deletes its OLD SPI and sends DELETE Payload
to device for deleting its SPI.

This happens successfully every 5-6 mins.

But sometimes we see strange behavior at the secgw side, where immediately
after rekey, I'm seeing an icmp port unreachable packet going out from secgw
towards device.

When I see the corresponding log in SecGw, charon daemon has restarted. So
going ahead, SecGW doesn't respond to the DELETE payload sent from Device.
Device sends the same DELETE payload about 10 times (as per the retry
logic), before deciding SecGW is down and bouncing the tunnel.

What is the reason for SecGw's charon daemon restart? It doesn't happen
after every rekey, only sometimes.

I have pasted the ipsec.conf files of both SecGw and Device.



ipsec.conf on device side
======================

config setup
        charondebug="ike 0, chd 1, cfg 1, net 1, enc 1, lib 1, mgr 1, knl 1, dmn -1"
        uniqueids=no

conn home
        left=10.196.83.1
        leftauth=pubkey
        leftid=serialnum.abc.com
        leftcert=/tmp/certSecure/certs/cert.pem
        authby=pubkey
        leftsourceip=%config6
        leftfirewall=yes
        ike=aes256-sha1-prfsha1-modp2048!
        esp=aes256-sha1!
        right=10.222.222.199 #1
        rightsubnet=::0/0
        rightid=%any
        auto=add
        dpddelay=20s
        dpdaction=clear
        ikelifetime=86400s
        lifetime=36000s
        reauth=no
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2



ipsec.conf on secgw side
=======================

## ipsec.conf - strongSwan IPsec configuration file
#
## basic configuration
#
config setup
        # strictcrlpolicy=yes
        uniqueids = never
        charondebug="ike 4, chd 1, cfg 4, net 1, enc 1, lib 1, mgr 4, knl 1, dmn 1"

conn home
        left=10.222.222.199
        leftid=cert.secgw.com
        leftcert=/etc/data/secgw_cert.pem
        right=%any
        rightid=%any
        ike=aes256-sha1-prfsha1-modp2048
        esp=aes256-sha1!
        mobike=no
        ikelifetime=600s
        lifetime=6000s
        auto=add
        reauth=no
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        authby=pubkey
        dpdaction=clear
        leftsubnet=::0/0
        rightdns=2001:0:0:1::202
        rightsourceip=2001:0:0:15::/64

Regards,

Sriram
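Added here as an illustration, not part of the post: a small Python check that parses the timing keys of the two ipsec.conf fragments above and computes each peer's rekey window using strongSwan's rekeymargin/rekeyfuzz rule (rekey starts at lifetime minus the margin, with the margin randomly increased by up to rekeyfuzz percent). The defaults rekeyfuzz=100%, ikelifetime=3h, lifetime=1h and rekeymargin=9m are assumed from the ipsec.conf man page. It confirms that with ikelifetime=600s on the gateway and 86400s on the device, the gateway always initiates the IKE rekey, roughly every 4 to 7 minutes.

```python
import re
# Timing-relevant ipsec.conf fragments copied from the post (constructed test input).
DEVICE_CONF = """
conn home
    right=10.222.222.199 #1
    ikelifetime=86400s
    lifetime=36000s
    rekeymargin=3m
"""
SECGW_CONF = """
conn home
    ikelifetime=600s
    lifetime=6000s
    rekeymargin=3m
"""
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
DEFAULTS = {"ikelifetime": "3h", "lifetime": "1h", "rekeymargin": "9m"}  # assumed man-page defaults

def parse_time(value):
    """Convert an ipsec.conf time value such as '3m' or '600s' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_conn(text, name):
    """Return the key=value settings of one conn section; '#' starts a comment."""
    settings, active = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            active = line.split()[1] == name
        elif active and "=" in line:
            key, _, val = line.partition("=")
            settings[key.strip()] = val.strip()
    return settings

def rekey_window(conn, key, rekeyfuzz=100):
    """(earliest, latest) rekey time in seconds for key 'ikelifetime' (IKE_SA)
    or 'lifetime' (CHILD_SA): lifetime - margin, with the margin randomly
    increased by up to rekeyfuzz percent (default 100%)."""
    lifetime = parse_time(conn.get(key, DEFAULTS[key]))
    margin = parse_time(conn.get("rekeymargin", DEFAULTS["rekeymargin"]))
    if margin >= lifetime:
        raise ValueError(f"rekeymargin {margin}s is not below {key} {lifetime}s")
    return lifetime - margin * (100 + rekeyfuzz) // 100, lifetime - margin

def expected_initiator(device, secgw, key):
    """Which peer's rekey timer fires first; 'either' when the windows overlap."""
    d_lo, d_hi = rekey_window(device, key)
    s_lo, s_hi = rekey_window(secgw, key)
    return "device" if d_hi < s_lo else "secgw" if s_hi < d_lo else "either"
```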