[strongSwan] [strongswan-5.6.0] - Rekey issue
sriram.ec at gmail.com
Wed Apr 25 08:41:06 CEST 2018
We are using strongswan-5.6.1 on our device side and strongswan-5.6.0 on
our security gateway side.
Device works in IPv6-in-IPv4 tunnel mode with a virtual IP. Device IP is
10.196.83.1 and SecGw IP is 10.222.222.199.
We are testing security gateway initiated IKE rekey; the rekey interval is
set to 600s, so rekey happens every 5-6 minutes.
During rekey a CHILD_SA_REQ is sent from the secgw and, in response to that,
new IKE SPIs are exchanged with the device without a tunnel bounce, as
reauth=no is present in the secgw's ipsec.conf. The secgw deletes its OLD
SPI and sends a DELETE payload to the device for deleting its SPI.
This happens successfully every 5-6 mins.
But sometimes we see strange behavior at the secgw side, where immediately
after rekey I am seeing an ICMP port unreachable packet going out from the
secgw. When I look at the corresponding log on the SecGw, the charon daemon
has restarted. So, going ahead, the SecGw doesn't respond to the DELETE
payload sent from the device.
The device sends the same DELETE payload about 10 times (as per the retry
logic) before deciding the SecGw is down and bouncing the tunnel.
What is the reason for the SecGw's charon daemon restart? It doesn't happen
after every rekey, only sometimes.
I have pasted the ipsec.conf's of both the SecGw and the device.
ipsec.conf on device side:
charondebug="ike 0, chd 1, cfg 1, net 1, enc 1, lib 1, mgr 1, knl 1, dmn -1"
ipsec.conf on secgw side:
## ipsec.conf - strongSwan IPsec configuration file
## basic configuration
uniqueids = never
charondebug="ike 4, chd 1, cfg 4, net 1, enc 1, lib 1, mgr 4, knl 1, dmn 1"
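The retry behaviour described in the post (the same DELETE repeated until the peer is declared dead and the tunnel bounced) is governed by charon's retransmission back-off. The following is an added example, not code from the post or from the strongSwan project: it simulates that schedule using the rule strongSwan documents for the charon.retransmit_* settings in strongswan.conf (wait retransmit_timeout * retransmit_base ** n after the n-th transmission, give up after retransmit_tries retransmits, optionally capping each wait with retransmit_limit). The default values are the documented ones; the tries=9 configuration that yields ten copies of the DELETE is an assumption chosen to match the "about 10 times" in the post, and the peer-comes-back scenario is constructed.

```python
"""Simulate the IKEv2 retransmission schedule strongSwan applies to an
exchange whose peer has stopped answering, e.g. a DELETE sent to a gateway
whose charon daemon has just restarted and no longer knows the IKE SA.
Added example; the back-off rule follows strongSwan's documentation for
charon.retransmit_timeout / retransmit_base / retransmit_tries / retransmit_limit."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RetransmitConfig:
    """charon.retransmit_* settings from strongswan.conf (documented defaults)."""
    tries: int = 5        # retransmit_tries: retransmits before giving up
    timeout: float = 4.0  # retransmit_timeout: seconds before the first retransmit
    base: float = 1.8     # retransmit_base: exponential back-off factor
    limit: float = 0.0    # retransmit_limit: cap on a single wait, 0 = no cap


def retransmit_intervals(cfg: RetransmitConfig) -> List[float]:
    """Waiting time after each transmission: timeout * base ** n for the
    n-th transmission (n = 0 is the original message).

    The list has tries + 1 entries: one wait before each retransmit plus the
    final wait after the last retransmit, after which charon gives up.
    """
    intervals = []
    for n in range(cfg.tries + 1):
        interval = cfg.timeout * cfg.base ** n
        if cfg.limit > 0:
            interval = min(interval, cfg.limit)
        intervals.append(interval)
    return intervals


def simulate_exchange(cfg: RetransmitConfig,
                      peer_up_at: Optional[float] = None) -> Tuple[int, float, str]:
    """Run one exchange against a peer that is unreachable until `peer_up_at`
    seconds after the first transmission (None = never answers; constructed).

    Returns (copies_sent, seconds_elapsed, outcome). outcome is 'completed'
    when a copy reached a live peer (RTT ignored), otherwise 'peer_dead':
    the moment charon abandons the exchange and tears down the IKE SA, which
    is the tunnel bounce described in the post.
    """
    t = 0.0
    sent = 0
    for interval in retransmit_intervals(cfg):
        sent += 1                      # original message or a retransmit
        if peer_up_at is not None and t >= peer_up_at:
            return sent, t, "completed"
        t += interval                  # wait for a response that never comes
    return sent, t, "peer_dead"


def seconds_until_dead(cfg: RetransmitConfig) -> float:
    """Time from the first transmission until charon declares the peer dead."""
    return simulate_exchange(cfg)[1]


if __name__ == "__main__":
    default = RetransmitConfig()
    print("default waits:", [round(i, 1) for i in retransmit_intervals(default)])
    print("default, peer never answers:", simulate_exchange(default))
    # Assumed (not from the post): 9 retransmits + the original = 10 copies.
    ten_copies = RetransmitConfig(tries=9)
    print("tries=9:", simulate_exchange(ten_copies))
    # Same, but capping each wait at 30 s so the dead-peer decision comes sooner.
    print("tries=9, limit=30:", simulate_exchange(RetransmitConfig(tries=9, limit=30.0)))
    # Constructed: gateway's charon is back 10 s later; the third copy gets through.
    print("peer back at 10 s:", simulate_exchange(default, peer_up_at=10.0))
```

With the defaults the six copies span about 165 s before the peer is declared dead; with tries=9 and no cap that window grows to roughly 30 minutes, which is why a retransmit_limit is worth setting when the goal is to re-establish quickly after a gateway-side daemon restart.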