[strongSwan] roadwarrior ike/esp SA are not dropped after lifetime expiration
Giuseppe De Marco
giuseppe.demarco at unical.it
Mon Jan 8 19:06:00 CET 2018
Ciao Marco,
Probably I'm wrong but I think that the Dead Peer Detection feature could
be helpful for you:

    # dead-peer detection to clear any "dangling" connections in case
    # the client unexpectedly disconnects
    dpdaction=clear
    # If the tunnel has no traffic for this long (default 30 secs), Charon
    # will send a dead peer detection packet. The value 0 means to not send
    # such packets, relying on ordinary traffic, which will occur at least
    # once an hour, which is the default rekeying lifetime.
    dpddelay=33s
    # DPD Retries : 3
    dpdtimeout=300s
2018-01-08 17:12 GMT+01:00 Marco Berizzi <pupilla at hotmail.com>:
> Hello everyone,
>
> I'm running strongswan 5.6.1 on slackware linux 64 bit
> I have found a little problem with my setup. Sometimes
> mobile users main mode and quick mode are not dropped
> after ike/esp lifetime. Here is my config setup:
>
> conn rw-mobile
>     right=%any
>     compress=yes
>     leftcert=osw-cert.pem
>     leftupdown=/etc/ipsec.d/updown/_updown.strongswan.X11
>     keylife=80m
>     ikelifetime=8h
>     rekey=no
>     keyingtries=1
>     leftid=fsw-ve at aive.it
>     ike=aes128-sha1-modp1024,aes128-sha1-modp2048,aes256-sha384-ecp384
>     esp=aes128-sha1-modp1024,aes128-sha1-modp2048,aes256-sha256-ecp384
>
> conn mobile
>     also=rw-mobile
>     auto=add
>     leftsubnet=10.180.0.0/16
>     rightsubnet=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10
>     left=82.184.99.254
>
> And here is an example of ipsec statusall output:
>
> mobile[393]: ESTABLISHED 3 days ago, 82.184.99.254[CN=Gateway]...195.46.216.198[CN=Jessica]
> mobile[393]: IKEv1 SPIs: 15ae977b997e4475_i 3e72597006e642fe_r*, rekeying disabled
> mobile[393]: IKE proposal: AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
> mobile{298}: INSTALLED, TUNNEL, reqid 260, ESP in UDP SPIs: c5a4f249_i a21eed36_o
> mobile{298}: AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 20978 bytes_i (365 pkts, 268111s ago), 417068 bytes_o (373 pkts, 268111s ago), rekeying disabled
> mobile{298}: 10.180.0.0/16 === 10.247.200.180/32
>
> As you can see this IKE/ESP SA is not dropped after more
> than 74 hours.
> The mobile user is defunct but strongswan will not remove
> that IKE/ESP SA until the user reconnects.
>
> Is this the expected behaviour?
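The symptom in the post, an ESP SA whose last traffic is 268111s old while keylife is 80m and rekeying is disabled, can be checked for mechanically. The script below is an added example, not from the thread or the strongSwan project: it parses the CHILD_SA traffic lines of `ipsec statusall` in the format shown above (strongSwan 5.6.1), computes how long each SA has been idle in both directions, and flags those idle longer than the configured ESP lifetime, plus IKE_SAs that report "rekeying disabled". The sample output is constructed from the post with two extra CHILD_SAs (`mobile{301}`, `mobile{305}`) and dummy SPIs added for a negative case and a no-traffic case; `KEYLIFE_S` is the post's keylife=80m.

```python
"""Flag dangling IPsec SAs in `ipsec statusall` output.

Added example, not strongSwan code. Assumes the 5.x statusall format
seen in the thread:
  conn{ID}: ALG, B bytes_i (P pkts, Ts ago), B bytes_o (P pkts, Ts ago), ...
  conn[ID]: IKEv1 SPIs: ..._i ..._r*, rekeying disabled
"""
import re
import sys

KEYLIFE_S = 80 * 60  # keylife=80m from the post's conn rw-mobile

# Constructed sample: mobile{298} is the SA from the post; mobile{301} and
# mobile{305} are invented (dummy SPIs) to give a fresh SA and a never-used SA.
SAMPLE_STATUS = """\
mobile[393]: ESTABLISHED 3 days ago, 82.184.99.254[CN=Gateway]...195.46.216.198[CN=Jessica]
mobile[393]: IKEv1 SPIs: 15ae977b997e4475_i 3e72597006e642fe_r*, rekeying disabled
mobile[393]: IKE proposal: AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
mobile{298}: INSTALLED, TUNNEL, reqid 260, ESP in UDP SPIs: c5a4f249_i a21eed36_o
mobile{298}: AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 20978 bytes_i (365 pkts, 268111s ago), 417068 bytes_o (373 pkts, 268111s ago), rekeying disabled
mobile{298}: 10.180.0.0/16 === 10.247.200.180/32
mobile{301}: INSTALLED, TUNNEL, reqid 261, ESP in UDP SPIs: 0a0a0a0a_i 0b0b0b0b_o
mobile{301}: AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 500 bytes_i (5 pkts, 12s ago), 600 bytes_o (6 pkts, 12s ago), rekeying disabled
mobile{301}: 10.180.0.0/16 === 10.247.200.181/32
mobile{305}: INSTALLED, TUNNEL, reqid 262, ESP in UDP SPIs: 0c0c0c0c_i 0d0d0d0d_o
mobile{305}: AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 0 bytes_i, 0 bytes_o, rekeying disabled
mobile{305}: 10.180.0.0/16 === 10.247.200.182/32
"""

# The "(P pkts, Ts ago)" part is absent when a direction has seen no traffic.
_CHILD_RE = re.compile(
    r"^(?P<conn>[\w-]+)\{(?P<id>\d+)\}: .*?"
    r"(?P<bytes_i>\d+) bytes_i(?: \((?P<pkts_i>\d+) pkts, (?P<secs_i>\d+)s ago\))?, "
    r"(?P<bytes_o>\d+) bytes_o(?: \((?P<pkts_o>\d+) pkts, (?P<secs_o>\d+)s ago\))?"
)
_IKE_RE = re.compile(
    r"^(?P<conn>[\w-]+)\[(?P<id>\d+)\]: IKEv[12] SPIs: .*rekeying disabled"
)


def parse_child_sas(status_text):
    """One dict per CHILD_SA traffic line. idle_s is the age of the most
    recent packet in either direction, or None if the SA never carried traffic."""
    sas = []
    for line in status_text.splitlines():
        m = _CHILD_RE.match(line.strip())
        if not m:
            continue
        secs = [int(s) for s in (m.group("secs_i"), m.group("secs_o")) if s is not None]
        sas.append({
            "conn": m.group("conn"),
            "id": int(m.group("id")),
            "bytes_i": int(m.group("bytes_i")),
            "bytes_o": int(m.group("bytes_o")),
            "idle_s": min(secs) if secs else None,
            "rekeying_disabled": "rekeying disabled" in line,
        })
    return sas


def stale_child_sas(status_text, lifetime_s=KEYLIFE_S):
    """IDs of CHILD_SAs idle longer than the ESP lifetime. With rekey=no the
    SA should be gone by then, so a hit is a dangling SA that only DPD
    (dpdaction=clear) or the peer reconnecting will remove. SAs with no
    traffic at all have no timestamp and are not flagged here."""
    return [sa["id"] for sa in parse_child_sas(status_text)
            if sa["idle_s"] is not None and sa["idle_s"] > lifetime_s]


def ike_sas_without_rekeying(status_text):
    """IDs of IKE_SAs whose status line reports 'rekeying disabled'."""
    return [int(m.group("id")) for line in status_text.splitlines()
            if (m := _IKE_RE.match(line.strip()))]


def report(status_text, lifetime_s=KEYLIFE_S):
    """Human-readable line per CHILD_SA, suffixed with STALE when flagged."""
    lines = []
    for sa in parse_child_sas(status_text):
        idle = sa["idle_s"]
        state = "no traffic yet" if idle is None else f"idle {idle}s"
        flag = " STALE" if idle is not None and idle > lifetime_s else ""
        lines.append(f"{sa['conn']}{{{sa['id']}}}: {state}, "
                     f"in {sa['bytes_i']} B / out {sa['bytes_o']} B{flag}")
    return lines


if __name__ == "__main__":
    # Usage: ipsec statusall | python3 stale_sa.py -   (no "-" runs the sample)
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_STATUS
    for ike_id in ike_sas_without_rekeying(text):
        print(f"IKE_SA [{ike_id}]: rekeying disabled")
    print("\n".join(report(text)))
```

The idle time is the smaller of the inbound and outbound "ago" values, so an SA counts as stale only when neither direction has seen a packet within the lifetime; an SA that never carried traffic has no timestamp in this output and is reported but not flagged, which is the one case a DPD probe would catch and this check cannot.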