[strongSwan] Strongswan 5.6.3 rekey every 30 seconds

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Jul 24 12:02:13 CEST 2018


Hi,

You can use charon.delete_rekeyed = yes. But the better solution is to check the logs of the CISCO side to understand why it is doing that.

Kind regards

Noel

On 24.07.2018 05:29, Doug Tucker wrote:
>
> Have an issue I've never seen before.  Connecting to a remote Cisco router.  Have verified settings on the cisco, our rekey options look the same.  We get an established connection, then 30 seconds later a rekey happens and it installs under the new one.  This goes on forever.  Here are the logs  showing the original and 1 rekey.  If allowed to continue the number of SA increments as such:
>
>
> Connections:
>     sph-main:  x.x.x.x...x.x.x.x  IKEv1, dpddelay=15s
>     sph-main:   local:  [x.x.x.x] uses pre-shared key authentication
>     sph-main:   remote: [x.x.x.x] uses pre-shared key authentication
>     sph-main:   child:  x.x.0.0/16 === x.x.x.x/28 TUNNEL, dpdaction=clear
> Routed Connections:
>     sph-main{1}:  ROUTED, TUNNEL, reqid 1
>     sph-main{1}:   x.x.0.0/16 === x.x.x.x/28
> Security Associations (1 up, 0 connecting):
>     sph-main[1]: ESTABLISHED 3 minutes ago, x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x]
>     sph-main[1]: IKEv1 SPIs: 6a4fba86489e9e61_i a244a0079084bf87_r*, pre-shared key reauthentication in 7 hours
>     sph-main[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>     sph-main{2}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
>     sph-main{2}:   x.x.0.0/16 === x.x.x.x/28
>     sph-main{3}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
>     sph-main{3}:   x.x.0.0/16 === x.x.x.x/28
>     sph-main{4}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
>     sph-main{4}:   x.x.0.0/16 === x.x.x.x/28
>     sph-main{5}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
>     sph-main{5}:   x.x.0.0/16 === x.x.x.x/28
>     sph-main{6}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
>     sph-main{6}:   x.x.0.0/16 === x.x.x.x/28
>     sph-main{7}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
>     sph-main{7}:   x.x.0.0/16 === x.x.x.x/28
>     sph-main{8}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c781d0ed_i d0a8e566_o
>     sph-main{8}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
>     sph-main{8}:   x.x.0.0/16 === x.x.x.x/28
>
> Here are my logs:
>
>
> Jul 24 03:17:31 ip-x-x-x-x journal: Suppressed 379 messages from /user.slice/user-x0.slice
> Jul 24 03:17:31 ip-x-x-x-x charon: 11[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (34x bytes)
> Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] parsed ID_PROT request 0 [ KE No V V V NAT-D NAT-D ]
> Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received DPD vendor ID
> Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] received unknown vendor ID: 9f:xx:1d:9b:4x:9f:9e:61:5e:40:3x:7e:a5:6a:96:1f
> Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received XAuth vendor ID
> Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] local host is behind NAT, sending keep alives
> Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
> Jul 24 03:17:31 ip-x-x-x-x charon: 11[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (30x bytes)
> Jul 24 03:17:31 ip-x-x-x-x charon: 12[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (10x bytes)
> Jul 24 03:17:31 ip-x-x-x-x charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> Jul 24 03:17:31 ip-x-x-x-x charon: 12[CFG] looking for pre-shared key peer configs matching x.x.x.x...x.x.x.x[x.x.x.x]
> Jul 24 03:17:31 ip-x-x-x-x charon: 12[CFG] selected peer config "sph-main"
> Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] IKE_SA sph-main[1] established between x.x.x.x[13.251.151.1x]...x.x.x.x[x.x.x.x]
> Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] scheduling reauthentication in 2x02xs
> Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] maximum IKE_SA lifetime 2x56xs
> Jul 24 03:17:31 ip-x-x-x-x charon: 12[ENC] generating ID_PROT response 0 [ ID HASH ]
> Jul 24 03:17:31 ip-x-x-x-x charon: 12[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (76 bytes)
> Jul 24 03:17:31 ip-x-x-x-x charon: 14[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (3x0 bytes)
> Jul 24 03:17:31 ip-x-x-x-x charon: 14[ENC] parsed QUICK_MODE request 225x9x7323 [ HASH SA No KE ID ID ]
> Jul 24 03:17:31 ip-x-x-x-x charon: 14[IKE] received 460x000000 lifebytes, configured 0
> Jul 24 03:17:31 ip-x-x-x-x charon: 14[ENC] generating QUICK_MODE response 225x9x7323 [ HASH SA No KE ID ID ]
> Jul 24 03:17:31 ip-x-x-x-x charon: 14[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (396 bytes)
> Jul 24 03:17:31 ip-x-x-x-x charon: 15[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (60 bytes)
> Jul 24 03:17:31 ip-x-x-x-x charon: 15[ENC] parsed QUICK_MODE request 225x9x7323 [ HASH ]
> Jul 24 03:17:31 ip-x-x-x-x charon: 15[IKE] CHILD_SA sph-main{2} established with SPIs cx2f9f6f_i c4cx6290_o and TS x.x.0.0/16 === x.x.x.x/2x
>
>
> Jul 24 03:17:46 ip-x-x-x-x charon: 05[IKE] sending DPD request
> Jul 24 03:17:46 ip-x-x-x-x charon: 05[ENC] generating INFORMATIONAL_V1 request 43665939 [ HASH N(DPD) ]
> Jul 24 03:17:46 ip-x-x-x-x charon: 05[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
> Jul 24 03:17:46 ip-x-x-x-x charon: 07[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
> Jul 24 03:17:46 ip-x-x-x-x charon: 07[ENC] parsed INFORMATIONAL_V1 request 1316377373 [ HASH N(DPD_ACK) ]
> Jul 24 03:1x:01 ip-x-x-x-x charon: 09[IKE] sending DPD request
> Jul 24 03:1x:01 ip-x-x-x-x charon: 09[ENC] generating INFORMATIONAL_V1 request 2941x32606 [ HASH N(DPD) ]
> Jul 24 03:1x:01 ip-x-x-x-x charon: 09[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
> Jul 24 03:1x:01 ip-x-x-x-x charon: 10[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
> Jul 24 03:1x:01 ip-x-x-x-x charon: 10[ENC] parsed INFORMATIONAL_V1 request 465745044 [ HASH N(DPD_ACK) ]
> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (3x0 bytes)
> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[ENC] parsed QUICK_MODE request 1506132661 [ HASH SA No KE ID ID ]
> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[IKE] received 460x000000 lifebytes, configured 0
> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[IKE] detected rekeying of CHILD_SA sph-main{2}
> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[ENC] generating QUICK_MODE response 1506132661 [ HASH SA No KE ID ID ]
> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (396 bytes)
> Jul 24 03:1x:02 ip-x-x-x-x charon: 12[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (60 bytes)
> Jul 24 03:1x:02 ip-x-x-x-x charon: 12[ENC] parsed QUICK_MODE request 1506132661 [ HASH ]
> Jul 24 03:1x:02 ip-x-x-x-x charon: 12[IKE] CHILD_SA sph-main{3} established with SPIs c3cf290a_i 1cab665a_o and TS x.x.0.0/16 === x.x.x.x/2x
>
> Thank you in advance for any insight into resolving this.
>
>
> Sincerely,
>
>
> *Doug Tucker*
>
>
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180724/0476d814/attachment-0001.sig>


More information about the Users mailing list