[strongSwan] Strongswan 5.6.3 rekey every 30 seconds
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Jul 24 12:02:13 CEST 2018
Hi,
You can use charon.delete_rekeyed = yes. But the better solution is to check the logs of the CISCO side to understand why it is doing that.
Kind regards
Noel
On 24.07.2018 05:29, Doug Tucker wrote:
>
> Have an issue I've never seen before. Connecting to a remote Cisco router. Have verified settings on the cisco, our rekey options look the same. We get an established connection, then 30 seconds later a rekey happens and it installs under the new one. This goes on forever. Here are the logs showing the original and 1 rekey. If allowed to continue the number of SA increments as such:
>
>
> Connections:
> sph-main: x.x.x.x...x.x.x.x IKEv1, dpddelay=15s
> sph-main: local: [x.x.x.x] uses pre-shared key authentication
> sph-main: remote: [x.x.x.x] uses pre-shared key authentication
> sph-main: child: x.x.0.0/16 === x.x.x.x/28 TUNNEL, dpdaction=clear
> Routed Connections:
> sph-main{1}: ROUTED, TUNNEL, reqid 1
> sph-main{1}: x.x.0.0/16 === x.x.x.x/28
> Security Associations (1 up, 0 connecting):
> sph-main[1]: ESTABLISHED 3 minutes ago, x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x]
> sph-main[1]: IKEv1 SPIs: 6a4fba86489e9e61_i a244a0079084bf87_r*, pre-shared key reauthentication in 7 hours
> sph-main[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> sph-main{2}: REKEYED, TUNNEL, reqid 1, expires in 7 hours
> sph-main{2}: x.x.0.0/16 === x.x.x.x/28
> sph-main{3}: REKEYED, TUNNEL, reqid 1, expires in 7 hours
> sph-main{3}: x.x.0.0/16 === x.x.x.x/28
> sph-main{4}: REKEYED, TUNNEL, reqid 1, expires in 7 hours
> sph-main{4}: x.x.0.0/16 === x.x.x.x/28
> sph-main{5}: REKEYED, TUNNEL, reqid 1, expires in 7 hours
> sph-main{5}: x.x.0.0/16 === x.x.x.x/28
> sph-main{6}: REKEYED, TUNNEL, reqid 1, expires in 7 hours
> sph-main{6}: x.x.0.0/16 === x.x.x.x/28
> sph-main{7}: REKEYED, TUNNEL, reqid 1, expires in 7 hours
> sph-main{7}: x.x.0.0/16 === x.x.x.x/28
> sph-main{8}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c781d0ed_i d0a8e566_o
> sph-main{8}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
> sph-main{8}: x.x.0.0/16 === x.x.x.x/28
>
> Here are my logs:
>
>
> Jul 24 03:17:31 ip-x-x-x-x journal: Suppressed 379 messages from /user.slice/user-x0.slice
> Jul 24 03:17:31 ip-x-x-x-x charon: 11[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (34x bytes)
> Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] parsed ID_PROT request 0 [ KE No V V V NAT-D NAT-D ]
> Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received DPD vendor ID
> Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] received unknown vendor ID: 9f:xx:1d:9b:4x:9f:9e:61:5e:40:3x:7e:a5:6a:96:1f
> Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received XAuth vendor ID
> Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] local host is behind NAT, sending keep alives
> Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
> Jul 24 03:17:31 ip-x-x-x-x charon: 11[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (30x bytes)
> Jul 24 03:17:31 ip-x-x-x-x charon: 12[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (10x bytes)
> Jul 24 03:17:31 ip-x-x-x-x charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> Jul 24 03:17:31 ip-x-x-x-x charon: 12[CFG] looking for pre-shared key peer configs matching x.x.x.x...x.x.x.x[x.x.x.x]
> Jul 24 03:17:31 ip-x-x-x-x charon: 12[CFG] selected peer config "sph-main"
> Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] IKE_SA sph-main[1] established between x.x.x.x[13.251.151.1x]...x.x.x.x[x.x.x.x]
> Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] scheduling reauthentication in 2x02xs
> Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] maximum IKE_SA lifetime 2x56xs
> Jul 24 03:17:31 ip-x-x-x-x charon: 12[ENC] generating ID_PROT response 0 [ ID HASH ]
> Jul 24 03:17:31 ip-x-x-x-x charon: 12[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (76 bytes)
> Jul 24 03:17:31 ip-x-x-x-x charon: 14[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (3x0 bytes)
> Jul 24 03:17:31 ip-x-x-x-x charon: 14[ENC] parsed QUICK_MODE request 225x9x7323 [ HASH SA No KE ID ID ]
> Jul 24 03:17:31 ip-x-x-x-x charon: 14[IKE] received 460x000000 lifebytes, configured 0
> Jul 24 03:17:31 ip-x-x-x-x charon: 14[ENC] generating QUICK_MODE response 225x9x7323 [ HASH SA No KE ID ID ]
> Jul 24 03:17:31 ip-x-x-x-x charon: 14[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (396 bytes)
> Jul 24 03:17:31 ip-x-x-x-x charon: 15[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (60 bytes)
> Jul 24 03:17:31 ip-x-x-x-x charon: 15[ENC] parsed QUICK_MODE request 225x9x7323 [ HASH ]
> Jul 24 03:17:31 ip-x-x-x-x charon: 15[IKE] CHILD_SA sph-main{2} established with SPIs cx2f9f6f_i c4cx6290_o and TS x.x.0.0/16 === x.x.x.x/2x
>
>
> Jul 24 03:17:46 ip-x-x-x-x charon: 05[IKE] sending DPD request
> Jul 24 03:17:46 ip-x-x-x-x charon: 05[ENC] generating INFORMATIONAL_V1 request 43665939 [ HASH N(DPD) ]
> Jul 24 03:17:46 ip-x-x-x-x charon: 05[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
> Jul 24 03:17:46 ip-x-x-x-x charon: 07[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
> Jul 24 03:17:46 ip-x-x-x-x charon: 07[ENC] parsed INFORMATIONAL_V1 request 1316377373 [ HASH N(DPD_ACK) ]
> Jul 24 03:1x:01 ip-x-x-x-x charon: 09[IKE] sending DPD request
> Jul 24 03:1x:01 ip-x-x-x-x charon: 09[ENC] generating INFORMATIONAL_V1 request 2941x32606 [ HASH N(DPD) ]
> Jul 24 03:1x:01 ip-x-x-x-x charon: 09[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
> Jul 24 03:1x:01 ip-x-x-x-x charon: 10[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
> Jul 24 03:1x:01 ip-x-x-x-x charon: 10[ENC] parsed INFORMATIONAL_V1 request 465745044 [ HASH N(DPD_ACK) ]
> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (3x0 bytes)
> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[ENC] parsed QUICK_MODE request 1506132661 [ HASH SA No KE ID ID ]
> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[IKE] received 460x000000 lifebytes, configured 0
> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[IKE] detected rekeying of CHILD_SA sph-main{2}
> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[ENC] generating QUICK_MODE response 1506132661 [ HASH SA No KE ID ID ]
> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (396 bytes)
> Jul 24 03:1x:02 ip-x-x-x-x charon: 12[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (60 bytes)
> Jul 24 03:1x:02 ip-x-x-x-x charon: 12[ENC] parsed QUICK_MODE request 1506132661 [ HASH ]
> Jul 24 03:1x:02 ip-x-x-x-x charon: 12[IKE] CHILD_SA sph-main{3} established with SPIs c3cf290a_i 1cab665a_o and TS x.x.0.0/16 === x.x.x.x/2x
>
> Thank you in advance for any insight into resolving this.
>
>
> Sincerely,
>
>
> *Doug Tucker*
>
>
>
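As an added illustration (not code from the thread or from the strongSwan project), the script below turns the symptom described in the quoted post into a check a defender can run over charon syslog lines and `ipsec statusall` output: it measures the interval between successive `CHILD_SA ... established` events per connection and flags a connection whose rekeys arrive far faster than the configured lifetime allows, counts the `detected rekeying of CHILD_SA` notices (which on the responder side indicate the peer initiated the rekey, supporting the advice to look at the Cisco logs), and counts the CHILD_SAs left in `REKEYED` state that `charon.delete_rekeyed = yes` would remove. The sample log and status lines are constructed to match the format of the posted ones; the addresses, SPIs and hostname are placeholders, the 7-hour lifetime is taken from the posted status output, and the 10% tolerance is an assumed threshold.

```python
"""Flag a peer that rekeys a CHILD_SA far more often than its lifetime
permits, using charon syslog lines and `ipsec statusall` output."""
import re
from datetime import datetime
from statistics import median

# Constructed sample lines modelled on the posted logs. Hostname "gw",
# the RFC 5737 addresses and the SPIs are placeholders, not real values.
SAMPLE_LOG = """\
Jul 24 03:17:31 gw charon: 15[IKE] CHILD_SA sph-main{2} established with SPIs c0000001_i c0000002_o and TS 10.0.0.0/16 === 192.0.2.0/28
Jul 24 03:18:02 gw charon: 11[IKE] detected rekeying of CHILD_SA sph-main{2}
Jul 24 03:18:02 gw charon: 12[IKE] CHILD_SA sph-main{3} established with SPIs c0000003_i c0000004_o and TS 10.0.0.0/16 === 192.0.2.0/28
Jul 24 03:18:33 gw charon: 11[IKE] detected rekeying of CHILD_SA sph-main{3}
Jul 24 03:18:33 gw charon: 12[IKE] CHILD_SA sph-main{4} established with SPIs c0000005_i c0000006_o and TS 10.0.0.0/16 === 192.0.2.0/28
Jul 24 03:19:04 gw charon: 11[IKE] detected rekeying of CHILD_SA sph-main{4}
Jul 24 03:19:04 gw charon: 12[IKE] CHILD_SA sph-main{5} established with SPIs c0000007_i c0000008_o and TS 10.0.0.0/16 === 192.0.2.0/28
"""

# Constructed `ipsec statusall` excerpt in the same shape as the posted one.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
   sph-main[1]: ESTABLISHED 3 minutes ago, 192.0.2.1[192.0.2.1]...198.51.100.1[198.51.100.1]
   sph-main{2}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
   sph-main{3}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
   sph-main{4}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
   sph-main{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0000007_i c0000008_o
"""

ESTABLISHED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?\[IKE\] CHILD_SA "
    r"(?P<conn>[^{]+)\{(?P<id>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o")
REKEY_RE = re.compile(r"detected rekeying of CHILD_SA (?P<conn>[^{]+)\{(?P<id>\d+)\}")
STATUS_RE = re.compile(r"^\s*(?P<conn>[^{\[\s]+)\{(?P<id>\d+)\}:\s+(?P<state>[A-Z]+),")


def parse_timestamp(ts, year=2018):
    """Syslog lines carry no year; the caller supplies one (2018 is assumed)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def child_sa_events(log_text):
    """(timestamp, connection, child id) for every CHILD_SA established line."""
    events = []
    for line in log_text.splitlines():
        m = ESTABLISHED_RE.match(line)
        if m:
            events.append((parse_timestamp(m["ts"]), m["conn"], int(m["id"])))
    return events


def rekey_intervals(log_text):
    """Seconds between successive CHILD_SA establishments, per connection."""
    by_conn = {}
    for ts, conn, _ in child_sa_events(log_text):
        by_conn.setdefault(conn, []).append(ts)
    return {conn: [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            for conn, stamps in by_conn.items()}


def rekey_storms(log_text, configured_lifetime_s, tolerance=0.1):
    """Connections whose median rekey interval is below tolerance * lifetime.
    A healthy peer rekeys once per lifetime (minus margin), never every 30 s."""
    storms = {}
    for conn, gaps in rekey_intervals(log_text).items():
        if gaps and median(gaps) < tolerance * configured_lifetime_s:
            storms[conn] = median(gaps)
    return storms


def peer_initiated_rekeys(log_text):
    """Count 'detected rekeying of CHILD_SA' notices per connection; charon
    logs these as responder, so a high count points at the remote side."""
    counts = {}
    for m in REKEY_RE.finditer(log_text):
        counts[m["conn"]] = counts.get(m["conn"], 0) + 1
    return counts


def stale_rekeyed_sas(status_text):
    """CHILD_SAs still in REKEYED state per connection: the entries that
    pile up when the old SA is kept until expiry instead of being deleted."""
    counts = {}
    for line in status_text.splitlines():
        m = STATUS_RE.match(line)
        if m and m["state"] == "REKEYED":
            counts[m["conn"]] = counts.get(m["conn"], 0) + 1
    return counts


if __name__ == "__main__":
    lifetime = 7 * 3600  # "expires in 7 hours" from the posted status output
    for conn, gap in rekey_storms(SAMPLE_LOG, lifetime).items():
        print(f"{conn}: median rekey interval {gap:.0f}s against a {lifetime}s lifetime")
    print("peer-initiated rekeys:", peer_initiated_rekeys(SAMPLE_LOG))
    print("stale REKEYED CHILD_SAs:", stale_rekeyed_sas(SAMPLE_STATUS))
```

On the constructed sample the report shows a 31-second median rekey interval against a 25200-second lifetime, three peer-initiated rekeys and three stale `REKEYED` entries. Running the same functions over the real journal output tells you whether `delete_rekeyed` has merely hidden the accumulation (the stale count drops to zero) or the peer has actually stopped rekeying (the interval returns to the lifetime scale).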