[strongSwan] REKEYING, IKEv1, forever
karthik kumar
kumarkarthikn at gmail.com
Fri Mar 23 12:53:08 CET 2018
Hi,
I am setting up a route-based VPN; the service starts up and the VPN tunnel is
created. I have add=route, and it should have set up the trap and automatically
brought up the tunnel (I am running a ping); not sure why it didn't.
initiating Main Mode IKE_SA Tunnel1[1] to xxxx
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from yyyy[500] to xxxx[500] (240 bytes)
received packet: from xxxx[500] to yyyy[500] (120 bytes)
parsed ID_PROT response 0 [ SA V V ]
received NAT-T (RFC 3947) vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from yyyy[500] to xxxx[500] (308 bytes)
received packet: from xxxx[500] to yyyy[500] (368 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: ec:1a:31:1f:a7:a0:7c:e7:04:8f:96:31:e0:51:78:f2
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
generating ID_PROT request 0 [ ID HASH ]
sending packet: from yyyy[500] to xxxx[500] (76 bytes)
received packet: from xxxx[500] to yyyy[500] (92 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA Tunnel1[1] established between yyyy[yyyy]...xxxx[xxxx]
generating QUICK_MODE request 2763822149 [ HASH SA No KE ID ID ]
sending packet: from yyyy[500] to xxxx[500] (380 bytes)
received packet: from xxxx[500] to yyyy[500] (92 bytes)
parsed INFORMATIONAL_V1 request 1304498435 [ HASH N((24576)) ]
received (24576) notify
received packet: from xxxx[500] to yyyy[500] (396 bytes)
parsed QUICK_MODE response 2763822149 [ HASH SA No KE ID ID N((24576)) ]
received 28800s lifetime, configured 0s
CHILD_SA Tunnel1{2} established with SPIs c9d21ed5_i a0429fc7_o and TS 10.131.0.0/24 === 10.49.0.0/16
connection 'Tunnel1' established successfully
Tunnel1 is in REKEYING state forever. Can someone help me understand
why this is happening?
# swanctl --list-sas
Tunnel1: #2, ESTABLISHED, IKEv1, 9303a91759fd0ade:f595d3cea90f3978
  local 'yyyy' @ yyyy
  remote 'xxxx' @ xxxx
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
  established 2262s ago
  Tunnel1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1536
    installed 2262s ago
    in cc71fb62, 0 bytes, 0 packets
    out 7b6dd570, 185556 bytes, 2209 packets
    local 10.131.0.0/24
    remote 10.49.0.0/16
Tunnel1: #1, REKEYING, IKEv1, cb22de82b36ddf5a:882d6338ccc0a906
  local 'yyyy' @ yyyy
  remote 'xxxx' @ xxxx
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536

# strongswan statusall
Status of IKE charon daemon (strongSwan 5.3.2, Linux 4.9.82-...., x86_64):
  uptime: 3 minutes, since Mar 23 11:46:46 2018
  malloc: sbrk 405504, mmap 0, used 354208, free 51296
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac ctr ccm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
Listening IP addresses:
  ....
Connections:
     Tunnel1:  yyyy...xxxx  IKEv1
     Tunnel1:   local:  [yyyy] uses pre-shared key authentication
     Tunnel1:   remote: [xxxx] uses pre-shared key authentication
     Tunnel1:   child:  10.131.0.0/24 === 10.49.0.0/16 TUNNEL
Routed Connections:
  Tunnel1{1}:  ROUTED, TUNNEL, reqid 1
  Tunnel1{1}:   10.131.0.0/24 === 10.49.0.0/16
Security Associations (0 up, 0 connecting):
  none
Here are my configs:
config setup
    uniqueids=no

conn Tunnel1
    fragmentation=yes
    ikelifetime=60m
    keyingtries=%forever
    keyexchange=ikev1
    authby=secret
    leftauth=psk
    rightauth=psk
    aggressive=no
    dpddelay=60
    dpdtimeout=300
    esp=aes256-sha1-modp1536
    lifetime=3600
    ike=aes256-sha1-modp1536
    ikelifetime=86400
    auto=route
    left=yyyy
    right=xxxx
    leftsubnet=10.131.0.0/24
    rightsubnet=10.49.0.0/16
    mark=100
    leftupdown="/etc/init.d/updown.sh -ln Tunnel1 -ll 169.254.4.1/30 -lr 169.254.4.2/30 -m 100 -r 10.49.0.0/16"

# ip tunnel show Tunnel1
Tunnel1: ip/ip remote xxxx local yyyy ttl inherit nopmtudisc key 100

iptables
-A INPUT -s xxxx/32 -d yyyy/32 -p esp -j MARK --set-xmark 0x64/0xffffffff
-A INPUT -s xxxx/32 -d yyyy/32 -p esp -j MARK --set-xmark 0x64/0xffffffff
-A FORWARD -o Tunnel1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o Tunnel1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

route
10.49.0.0/16 dev Tunnel1 scope link metric 100
I tried with rekey=no and reauth=no. I think the other side is a Cisco ASA
router.
Any ideas what could be causing the rekeying state forever? Is this the
phase 2 IPsec SA rekeying? I was thinking that add=route sets up the trap,
creates the SAs and brings up the tunnel. ip xfrm policy shows the policies
created.
Thanks in advance
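As an added example (not from the post above, nor part of strongSwan), here is a small Python check that parses `swanctl --list-sas` output of the shape quoted above and flags the two things a reviewer would look for in this listing: IKE_SAs that are not in ESTABLISHED state and CHILD_SAs whose inbound counter stays at zero while outbound traffic grows. The sample text is constructed from the post's own listing; the regexes assume the 5.x `swanctl` line layout shown there.

```python
"""Flag stale IKE_SAs and one-way CHILD_SAs in swanctl --list-sas output."""
import re

# Constructed sample modelled on the swanctl output quoted in the post.
SAMPLE = """\
Tunnel1: #2, ESTABLISHED, IKEv1, 9303a91759fd0ade:f595d3cea90f3978
  local 'yyyy' @ yyyy
  remote 'xxxx' @ xxxx
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
  established 2262s ago
  Tunnel1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1536
    installed 2262s ago
    in cc71fb62, 0 bytes, 0 packets
    out 7b6dd570, 185556 bytes, 2209 packets
    local 10.131.0.0/24
    remote 10.49.0.0/16
Tunnel1: #1, REKEYING, IKEv1, cb22de82b36ddf5a:882d6338ccc0a906
  local 'yyyy' @ yyyy
  remote 'xxxx' @ xxxx
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
"""

# IKE_SA lines start at column 0; CHILD_SA and counter lines are indented.
IKE_RE = re.compile(r"^(\S+): #(\d+), ([A-Z_]+), (IKEv[12]),")
CHILD_RE = re.compile(r"^\s+(\S+): #(\d+), reqid (\d+), ([A-Z_]+),")
COUNTER_RE = re.compile(r"^\s+(in|out) [0-9a-f]+, (\d+) bytes, (\d+) packets")

def parse_sas(text):
    """Return IKE_SA dicts (name, id, state, children) in listing order."""
    ikes = []
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            ikes.append({"name": m[1], "id": int(m[2]), "state": m[3], "children": []})
        elif (m := CHILD_RE.match(line)) and ikes:
            ikes[-1]["children"].append(
                {"name": m[1], "id": int(m[2]), "state": m[4], "in": 0, "out": 0})
        elif (m := COUNTER_RE.match(line)) and ikes and ikes[-1]["children"]:
            ikes[-1]["children"][-1][m[1]] = int(m[3])  # packet counter per direction
    return ikes

def findings(text):
    """Report IKE_SAs not ESTABLISHED and CHILD_SAs that send but never receive."""
    out = []
    for ike in parse_sas(text):
        if ike["state"] != "ESTABLISHED":
            out.append(f"IKE_SA {ike['name']} #{ike['id']} stuck in {ike['state']}")
        for c in ike["children"]:
            if c["out"] > 0 and c["in"] == 0:
                out.append(f"CHILD_SA {c['name']} #{c['id']}: {c['out']} packets out, 0 in")
    return out
```

Run against live output (`swanctl --list-sas | python3 check.py` with a small stdin wrapper) in a cron job or monitoring hook; a persistent one-way CHILD_SA is as useful an alert as the lingering IKE_SA.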