[strongSwan] Data traffic gets dropped during ikev2 rekeying after every 28800 secs
george live
georgelive2020 at gmail.com
Tue Dec 8 17:25:23 CET 2020
Hi,
I have strongswan running ikev2 on aws peering with a cisco asa. The tunnel
comes up fine but the problem is whenever the rekeying happens, I see the
data traffic coming down. I have bgp running over IPsec and the tcp reset
happens whenever the reset happens. Is there any known issue with
strongSwan that causes this problem?
Below are some of the traces:
Logs showing the rekeying
======================
1)
cat /var/log/messages | grep 'restarting CHILD_SA'
Dec 8 14:55:40 xxyy charon: 08[IKE] restarting CHILD_SA ABC
Dec 8 14:55:40 xxyy charon: 08[IKE] restarting CHILD_SA ABC
2)
Bgp output showing reset at same time and this is very consistent every
28800 secs
bird> show protocols
name proto table state since info
ABC_BGP BGP master up 14:55:50 Established
bird>
2)
ipsec statusall
no files found matching '/etc/strongswan.conf'
Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.0-116-generic,
x86_64):
uptime: 9 hours, since Dec 08 07:13:17 2020
malloc: sbrk 2416640, mmap 0, used 456256, free 1960384
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 4
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve
socket-default stroke vici updown xauth-generic
Listening IP addresses:
169.254.254.2
a.b.c.d
xx.yy.xx.yy
Connections:
ABC: our_ip...customer_ip IKEv2, dpddelay=10s
ABC: local: [our_ip] uses pre-shared key authentication
ABC: remote: uses pre-shared key authentication
ABC: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Routed Connections:
ABC{1}: ROUTED, TUNNEL, reqid 1
ABC{1}: 0.0.0.0/0 === 0.0.0.0/0
Security Associations (1 up, 0 connecting):
ABC[2]: ESTABLISHED 100 minutes ago,
our_ip[our_ip]...cust_ip[cust_ip]
ABC[2]: IKEv2 SPIs: dbd89039dce34530_i* c205c6cc199e40b9_r, pre-shared
key reauthentication in 6 hours
ABC[2]: IKE proposal:
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
ABC{17}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c069ca3b_i
677c60a0_o
ABC{17}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 70685706 bytes_i
(67965 pkts, 0s ago), 15688776 bytes_o (43835 pkts, 0s ago), rekeying in 35
minutes
ABC{17}: 0.0.0.0/0 === 0.0.0.0/0
ABC{18}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ccde01ee_i
1bea569d_o
ABC{18}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 8469388 bytes_i
(9394 pkts, 0s ago), 5230408 bytes_o (8191 pkts, 0s ago), rekeying in 47
minutes
ABC{18}: 0.0.0.0/0 === 0.0.0.0/0
3) IPSec config
cat /etc/ipsec.conf
config setup
charondebug="ike 1, knl 0, cfg 0"
conn ABC
authby=secret
auto=route
dpddelay=10
dpdtimeout=30
dpdaction=restart
esp=aes256-sha256-modp2048
ike=aes256-sha256-modp2048
ikelifetime=28800s
lifetime=1h
keyexchange=ikev2
keyingtries=%forever
rekey=yes
margintime=9m
# Specifics
left=our_ip # Local private ip
leftsubnet=0.0.0.0/0 # Local VPC Subnet
leftid=our_ip
leftfirewall=yes
rightfirewall=no
right=cust_ip # Remote Tunnel IP
rightid=%any
rightsubnet=0.0.0.0/0 # Remote VPC Subnet
type=tunnel
mark=1000
4)
Charon config
cat /etc/strongswan.d/charon.conf
# Options for the charon IKE daemon.
# Do not install routes, otherwise you'll need to 'ip route del table 220
default' for VTI routing to work
charon {
install_routes = no
install_virtual_ip = no
make_before_break = yes
delete_rekeyed_delay = 10
}
Are there any special configs that will not disrupt the data payload
traffic during the ikev2 rekeying?
Best,
Vick
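Added example (not part of the post above and not strongSwan project code): a small Python script that reads the kind of evidence the post pastes (the conn section of ipsec.conf, the "uptime ... since" line from ipsec statusall, the "restarting CHILD_SA" syslog lines and the BIRD "since" time) and checks whether each restart falls inside the soft rekey/reauth window strongSwan derives from ikelifetime and margintime (documented as lifetime - margintime - random(0, margintime*rekeyfuzz), rekeyfuzz defaulting to 100%). The sample inputs are constructed to match the shapes shown in the post; the script assumes the first IKE_SA was set up at daemon start and that each later SA starts at the previous restart, both labelled in comments.

```python
import re
from datetime import datetime

# Constructed inputs shaped like the post's output; not copied from a live system.
IPSEC_CONF = """\
conn ABC
    auto=route
    dpdaction=restart
    ikelifetime=28800s
    lifetime=1h
    margintime=9m
    rekey=yes
"""
STATUSALL_UPTIME = "uptime: 9 hours, since Dec 08 07:13:17 2020"
SYSLOG = [
    "Dec 8 14:55:40 xxyy charon: 08[IKE] restarting CHILD_SA ABC",
    "Dec 8 14:55:40 xxyy charon: 08[IKE] restarting CHILD_SA ABC",
]
BIRD_SINCE = "14:55:50"

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """ipsec.conf time value: integer with optional s/m/h/d suffix (bare number = seconds)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for the conn sections of an ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, val = line.split("=", 1)
            conns[current][key.strip()] = val.strip()
    return conns


def soft_window(hard_lifetime, margintime, rekeyfuzz=1.0):
    """(earliest, latest) seconds after SA setup at which strongSwan schedules the
    soft event: lifetime - margintime - random(0, margintime * rekeyfuzz)."""
    latest = hard_lifetime - margintime
    earliest = latest - int(margintime * rekeyfuzz)
    return earliest, latest


def parse_syslog_ts(line, year):
    """Syslog timestamps carry no year; the caller supplies it."""
    m = re.match(r"(\w{3})\s+(\d+)\s+(\d\d:\d\d:\d\d)", line)
    return datetime.strptime(f"{year} {m.group(1)} {m.group(2)} {m.group(3)}", "%Y %b %d %H:%M:%S")


def parse_uptime_since(line):
    m = re.search(r"since (\w{3} \d\d \d\d:\d\d:\d\d \d{4})", line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")


def classify_restarts(conf_text, uptime_line, syslog_lines, conn="ABC"):
    """For each distinct 'restarting CHILD_SA' event, report its offset from the
    current SA's setup time and whether that offset lies in the IKE soft window."""
    settings = parse_ipsec_conf(conf_text)[conn]
    ike_hard = parse_duration(settings.get("ikelifetime", "3h"))  # strongSwan default 3h
    margin = parse_duration(settings.get("margintime", "9m"))     # strongSwan default 9m
    lo, hi = soft_window(ike_hard, margin)
    # Assumption: the first IKE_SA came up at daemon start (the 'since' time).
    reference = parse_uptime_since(uptime_line)
    results, seen = [], set()
    for line in syslog_lines:
        if "restarting CHILD_SA" not in line:
            continue
        ts = parse_syslog_ts(line, reference.year)
        if ts in seen:  # the post shows the same line logged twice
            continue
        seen.add(ts)
        offset = int((ts - reference).total_seconds())
        results.append({"time": ts, "offset_s": offset, "in_ike_soft_window": lo <= offset <= hi})
        reference = ts  # Assumption: the replacement SA starts at the restart time.
    return results


def bgp_gap_seconds(restart_ts, bird_since):
    """Seconds between a CHILD_SA restart and BIRD's same-day 'since' (session re-established)."""
    h, mi, s = (int(x) for x in bird_since.split(":"))
    return int((restart_ts.replace(hour=h, minute=mi, second=s) - restart_ts).total_seconds())


if __name__ == "__main__":
    for r in classify_restarts(IPSEC_CONF, STATUSALL_UPTIME, SYSLOG):
        print(r, "BGP re-established after", bgp_gap_seconds(r["time"], BIRD_SINCE), "s")
```

With the sample data the restart lands 27743 s after the reference time, inside the 27720..28260 s window that ikelifetime=28800s and margintime=9m produce, and the BGP session re-establishes 10 s later; that correlation is what the script surfaces, without asserting which side tore the SA down.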