[strongSwan] Data traffic gets dropped during ikev2 rekeying after every 28800 secs

george live georgelive2020 at gmail.com
Wed Dec 23 19:52:59 CET 2020


Hi Volodymyr,
I disabled reauth and that fixed the problem.

Thanks,
George

On Tue, Dec 8, 2020 at 8:25 AM george live <georgelive2020 at gmail.com> wrote:

> Hi,
> I have strongswan running ikev2 on aws peering with a cisco asa. The
> tunnel comes up fine but the problem is whenever the rekeying happens, I
> see the data traffic coming down. I have bgp running over IPsec and the tcp
> reset happens whenever the reset happens. Is there any known issue with
> Strongswan that causes this problem?
>
> Below are some of the traces:
>
> Logs showing the rekeying
> ======================
>
> 1)
>
> cat /var/log/messages | grep 'restarting CHILD_SA'
> Dec  8 14:55:40 xxyy charon: 08[IKE] restarting CHILD_SA ABC
> Dec  8 14:55:40 xxyy charon: 08[IKE] restarting CHILD_SA ABC
>
> 2)
>
> Bgp output showing reset at same time and this is very consistent every 28800 secs
>
> bird> show protocols
> name     proto    table    state  since       info
> ABC_BGP BGP      master   up     14:55:50    Established
> bird>
>
> 2)
>
> ipsec statusall
> no files found matching '/etc/strongswan.conf'
> Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.0-116-generic, x86_64):
>   uptime: 9 hours, since Dec 08 07:13:17 2020
>   malloc: sbrk 2416640, mmap 0, used 456256, free 1960384
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
>   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
> Listening IP addresses:
>   169.254.254.2
>   a.b.c.d
>   xx.yy.xx.yy
> Connections:
>     ABC:  our_ip...customer_ip  IKEv2, dpddelay=10s
>     ABC:   local:  [our_ip] uses pre-shared key authentication
>     ABC:   remote: uses pre-shared key authentication
>     ABC:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
> Routed Connections:
>     ABC{1}:  ROUTED, TUNNEL, reqid 1
>     ABC{1}:   0.0.0.0/0 === 0.0.0.0/0
> Security Associations (1 up, 0 connecting):
>     ABC[2]: ESTABLISHED 100 minutes ago, our_ip[our_ip]...cust_ip[cust_ip]
>     ABC[2]: IKEv2 SPIs: dbd89039dce34530_i* c205c6cc199e40b9_r, pre-shared key reauthentication in 6 hours
>     ABC[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>     ABC{17}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c069ca3b_i 677c60a0_o
>     ABC{17}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 70685706 bytes_i (67965 pkts, 0s ago), 15688776 bytes_o (43835 pkts, 0s ago), rekeying in 35 minutes
>     ABC{17}:   0.0.0.0/0 === 0.0.0.0/0
>     ABC{18}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ccde01ee_i 1bea569d_o
>     ABC{18}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 8469388 bytes_i (9394 pkts, 0s ago), 5230408 bytes_o (8191 pkts, 0s ago), rekeying in 47 minutes
>     ABC{18}:   0.0.0.0/0 === 0.0.0.0/0
>
> 3) IPSec config
>
> cat /etc/ipsec.conf
>
> config setup
>     charondebug="ike 1, knl 0, cfg 0"
>
> conn ABC
>     authby=secret
>     auto=route
>     dpddelay=10
>     dpdtimeout=30
>     dpdaction=restart
>     esp=aes256-sha256-modp2048
>     ike=aes256-sha256-modp2048
>     ikelifetime=28800s
>     lifetime=1h
>     keyexchange=ikev2
>     keyingtries=%forever
>     rekey=yes
>     margintime=9m
>     # Specifics
>     left=our_ip            # Local private ip
>     leftsubnet=0.0.0.0/0   # Local VPC Subnet
>     leftid=our_ip
>     leftfirewall=yes
>     rightfirewall=no
>     right=cust_ip          # Remote Tunnel IP
>     rightid=%any
>     rightsubnet=0.0.0.0/0  # Remote VPC Subnet
>     type=tunnel
>     mark=1000
>
> 4)
>
> Charon config
>
> cat /etc/strongswan.d/charon.conf
> # Options for the charon IKE daemon.
> # Do not install routes, otherwise you'll need to 'ip route del table 220 default' for VTI routing to work
> charon {
>          install_routes = no
>          install_virtual_ip = no
>          make_before_break = yes
>          delete_rekeyed_delay = 10
> }
>
> Are there any special configs that will not disrupt the data payload traffic during the ikev2 rekeying ?
>
> Best,
> Vick
>
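An added example, not part of the thread or of strongSwan: a small Python checker that reads ipsec.conf conn sections and `ipsec statusall` output and flags IKEv2 connections that will reauthenticate (tear down the IKE_SA and its CHILD_SAs every ikelifetime) instead of rekeying in place. It relies on two facts visible here: ipsec.conf's `reauth` option defaults to yes when absent, and the quoted statusall shows "reauthentication in 6 hours" on the IKE_SA line while the CHILD_SA lines show "rekeying in". The config and status text below are constructed from the values quoted in the thread; the function names are my own.

```python
import re

# Constructed excerpt modelled on the conn ABC quoted in this thread (no reauth= line present).
IPSEC_CONF = """\
conn ABC
    keyexchange=ikev2
    ikelifetime=28800s
    rekey=yes
"""

# Constructed excerpt of the `ipsec statusall` output quoted in this thread.
STATUSALL = """\
Security Associations (1 up, 0 connecting):
    ABC[2]: IKEv2 SPIs: dbd89039dce34530_i* c205c6cc199e40b9_r, pre-shared key reauthentication in 6 hours
"""

def parse_conns(text):
    """Map conn name -> {key: value} from ipsec.conf; settings are indented, '#' starts a comment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():              # section header: 'conn NAME', 'config setup', ...
            m = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def ike_sas_pending_reauth(status):
    """Names of IKE_SAs whose statusall line says 'reauthentication in' rather than 'rekeying in'."""
    pat = re.compile(r"^\s*(\S+)\[\d+\]:.*\breauthentication in\b", re.M)
    return sorted({m.group(1) for m in pat.finditer(status)})

def audit(conf_text, status_text):
    """Return {conn: [reasons]} for IKEv2 conns that will reauthenticate instead of rekeying in place."""
    findings, pending = {}, set(ike_sas_pending_reauth(status_text))
    for name, conn in parse_conns(conf_text).items():
        if conn.get("keyexchange", "ike").lower() == "ikev1":   # 'ike' selects IKEv2 in strongSwan 5
            continue
        reasons = []
        if conn.get("reauth", "yes").lower() != "no":           # ipsec.conf: reauth defaults to yes
            reasons.append("reauth not set to no: a new IKE_SA with new CHILD_SAs replaces the old one "
                           "every ikelifetime (%s)" % conn.get("ikelifetime", "default"))
        if name in pending:
            reasons.append("ipsec statusall already schedules reauthentication for this IKE_SA")
        if reasons:
            findings[name] = reasons
    return findings
```

Run against a live box with `audit(open("/etc/ipsec.conf").read(), subprocess.check_output(["ipsec", "statusall"], text=True))`; an empty result means every IKEv2 conn has `reauth=no` and no IKE_SA is scheduled for reauthentication.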