[strongSwan] Disconnect issue with Windows native client

Chris Sherry smilinjoe at gmail.com
Thu May 7 17:57:18 CEST 2020


I have an issue that's a bit off topic, but I am not finding any answers
elsewhere.

I have a VPN solution that uses Fortinet firewalls as the IKEv2 dialup
server. Most of the clients are using the native OS VPN client. Android and
Linux use strongSwan as the client. My issue is all my Windows clients
disconnect just short of 8 hours. I have been troubleshooting this with
Microsoft, and we have collected traces/logs/debugs/pcaps of both the start
of the sessions and the disconnect. What we are seeing is the client
sending a CREATE_CHILD request around 10 mins before disconnect:

2020-04-29 08:07:48.412159 ike 3: comes
<CLIENT>:64916-><SERVER>:4500,ifindex=8....
2020-04-29 08:07:48.412193 ike 3: IKEv2 exchange=CREATE_CHILD
id=5d8de86e535542e2/948c1c910eb938e4:00000017 len=84
2020-04-29 08:07:48.412223 ike 3: in
5D8DE86E535542E2948C1C910EB938E435202408000000170000005400000038000200024A4594698B4D940D0EA2EA504C7581121DF2E0A27C11B3252D16C24673261A81E6F18EE6D334F2CAB4E7EE4462D2D948
2020-04-29 08:07:48.412275 ike 3:ikev2_vpn_0:109665: request msgid = 23,
expected 24

This happens 10 times and then the client disconnects.

Phase 1 negotiates with a lifetime of 86400 (24 hours):

2020-04-29 00:25:38.418147 ike 3:5d8de86e535542e2/0000000000000000:109665:
matched proposal id 4
2020-04-29 00:25:38.418174 ike 3:5d8de86e535542e2/0000000000000000:109665:
proposal id = 4:
2020-04-29 00:25:38.418196 ike 3:5d8de86e535542e2/0000000000000000:109665:
  protocol = IKEv2:
2020-04-29 00:25:38.418218 ike 3:5d8de86e535542e2/0000000000000000:109665:
     encapsulation = IKEv2/none
2020-04-29 00:25:38.418265 ike 3:5d8de86e535542e2/0000000000000000:109665:
        type=ENCR, val=AES_CBC (key_len = 256)
2020-04-29 00:25:38.418288 ike 3:5d8de86e535542e2/0000000000000000:109665:
        type=INTEGR, val=AUTH_HMAC_SHA2_256_128
2020-04-29 00:25:38.418310 ike 3:5d8de86e535542e2/0000000000000000:109665:
        type=PRF, val=PRF_HMAC_SHA2_256
2020-04-29 00:25:38.418332 ike 3:5d8de86e535542e2/0000000000000000:109665:
        type=DH_GROUP, val=MODP1024.
2020-04-29 00:25:38.418354 ike 3:5d8de86e535542e2/0000000000000000:109665:
lifetime=86400
2020-04-29 00:25:38.418380 ike 3:5d8de86e535542e2/0000000000000000:109665:
SA proposal chosen, matched gateway ikev2_vpn

...and Phase 2:

2020-04-29 00:26:08.041641 ike 3:ikev2_vpn:109665:ikev2_vpn:42893: matched
proposal id 1
2020-04-29 00:26:08.041664 ike 3:ikev2_vpn:109665:ikev2_vpn:42893: proposal
id = 1:
2020-04-29 00:26:08.041686 ike 3:ikev2_vpn:109665:ikev2_vpn:42893:
protocol = ESP:
2020-04-29 00:26:08.041708 ike 3:ikev2_vpn:109665:ikev2_vpn:42893:
 encapsulation = TUNNEL
2020-04-29 00:26:08.041730 ike 3:ikev2_vpn:109665:ikev2_vpn:42893:
type=ENCR, val=AES_CBC (key_len = 256)
2020-04-29 00:26:08.041752 ike 3:ikev2_vpn:109665:ikev2_vpn:42893:
type=INTEGR, val=SHA
2020-04-29 00:26:08.041774 ike 3:ikev2_vpn:109665:ikev2_vpn:42893:
type=ESN, val=NO
2020-04-29 00:26:08.041796 ike 3:ikev2_vpn:109665:ikev2_vpn:42893:
PFS is disabled
2020-04-29 00:26:08.041818 ike 3:ikev2_vpn:109665:ikev2_vpn:42893:
lifetime=43200

Auth is PEAP or EAP-MS-CHAPV2.

Any ideas on this? MS doesn't seem to understand what's going on; they are
keying in on the "2020-04-29 08:07:48.412275 ike 3:ikev2_vpn_0:109665:
request msgid = 23, expected 24" error. I'd like to know what that means as
well. At this point I am just asking to extend the disconnect to, say, 12
hours so our users can get through a work day without being disconnected.

Thanks,
Chris.
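The raw bytes after "in" in the debug output above are the complete IKEv2 packet as received, and decoding their fixed header is the quickest way to check what the gateway's summary line and the "msgid = 23, expected 24" message actually refer to. The following is an added example (not code from the post, from strongSwan or from Fortinet): it parses the 28-byte IKEv2 header per RFC 7296 section 3.1, reads the fragment number/total when the first payload is an Encrypted Fragment (SKF, RFC 7383), and applies a simplified responder-side Message ID check modelled on RFC 7296 section 2.3, where Message IDs are a per-direction counter and a request with an ID below the expected one is a retransmission of something already answered. Run on the packet from the post it shows exchange type 36 (CREATE_CHILD_SA), Message ID 23, length 84, initiator flag set and response flag clear, matching the log's summary, and that this packet is fragment 2 of 2 of a fragmented request. The window logic is a simplified model and is an assumption about how any given implementation behaves.

```python
"""Decode a raw IKEv2 message header and apply a responder-side Message ID check.

Added example; not code from the mailing-list post, strongSwan or Fortinet.
The sample packet is the hex dump from the post's debug output.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Exchange types, RFC 7296 section 3.1
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
# Payload types relevant here: SK (RFC 7296) and SKF (RFC 7383, IKEv2 fragmentation)
PAYLOAD_TYPES = {0: "NONE", 46: "SK", 53: "SKF"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
IKE_HEADER_LEN = 28


@dataclass
class IkeHeader:
    spi_i: str
    spi_r: str
    next_payload: str
    version: str
    exchange: str
    from_initiator: bool
    is_response: bool
    message_id: int
    length: int                           # Length field carried in the header
    actual_len: int                       # bytes actually present in the capture
    fragment: Optional[Tuple[int, int]]   # (fragment number, total) when first payload is SKF


def parse_ike_header(data: bytes) -> IkeHeader:
    """Parse the fixed IKEv2 header and, if the first payload is an Encrypted
    Fragment (SKF), the fragment number / total fragments (RFC 7383 section 2.5)."""
    if len(data) < IKE_HEADER_LEN:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, np, ver, ex, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", data[:IKE_HEADER_LEN])
    fragment = None
    if np == 53 and len(data) >= IKE_HEADER_LEN + 8:
        # generic payload header (next payload, C/reserved, length), then
        # Fragment Number and Total Fragments, each 16 bits
        _next, _crit, _plen, frag_no, frag_total = struct.unpack("!BBHHH", data[28:36])
        fragment = (frag_no, frag_total)
    return IkeHeader(
        spi_i=spi_i.hex(), spi_r=spi_r.hex(),
        next_payload=PAYLOAD_TYPES.get(np, str(np)),
        version=f"{ver >> 4}.{ver & 0xF}",
        exchange=EXCHANGE_TYPES.get(ex, str(ex)),
        from_initiator=bool(flags & FLAG_INITIATOR),
        is_response=bool(flags & FLAG_RESPONSE),
        message_id=msgid, length=length, actual_len=len(data), fragment=fragment)


def classify_request(msg_id: int, expected: int) -> str:
    """Responder-side view of a request's Message ID with a window size of 1,
    a simplified model of RFC 7296 section 2.3 (assumption: not any vendor's
    exact logic). IDs are a per-direction counter, so a request below
    'expected' is one the responder has already answered."""
    if msg_id == expected:
        return "new"              # process it, then expected += 1
    if msg_id == expected - 1:
        return "retransmission"   # resend the stored response for that ID
    if msg_id < expected - 1:
        return "stale"            # answered earlier, response no longer stored: drop
    return "out_of_window"        # ahead of the counter: drop


# The packet from the post's debug output ("in 5D8DE86E..."), split into fields.
SAMPLE_HEX = (
    "5D8DE86E535542E2" "948C1C910EB938E4" "35202408" "00000017" "00000054"
    "00000038" "00020002"
    "4A4594698B4D940D0EA2EA504C7581121DF2E0A27C11B3252D16C24673261A81"
    "E6F18EE6D334F2CAB4E7EE4462D2D948"
)


def decode_sample() -> IkeHeader:
    """Decode the packet quoted in the post."""
    return parse_ike_header(bytes.fromhex(SAMPLE_HEX))


if __name__ == "__main__":
    hdr = decode_sample()
    print(hdr)
    # The gateway logged "request msgid = 23, expected 24" for this packet
    print("responder treats it as:", classify_request(hdr.message_id, 24))
```

Because the gateway already expects ID 24, the same request with ID 23 arriving ten times reads, under this model, as the client retransmitting a request whose response it never accepted; the decoded header also shows the request arriving as SKF fragments, so a capture of both fragments and of the gateway's response is what to compare on each retry.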