[strongSwan] Tunnel accidentally dies

Rene rmnet at mailc.net
Fri May 8 12:27:24 CEST 2020


Hello

I have a tunnel to an IPsec server which is not under my control.

The client side is under my control (but only the software, it may be powered randomly).

There is a mobile connection and everything works fine as far as I can see. The mobile connection 
is stable and "always" up. But from time to time (after 20 up to 50 hours) the tunnel fails and 
"ipsec status" on the client side does not show a Security Association. This state does not change 
anymore. I have seen that silent TCP connections are closed by the mobile network after 10 minutes.

This is the journal on the client side:

--------------------------------------------------------------------------------
May 08 07:02:10 charon[2714]: 06[NET] received packet: from x.x.x.x[4500] to 10.154.141.168[4500] (544 bytes)
May 08 07:02:10 charon[2714]: 06[ENC] parsed CREATE_CHILD_SA request 0 [ SA No KE ]
May 08 07:02:10 charon[2714]: 06[IKE] x.x.x.x is initiating an IKE_SA
May 08 07:02:10 charon[2714]: 06[IKE] x.x.x.x is initiating an IKE_SA
May 08 07:02:12 charon[2714]: 06[ENC] generating CREATE_CHILD_SA response 0 [ SA No KE ]
May 08 07:02:12 charon[2714]: 06[NET] sending packet: from 10.154.141.168[4500] to x.x.x.x[4500] (560 bytes)
May 08 07:02:12 charon[2714]: 16[IKE] unable to reauthenticate in REKEYING state, delaying for 30s
May 08 07:02:12 charon[2714]: 08[NET] received packet: from x.x.x.x[4500] to 10.154.141.168[4500] (80 bytes)
May 08 07:02:12 charon[2714]: 08[ENC] parsed INFORMATIONAL request 1 [ D ]
May 08 07:02:12 charon[2714]: 08[IKE] scheduling reauthentication in 3358s
May 08 07:02:12 charon[2714]: 08[IKE] maximum IKE_SA lifetime 3538s
May 08 07:02:12 charon[2714]: 08[IKE] IKE_SA one[23] rekeyed between 10.154.141.168[10.154.141.168]...x.x.x.x[x.x.x.x]
May 08 07:02:12 charon[2714]: 08[IKE] IKE_SA one[23] rekeyed between 10.154.141.168[10.154.141.168]...x.x.x.x[x.x.x.x]
May 08 07:02:12 charon[2714]: 08[IKE] rescheduling reauthentication in 0s after rekeying, lifetime reduced to 180s
May 08 07:02:12 charon[2714]: 08[IKE] received DELETE for IKE_SA one[22]
May 08 07:02:12 charon[2714]: 08[IKE] deleting IKE_SA one[22] between 10.154.141.168[10.154.141.168]...x.x.x.x[x.x.x.x]
May 08 07:02:12 charon[2714]: 08[IKE] deleting IKE_SA one[22] between 10.154.141.168[10.154.141.168]...x.x.x.x[x.x.x.x]
May 08 07:02:12 charon[2714]: 08[IKE] IKE_SA deleted
May 08 07:02:12 charon[2714]: 08[IKE] IKE_SA deleted
May 08 07:02:12 charon[2714]: 08[ENC] generating INFORMATIONAL response 1 [ ]
May 08 07:02:12 charon[2714]: 08[NET] sending packet: from 10.154.141.168[4500] to x.x.x.x[4500] (80 bytes)
May 08 07:02:15 charon[2714]: 10[NET] received packet: from x.x.x.x[4500] to 10.154.141.168[4500] (80 bytes)
May 08 07:02:15 charon[2714]: 10[ENC] parsed INFORMATIONAL request 0 [ ]
May 08 07:02:15 charon[2714]: 10[ENC] generating INFORMATIONAL response 0 [ ]
May 08 07:02:15 charon[2714]: 10[NET] sending packet: from 10.154.141.168[4500] to x.x.x.x[4500] (80 bytes)
May 08 07:05:12 charon[2714]: 05[IKE] deleting IKE_SA one[23] between 10.154.141.168[10.154.141.168]...x.x.x.x[x.x.x.x]
May 08 07:05:12 charon[2714]: 05[IKE] deleting IKE_SA one[23] between 10.154.141.168[10.154.141.168]...x.x.x.x[x.x.x.x]
May 08 07:05:12 charon[2714]: 05[IKE] sending DELETE for IKE_SA one[23]
May 08 07:05:12 charon[2714]: 05[ENC] generating INFORMATIONAL request 0 [ D ]
May 08 07:05:12 charon[2714]: 05[NET] sending packet: from 10.154.141.168[4500] to x.x.x.x[4500] (80 bytes)
May 08 07:05:12 charon[2714]: 11[NET] received packet: from x.x.x.x[4500] to 10.154.141.168[4500] (80 bytes)
May 08 07:05:12 charon[2714]: 11[ENC] parsed INFORMATIONAL response 0 [ ]
May 08 07:05:12 charon[2714]: 11[IKE] IKE_SA deleted
May 08 07:05:12 charon[2714]: 11[IKE] IKE_SA deleted
--------------------------------------------------------------------------------

I assume the problem starts here:
May 08 07:02:12 charon[2714]: 16[IKE] unable to reauthenticate in REKEYING state, delaying for 30s

What does this mean?

# ipsec --version
Linux strongSwan U5.4.0/K4.4.107

René
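
A monitoring sketch for the symptom described in the message above, added here as an example and not part of the original post or of strongSwan: it replays charon journal lines, tracks which IKE_SA ids are live per connection, and reports the moment a connection is left with no IKE_SA. The function name `analyze`, the finding labels, and the `established` pattern (which does not occur in this journal excerpt) are assumptions of the example.

```python
import re

# Lines copied from the journal in the post (wrapped lines joined); one duplicate kept on purpose.
SAMPLE = """\
May 08 07:02:12 charon[2714]: 16[IKE] unable to reauthenticate in REKEYING state, delaying for 30s
May 08 07:02:12 charon[2714]: 08[IKE] IKE_SA one[23] rekeyed between 10.154.141.168[10.154.141.168]...x.x.x.x[x.x.x.x]
May 08 07:02:12 charon[2714]: 08[IKE] rescheduling reauthentication in 0s after rekeying, lifetime reduced to 180s
May 08 07:02:12 charon[2714]: 08[IKE] deleting IKE_SA one[22] between 10.154.141.168[10.154.141.168]...x.x.x.x[x.x.x.x]
May 08 07:05:12 charon[2714]: 05[IKE] deleting IKE_SA one[23] between 10.154.141.168[10.154.141.168]...x.x.x.x[x.x.x.x]
May 08 07:05:12 charon[2714]: 05[IKE] deleting IKE_SA one[23] between 10.154.141.168[10.154.141.168]...x.x.x.x[x.x.x.x]
"""

LINE = re.compile(r"^(\w{3} \d{2} [\d:]{8}) charon\[\d+\]: \d+\[IKE\] (.*)$")
UP = re.compile(r"^IKE_SA (\S+)\[(\d+)\] (?:established|rekeyed) between")
DOWN = re.compile(r"^deleting IKE_SA (\S+)\[(\d+)\] between")
COLLISION = "unable to reauthenticate in REKEYING state"

def analyze(text):
    """Return (live, findings): live IKE_SA ids per connection and a list of (timestamp, kind, detail)."""
    live = {}
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a charon [IKE] line
        ts, msg = m.groups()
        if msg.startswith(COLLISION):
            findings.append((ts, "reauth-during-rekey", msg))
        elif (up := UP.match(msg)):
            live.setdefault(up[1], set()).add(int(up[2]))
        elif (down := DOWN.match(msg)):
            name, sa_id = down[1], int(down[2])
            ids = live.setdefault(name, set())
            if sa_id in ids:  # ignore SAs never seen coming up, and duplicated journal lines
                ids.remove(sa_id)
                if not ids:
                    findings.append((ts, "no-ike-sa-left", name))
    return live, findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE)[1]:
        print(*finding, sep=" | ")
```

An SA that was established before the start of the supplied log is unknown to the tracker, so its deletion is ignored rather than reported.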

