[strongSwan] OPNsense - phase 2 SAs being dropped for no apparent reason

Patrick M. Hausen hausen at punkt.de
Mon Oct 11 15:18:57 CEST 2021


Hello,

we migrated our ancient Sidewinder firewalls to OPNsense which
comes with strongSwan as the IPsec implementation.

We have various static gateway-gateway tunnels from our infrastructure
to our customers'.

Although the entire migration was all in all successful and rather smooth
given the complexity of such a project, we still have a bit of trouble with
some but not all of the tunnels.

While the phase 1 SAs seem to be up and running, a part - or depending
on the peer - all phase 2 SAs are dropped from time to time and not
re-established.

The version OPNsense uses seems to be:

	strongSwan swanctl 5.9.3

A typical phase 2 entry that gives us trouble:

	conn con5-000
	  aggressive = no
	  fragmentation = yes
	  keyexchange = ikev1
	  mobike = yes
	  reauth = yes
	  rekey = yes
	  forceencaps = no
	  installpolicy = yes
	  type = tunnel
	  keyingtries = %forever
	  left = *.*.*.*
	  right = *.*.*.*
	  leftid = *.*.*.*
	  ikelifetime = 28800s
	  lifetime = 3600s
	  ike = aes256-sha1-modp1536!
	  leftauth = psk
	  rightauth = psk
	  rightid = *.*.*.*
	  reqid = 21
	  rightsubnet = *.*.*.*/24
	  leftsubnet = *.*.*.*/23
	  esp = aes256-sha1-modp1536!
	  auto = start

The system at the other end is a Cisco ASA 5516-X.
The use of SHA1 is due to our old Sidewinder, but before I change the settings
I need to get those tunnels stable again. I have one peering successfully moved
to IKEv2 and more modern crypto, but there SAs drop as well, only less frequently.

The phase 1 entries are all set to "start immediately" - these are all 24x7
pre-configured connections, though we use IKE, of course, and not manual SPDs.

Perusing a search engine and looking at the logs it seems to me that our partner
gateway is sending a regular "close" request for some unknown reason.
Then a new one never gets established unless I restart the service on our side.

What is the reasoning behind this? I found that there is a "closeaction" option
that is per default set to "none". This is not exposed by the OPNsense UI, but
I am perfectly willing to put that work in myself and improve OPNsense in that respect.

My reason for this mail is asking for a recommendation on the best options for a

	"this is a gateway to gateway tunnel and as soon as it drops keep throwing
	packets at the remote until it is up again"

configuration. Obviously the Sidewinder must have done something like that, but
it's a closed source black box, so I cannot be sure if that really is the difference/culprit.
For the moment "closeaction" is my best bet.

There is traffic. We monitor the remote customer systems with Zabbix so there is
always traffic present, still the tunnels stay down.

Any advice greatly appreciated. Thanks for your time.
Patrick
-- 
punkt.de GmbH
Patrick M. Hausen
.infrastructure

Kaiserallee 13a
76133 Karlsruhe

Tel. +49 721 9109500

https://infrastructure.punkt.de
info at punkt.de

AG Mannheim 108285
Geschäftsführer: Jürgen Egeling, Daniel Lienert, Fabian Stein
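As an added example (not part of the original mail or of OPNsense's generated configuration), the conn entry above rewritten with the two ipsec.conf settings that make strongSwan re-establish a gateway-to-gateway CHILD_SA instead of leaving it down: "closeaction" for the case where the peer sends a delete, and dead-peer detection ("dpdaction" with its timers) for the case where the peer silently disappears. The timer values are assumptions; the unchanged parameters are elided.

```conf
conn con5-000
	  keyexchange = ikev1
	  keyingtries = %forever
	  auto = start
	  # ... remaining parameters unchanged from the original entry ...
	  # Default is "none": a CHILD_SA closed by the peer stays down until traffic
	  # or a service restart triggers a new negotiation. "restart" renegotiates it.
	  closeaction = restart
	  # Dead-peer detection: probe an idle peer every dpddelay; on IKEv1 declare it
	  # dead after dpdtimeout without an answer and renegotiate instead of "none".
	  dpdaction = restart
	  dpddelay = 30s
	  dpdtimeout = 120s
```

The strongSwan ipsec.conf reference warns that closeaction should not be used when the peer relies on reauthentication or uniqueids checks, because those events also close SAs and would trigger a restart; dpdtimeout is honoured for IKEv1 only, IKEv2 uses the normal retransmission timeout.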


