[strongSwan] IPSEC IKEv2 disconnecting after ~8 hours - Windows 10 Client

Ed Hunter edhunterr at outlook.com
Wed Jan 19 08:31:53 CET 2022 

Hello Tobias,

Thank you for the link. I did have rekey=no before i changed my config and while i could see the tunnel rekeying, after a couple minutes the windows client would disconnect. I did only have rekey=no and not reauth though. These are the logs and config ->


conn VPN_XX _xxxx
      keyexchange=ikev2
      ike=aes256-sha1-modp1024,aes256-sha256-modp2048!
      esp=aes256-sha1,aes256-sha256-modp2048!
      dpdaction=clear
      dpddelay=300s
      rekey=no
      left=1.1.1.1
      leftsubnet=0.0.0.0/0
      leftauth=pubkey
      leftcert=VPN-gateway.pem.rsa
      leftid="C=XX, ST=XXXX, L=XXXX, O=XXXXX., OU=XXX, CN=XXXX.XXXX.XXXX"
      right=%any
      rightdns=192.168.132.1,192.168.129.254
      rightsourceip=192.168.148.64/27
      rightgroups=xxxx at xxxxx.xxxx<mailto:rightgroups=xxxx at xxxxx.xxxx>
      rightauth=eap-radius
      eap_identity=%identity
      auto=add




Jan 18 14:15:46 gateway charon: 10[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (348 bytes)
Jan 18 14:15:46 gateway charon: 10[ENC] parsed CREATE_CHILD_SA request 23 [ N(REKEY_SA) SA No TSi TSr ]
Jan 18 14:15:46 gateway charon: 10[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jan 18 14:15:46 gateway charon: 10[IKE] inbound CHILD_SA VPN_XX_xxxx{106878} established with SPIs cd654f29_i 499da7a6_o and TS 0.
0.0.0/0 === 192.168.148.65/32
Jan 18 14:15:46 gateway charon: 10[ENC] generating CREATE_CHILD_SA response 23 [ SA No TSi TSr ]
Jan 18 14:15:46 gateway charon: 10[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (204 bytes)
Jan 18 14:15:46 gateway charon: 13[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (76 bytes)
Jan 18 14:15:46 gateway charon: 13[ENC] parsed INFORMATIONAL request 24 [ D ]
Jan 18 14:15:46 gateway charon: 13[IKE] received DELETE for ESP CHILD_SA with SPI b067bbf4
Jan 18 14:15:46 gateway charon: 13[IKE] closing CHILD_SA VPN_XX_xxxx{106779} with SPIs c1ce1b3a_i (36620023 bytes) b067bbf4_o (192
63998 bytes) and TS 0.0.0.0/0 === 192.168.148.65/32
Jan 18 14:15:46 gateway charon: 13[IKE] sending DELETE for ESP CHILD_SA with SPI c1ce1b3a
Jan 18 14:15:46 gateway charon: 13[IKE] CHILD_SA closed
Jan 18 14:15:46 gateway charon: 13[IKE] outbound CHILD_SA VPN_XX_xxxx{106878} established with SPIs cd654f29_i 499da7a6_o and TS 0
.0.0.0/0 === 192.168.148.65/32
Jan 18 14:15:46 gateway charon: 13[ENC] generating INFORMATIONAL response 24 [ D ]
Jan 18 14:15:46 gateway charon: 13[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (76 bytes)


Jan 18 14:25:45 gateway charon: 07[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (576 bytes)
Jan 18 14:25:45 gateway charon: 07[ENC] parsed CREATE_CHILD_SA request 25 [ EF(1/2) ]
Jan 18 14:25:45 gateway charon: 07[ENC] received fragment #1 of 2, waiting for complete IKE message
Jan 18 14:25:45 gateway charon: 06[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (80 bytes)
Jan 18 14:25:45 gateway charon: 06[ENC] parsed CREATE_CHILD_SA request 25 [ EF(2/2) ]
Jan 18 14:25:45 gateway charon: 06[ENC] received fragment #2 of 2, reassembled fragmented IKE message (572 bytes)
Jan 18 14:25:45 gateway charon: 06[ENC] parsed CREATE_CHILD_SA request 25 [ SA KE No N(FRAG_SUP) ]
Jan 18 14:25:45 gateway charon: 06[IKE] 2.2.2.2 is initiating an IKE_SA
Jan 18 14:25:45 gateway charon: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 18 14:25:45 gateway charon: 06[IKE] IKE_SA VPN_XX_xxxx[72723] rekeyed between 1.1.1.1[C=xx, ST=xxxx, L=xxxx, O=xxxx, OU=xx, CN=xxxx.xxxx.xxxx, E=xx at x]
quaredfinancial.com]...2.2.2.2[192.168.10.2]
Jan 18 14:25:45 gateway charon: 06[ENC] generating CREATE_CHILD_SA response 25 [ SA No KE ]
Jan 18 14:25:45 gateway charon: 06[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (300 bytes)

Jan 18 14:25:46 gateway charon: 09[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (576 bytes)
Jan 18 14:25:46 gateway charon: 09[ENC] parsed CREATE_CHILD_SA request 25 [ EF(1/2) ]
Jan 18 14:25:46 gateway charon: 09[ENC] received fragment #1 of 2, waiting for complete IKE message
Jan 18 14:25:46 gateway charon: 05[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (80 bytes)
Jan 18 14:25:46 gateway charon: 05[ENC] parsed CREATE_CHILD_SA request 25 [ EF(2/2) ]
Jan 18 14:25:46 gateway charon: 05[ENC] received fragment #2 of 2, reassembled fragmented IKE message (572 bytes)
Jan 18 14:25:46 gateway charon: 05[ENC] parsed CREATE_CHILD_SA request 25 [ SA KE No N(FRAG_SUP) ]
Jan 18 14:25:46 gateway charon: 05[IKE] received retransmit of request with ID 25, retransmitting response
Jan 18 14:25:46 gateway charon: 05[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (300 bytes)
Jan 18 14:25:47 gateway charon: 04[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (576 bytes)
Jan 18 14:25:47 gateway charon: 04[ENC] parsed CREATE_CHILD_SA request 25 [ EF(1/2) ]
Jan 18 14:25:47 gateway charon: 04[ENC] received fragment #1 of 2, waiting for complete IKE message
Jan 18 14:25:47 gateway charon: 13[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (80 bytes)
Jan 18 14:25:47 gateway charon: 13[ENC] parsed CREATE_CHILD_SA request 25 [ EF(2/2) ]
Jan 18 14:25:47 gateway charon: 13[ENC] received fragment #2 of 2, reassembled fragmented IKE message (572 bytes)
Jan 18 14:25:47 gateway charon: 13[ENC] parsed CREATE_CHILD_SA request 25 [ SA KE No N(FRAG_SUP) ]
Jan 18 14:25:47 gateway charon: 13[IKE] received retransmit of request with ID 25, retransmitting response
Jan 18 14:25:47 gateway charon: 13[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (300 bytes)
Jan 18 14:25:50 gateway charon: 11[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (576 bytes)
Jan 18 14:25:50 gateway charon: 11[ENC] parsed CREATE_CHILD_SA request 25 [ EF(1/2) ]
Jan 18 14:25:50 gateway charon: 11[ENC] received fragment #1 of 2, waiting for complete IKE message
Jan 18 14:25:50 gateway charon: 15[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (80 bytes)
Jan 18 14:25:50 gateway charon: 15[ENC] parsed CREATE_CHILD_SA request 25 [ EF(2/2) ]
Jan 18 14:25:50 gateway charon: 15[ENC] received fragment #2 of 2, reassembled fragmented IKE message (572 bytes)
Jan 18 14:25:50 gateway charon: 15[ENC] parsed CREATE_CHILD_SA request 25 [ SA KE No N(FRAG_SUP) ]
Jan 18 14:25:50 gateway charon: 15[IKE] received retransmit of request with ID 25, retransmitting response
Jan 18 14:25:50 gateway charon: 15[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (300 bytes)
Jan 18 14:25:58 gateway charon: 08[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (576 bytes)
Jan 18 14:25:58 gateway charon: 08[ENC] parsed CREATE_CHILD_SA request 25 [ EF(1/2) ]
Jan 18 14:25:58 gateway charon: 08[ENC] received fragment #1 of 2, waiting for complete IKE message
Jan 18 14:25:58 gateway charon: 14[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (80 bytes)
Jan 18 14:25:58 gateway charon: 14[ENC] parsed CREATE_CHILD_SA request 25 [ EF(2/2) ]
Jan 18 14:25:58 gateway charon: 14[ENC] received fragment #2 of 2, reassembled fragmented IKE message (572 bytes)
Jan 18 14:25:58 gateway charon: 14[ENC] parsed CREATE_CHILD_SA request 25 [ SA KE No N(FRAG_SUP) ]
Jan 18 14:25:58 gateway charon: 14[IKE] received retransmit of request with ID 25, retransmitting response
Jan 18 14:25:58 gateway charon: 14[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (300 bytes)
Jan 18 14:26:12 gateway charon: 07[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (576 bytes)
Jan 18 14:26:12 gateway charon: 07[ENC] parsed CREATE_CHILD_SA request 25 [ EF(1/2) ]
Jan 18 14:26:12 gateway charon: 07[ENC] received fragment #1 of 2, waiting for complete IKE message
Jan 18 14:26:12 gateway charon: 06[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (80 bytes)
Jan 18 14:26:12 gateway charon: 06[ENC] parsed CREATE_CHILD_SA request 25 [ EF(2/2) ]
Jan 18 14:26:12 gateway charon: 06[ENC] received fragment #2 of 2, reassembled fragmented IKE message (572 bytes)
Jan 18 14:26:12 gateway charon: 06[ENC] parsed CREATE_CHILD_SA request 25 [ SA KE No N(FRAG_SUP) ]
Jan 18 14:26:12 gateway charon: 06[IKE] received retransmit of request with ID 25, retransmitting response
Jan 18 14:26:12 gateway charon: 06[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (300 bytes)
Jan 18 14:26:40 gateway charon: 04[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (576 bytes)
Jan 18 14:26:40 gateway charon: 04[ENC] parsed CREATE_CHILD_SA request 25 [ EF(1/2) ]
Jan 18 14:26:40 gateway charon: 04[ENC] received fragment #1 of 2, waiting for complete IKE message
Jan 18 14:26:40 gateway charon: 08[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (80 bytes)
Jan 18 14:26:40 gateway charon: 08[ENC] parsed CREATE_CHILD_SA request 25 [ EF(2/2) ]
Jan 18 14:26:40 gateway charon: 08[ENC] received fragment #2 of 2, reassembled fragmented IKE message (572 bytes)
Jan 18 14:26:40 gateway charon: 08[ENC] parsed CREATE_CHILD_SA request 25 [ SA KE No N(FRAG_SUP) ]
Jan 18 14:26:40 gateway charon: 08[IKE] received retransmit of request with ID 25, retransmitting response
Jan 18 14:26:40 gateway charon: 08[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (300 bytes)


Jan 18 14:35:38 gateway charon: 04[IKE] retransmit 1 of request with message ID 0
Jan 18 14:35:38 gateway charon: 04[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (76 bytes)

Jan 18 14:35:45 gateway charon: 09[IKE] retransmit 2 of request with message ID 0
Jan 18 14:35:45 gateway charon: 09[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (76 bytes)

Jan 18 14:35:58 gateway charon: 14[IKE] retransmit 3 of request with message ID 0
Jan 18 14:35:58 gateway charon: 14[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (76 bytes)

Jan 18 14:36:22 gateway charon: 13[IKE] retransmit 4 of request with message ID 0
Jan 18 14:36:22 gateway charon: 13[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (76 bytes)

Jan 18 14:37:04 gateway charon: 12[IKE] retransmit 5 of request with message ID 0
Jan 18 14:37:04 gateway charon: 12[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (76 bytes)



Jan 18 14:38:19 gateway charon: 13[IKE] giving up after 5 retransmits
Jan 18 14:38:19 gateway charon: 13[IKE] proper IKE_SA delete failed, peer not responding
Jan 18 14:38:19 gateway charon: 13[CFG] lease 192.168.148.65 by 'DOMAIN_X\user1' went offline


The weird thing is, if i force the rekey with stroke, it works ok..

I added reauth=no to the config now. Lets see if it rekeys.

Thanks.



On 17 Jan 2022, at 15:50, Tobias Brunner <tobias at strongswan.org> wrote:

Hi Ed,

I did change ikelifetime to 360m (6 hrs) but i am still having issues. Could that still be the cipher?

No, you want to disable reauthentication (reauth=no) so the IKE_SA is actually rekeyed to avoid this error:

These are the logs after modifying ikelifetime so thst the strongswan server initiates the rekey before windows ->
   charon: 06[IKE] initiator did not reauthenticate as requested____

   charon: 06[IKE] IKE_SA VPN_x_xxxx[71277] will timeout in 3 minutes____

A related ticket can be found at [1].

Regards,
Tobias

[1] https://wiki.strongswan.org/issues/3400
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20220119/c80a1b31/attachment-0001.html>

More information about the Users mailing list