[strongSwan] Remote site dies for no reason?
Rene Maurer
rmnet at mailc.net
Fri Oct 21 07:47:30 CEST 2022
Hi Noel
> Does this mean that dpddelay and dpdtimeout obsolete?
Sorry, I did not understand the documentation at the first attempt; I think I understand now. It is only about the retransmissions. I try to set the global timeouts sharper.
But the log in the original posting indicates that the remote station is no longer responding or am I wrong?
Kind regards
René
On 21.10.2022 Rene Maurer wrote:
> Hi Noel
>
> Thank you very much.
>
>> With IKEv2 the global ikev2 timeouts are used.
>> See https://docs.strongswan.org/docs/6.0/config/retransmission.htm
>
> Ok. Does this mean that dpddelay and dpdtimeout obsolete?
> What about dpdaction=restart, will this remain in ipsec.conf?
>
> Kind regards
> René
>
> On 20.10.22 10:45, Noel Kuntze wrote:
>> Hi Rene,
>>
>> With IKEv2 the global ikev2 timeouts are used.
>> Change charon.retransmit_base, charon.retransmit_jitter, charon.retransmit_limit, charon.retransmit_timeout, charon.retransmit_tries as required to achieve the desired timeout.
>> See https://docs.strongswan.org/docs/6.0/config/retransmission.html for details
>>
>> Kind regards
>> Noel Kuntze
>>
>> On 20.10.22 10:45, Rene Maurer wrote:
>>> Hello
>>>
>>> We are using strongSwan U5.4.0/K4.4.107 (embedded device) and making an ipsec connection to a remote CISCO system.
>>>
>>> From time to time we see the following behavior (tunnel seems to stop working):
>>>
>>> ------------------------------------------------------------------------
>>> Oct 20 09:32:33 EGV charon[656]: 13[KNL] creating rekey job for CHILD_SA ESP/0xc5ff03b6/xx.xxx.xxx.xxx
>>> Oct 20 09:32:33 EGV charon[656]: 13[IKE] establishing CHILD_SA one{1}
>>> Oct 20 09:32:33 EGV charon[656]: 13[IKE] establishing CHILD_SA one{1}
>>> Oct 20 09:32:33 EGV charon[656]: 13[ENC] generating CREATE_CHILD_SA request 24388 [ N(REKEY_SA) SA No KE TSi TSr ]
>>> Oct 20 09:32:33 EGV charon[656]: 13[NET] sending packet: from 10.162.225.65[4500] to xx.xxx.xxx.xxx[4500] (309 bytes)
>>> Oct 20 09:32:33 EGV charon[656]: 08[NET] received packet: from xx.xxx.xxx.xxx[4500] to 10.162.225.65[4500] (297 bytes)
>>> Oct 20 09:32:33 EGV charon[656]: 08[ENC] parsed CREATE_CHILD_SA response 24388 [ SA No KE TSi TSr ]
>>> Oct 20 09:32:33 EGV charon[656]: 08[IKE] CHILD_SA one{93} established with SPIs c70a8723_i a5e30c1d_o and TS 10.162.110.160/29 === 10.0.0.0/8
>>> Oct 20 09:32:33 EGV charon[656]: 08[IKE] CHILD_SA one{93} established with SPIs c70a8723_i a5e30c1d_o and TS 10.162.110.160/29 === 10.0.0.0/8
>>> Oct 20 09:32:33 EGV charon[656]: 08[IKE] closing CHILD_SA one{92} with SPIs ca335ba8_i (21496 bytes) c5ff03b6_o (21496 bytes) and TS 10.162.110.160/29 === 10.0.0.0/8
>>> Oct 20 09:32:33 EGV charon[656]: 08[IKE] closing CHILD_SA one{92} with SPIs ca335ba8_i (21496 bytes) c5ff03b6_o (21496 bytes) and TS 10.162.110.160/29 === 10.0.0.0/8
>>> Oct 20 09:32:33 EGV charon[656]: 08[IKE] sending DELETE for ESP CHILD_SA with SPI ca335ba8
>>> Oct 20 09:32:33 EGV charon[656]: 08[ENC] generating INFORMATIONAL request 24389 [ D ]
>>> Oct 20 09:32:33 EGV charon[656]: 08[NET] sending packet: from 10.162.225.65[4500] to xx.xxx.xxx.xxx[4500] (69 bytes)
>>> Oct 20 09:32:33 EGV charon[656]: 14[NET] received packet: from xx.xxx.xxx.xxx[4500] to 10.162.225.65[4500] (69 bytes)
>>> Oct 20 09:32:33 EGV charon[656]: 14[ENC] parsed INFORMATIONAL response 24389 [ D ]
>>> Oct 20 09:32:33 EGV charon[656]: 14[IKE] received DELETE for ESP CHILD_SA with SPI c5ff03b6
>>> Oct 20 09:32:33 EGV charon[656]: 14[IKE] CHILD_SA closed
>>> Oct 20 09:32:37 EGV charon[656]: 10[IKE] sending DPD request
>>> Oct 20 09:32:37 EGV charon[656]: 10[ENC] generating INFORMATIONAL request 24390 [ ]
>>> Oct 20 09:32:37 EGV charon[656]: 10[NET] sending packet: from 10.162.225.65[4500] to xx.xxx.xxx.xxx[4500] (57 bytes)
>>> Oct 20 09:32:37 EGV charon[656]: 16[NET] received packet: from xx.xxx.xxx.xxx[4500] to 10.162.225.65[4500] (57 bytes)
>>> Oct 20 09:32:37 EGV charon[656]: 16[ENC] parsed INFORMATIONAL response 24390 [ ]
>>> Oct 20 09:32:38 EGV charon[656]: 14[NET] received packet: from xx.xxx.xxx.xxx[4500] to 10.162.225.65[4500] (57 bytes)
>>> Oct 20 09:32:38 EGV charon[656]: 14[ENC] parsed INFORMATIONAL request 7089 [ ]
>>> Oct 20 09:32:38 EGV charon[656]: 14[ENC] generating INFORMATIONAL response 7089 [ ]
>>> Oct 20 09:32:38 EGV charon[656]: 14[NET] sending packet: from 10.162.225.65[4500] to xx.xxx.xxx.xxx[4500] (57 bytes)
>>> Oct 20 09:32:40 EGV charon[656]: 08[IKE] sending DPD request
>>> Oct 20 09:32:40 EGV charon[656]: 08[ENC] generating INFORMATIONAL request 24391 [ ]
>>> Oct 20 09:32:40 EGV charon[656]: 08[NET] sending packet: from 10.162.225.65[4500] to xx.xxx.xxx.xxx[4500] (57 bytes)
>>> Oct 20 09:32:40 EGV charon[656]: 06[NET] received packet: from xx.xxx.xxx.xxx[4500] to 10.162.225.65[4500] (57 bytes)
>>> Oct 20 09:32:40 EGV charon[656]: 06[ENC] parsed INFORMATIONAL response 24391 [ ]
>>> Oct 20 09:32:43 EGV charon[656]: 07[IKE] sending DPD request
>>> Oct 20 09:32:43 EGV charon[656]: 07[ENC] generating INFORMATIONAL request 24392 [ ]
>>> Oct 20 09:32:43 EGV charon[656]: 07[NET] sending packet: from 10.162.225.65[4500] to xx.xxx.xxx.xxx[4500] (57 bytes)
>>> Oct 20 09:32:47 EGV charon[656]: 06[IKE] retransmit 1 of request with message ID 24392
>>> Oct 20 09:32:47 EGV charon[656]: 06[NET] sending packet: from 10.162.225.65[4500] to xx.xxx.xxx.xxx[4500] (57 bytes)
>>> Oct 20 09:32:54 EGV charon[656]: 09[IKE] retransmit 2 of request with message ID 24392
>>> Oct 20 09:32:54 EGV charon[656]: 09[NET] sending packet: from 10.162.225.65[4500] to xx.xxx.xxx.xxx[4500] (57 bytes)
>>> Ping::PingHost, send ping to xx.xxx.xxx.xxx, ret 8
>>> Ping::PingHost, ping reply received
>>> Oct 20 09:33:02 EGV charon[656]: 11[NET] received packet: from xx.xxx.xxx.xxx[4500] to 10.162.225.65[4500] (57 bytes)
>>> Oct 20 09:33:02 EGV charon[656]: 11[ENC] parsed INFORMATIONAL request 7090 [ ]
>>> Oct 20 09:33:02 EGV charon[656]: 11[ENC] generating INFORMATIONAL response 7090 [ ]
>>> Oct 20 09:33:02 EGV charon[656]: 11[NET] sending packet: from 10.162.225.65[4500] to xx.xxx.xxx.xxx[4500] (57 bytes)
>>> Oct 20 09:33:02 EGV charon[656]: 13[MGR] ignoring request with ID 7090, already processing
>>> Oct 20 09:33:02 EGV charon[656]: 07[MGR] ignoring request with ID 7090, already processing
>>> Oct 20 09:33:02 EGV charon[656]: 07[MGR] ignoring request with ID 7090, already processing
>>> Oct 20 09:33:07 EGV charon[656]: 15[IKE] retransmit 3 of request with message ID 24392
>>> Oct 20 09:33:07 EGV charon[656]: 15[NET] sending packet: from 10.162.225.65[4500] to xx.xxx.xxx.xxx[4500] (57 bytes)
>>> tunnel ping to 10.162.100.126 failed (1)
>>> tunnel ping to 10.162.100.126 failed (2)
>>> tunnel ping to 10.162.100.126 failed (3)
>>> Oct 20 09:33:30 EGV charon[656]: 15[IKE] retransmit 4 of request with message ID 24392
>>> Oct 20 09:33:30 EGV charon[656]: 15[NET] sending packet: from 10.162.225.65[4500] to xx.xxx.xxx.xxx[4500] (57 bytes)
>>> Ping::PingHost, send ping to xx.xxx.xxx.xxx, ret 8
>>> Ping::PingHost, ping reply received
>>> tunnel ping to 10.162.100.126 failed (1)
>>> tunnel ping to 10.162.100.126 failed (2)
>>> Oct 20 09:34:12 EGV charon[656]: 15[IKE] retransmit 5 of request with message ID 24392
>>> Oct 20 09:34:12 EGV charon[656]: 15[NET] sending packet: from 10.162.225.65[4500] to xx.xxx.xxx.xxx[4500] (57 bytes)
>>> tunnel ping to 10.162.100.126 failed (3)
>>> 2022-10-20 09:34:13 restart ipsec
>>> ------------------------------------------------------------------------
>>>
>>> The remote side is pinged once per minute; if this fails two consecutive times, ipsec is restarted on the local side (this is what you see at the end, we can also remove this).
>>>
>>> How should we interpret the log? Does ipsec on the remote side simply no longer respond? Or is that to be understood differently?
>>>
>>> What we also do not understand:
>>>
>>> We have
>>>
>>> ikelifetime=86400
>>> keylife=1090
>>> fragmentation=yes
>>> mobike=yes
>>> dpddelay=2
>>> dpdtimeout=10
>>> dpdaction=restart
>>> rekeymargin=3m
>>> keyingtries=%forever
>>> keyexchange=ikev2
>>>
>>> Why is ipsec not restarted locally with the above dpd-settings?
>>>
>>> Best regards
>>> René
--
Kind regards
René
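As an added illustration (not code from the thread or from the strongSwan project): Noel's reply says that with IKEv2 the global charon.retransmit_* settings, not dpdtimeout, decide how long charon keeps retransmitting a DPD request before it declares the peer dead and dpdaction applies. The Python below computes that schedule with the default values documented on the retransmission page (retransmit_timeout 4.0 s, retransmit_base 1.8, retransmit_tries 5, no retransmit_limit; an assumption, since the posted ipsec.conf sets none of them), parses the retransmit lines of the posted log for message ID 24392 (copied from the thread with the quote markers stripped), and checks whether the observed gaps of 4, 7, 13, 23 and 42 seconds follow that schedule. It also computes when charon would have given up on the request, which lands after the 09:34:13 restart triggered by the local ping watchdog.

```python
import re
from datetime import datetime, timedelta

# Default charon.retransmit_* values from the strongSwan retransmission docs
# (assumption: the device in the thread runs with these defaults, since the
# posted configuration does not set any of them).
RETRANSMIT_TIMEOUT = 4.0   # charon.retransmit_timeout (seconds)
RETRANSMIT_BASE = 1.8      # charon.retransmit_base
RETRANSMIT_TRIES = 5       # charon.retransmit_tries
RETRANSMIT_LIMIT = 0       # charon.retransmit_limit (0 = no cap)


def retransmit_schedule(timeout=RETRANSMIT_TIMEOUT, base=RETRANSMIT_BASE,
                        tries=RETRANSMIT_TRIES, limit=RETRANSMIT_LIMIT):
    """Waits (seconds) before retransmit 1..tries, followed by the final wait
    after which charon abandons the request: timeout * base**n, each capped at
    limit when limit > 0. charon.retransmit_jitter is random and left out."""
    waits = []
    for n in range(tries + 1):
        wait = timeout * base ** n
        if limit > 0:
            wait = min(wait, limit)
        waits.append(wait)
    return waits


def time_to_give_up(**kwargs):
    """Seconds from the first send until charon declares the request failed."""
    return sum(retransmit_schedule(**kwargs))


# Constructed from the log excerpt in the thread: only the lines that send or
# resend message ID 24392, with the ">>>" quote markers removed.
SAMPLE_LOG = """\
Oct 20 09:32:43 EGV charon[656]: 07[IKE] sending DPD request
Oct 20 09:32:43 EGV charon[656]: 07[ENC] generating INFORMATIONAL request 24392 [ ]
Oct 20 09:32:47 EGV charon[656]: 06[IKE] retransmit 1 of request with message ID 24392
Oct 20 09:32:54 EGV charon[656]: 09[IKE] retransmit 2 of request with message ID 24392
Oct 20 09:33:07 EGV charon[656]: 15[IKE] retransmit 3 of request with message ID 24392
Oct 20 09:33:30 EGV charon[656]: 15[IKE] retransmit 4 of request with message ID 24392
Oct 20 09:34:12 EGV charon[656]: 15[IKE] retransmit 5 of request with message ID 24392
"""

# Matches the syslog timestamp plus either the first send of a request
# ("generating <EXCHANGE> request <id>") or a retransmit of it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"(?:generating \w+ request (?P<new>\d+)"
    r"|retransmit (?P<n>\d+) of request with message ID (?P<mid>\d+))"
)


def send_times(log, msg_id, year=2022):
    """Timestamps at which request msg_id was sent or resent, in log order.
    Syslog lines carry no year, so it is supplied (2022 per the thread)."""
    times = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if (m.group("new") or m.group("mid")) != str(msg_id):
            continue
        times.append(datetime.strptime(f"{year} {m.group('ts')}",
                                       "%Y %b %d %H:%M:%S"))
    return times


def observed_intervals(times):
    """Gaps in seconds between consecutive (re)sends."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def matches_schedule(intervals, schedule, tolerance=1.0):
    """True if each observed gap is within tolerance of the computed wait
    (syslog has 1 s resolution, so sub-second differences are expected)."""
    if len(intervals) > len(schedule):
        return False
    return all(abs(o - e) <= tolerance for o, e in zip(intervals, schedule))


def predicted_give_up(times, schedule):
    """Moment charon would abandon the request: first send plus all waits."""
    return times[0] + timedelta(seconds=sum(schedule))


if __name__ == "__main__":
    sched = retransmit_schedule()
    ts = send_times(SAMPLE_LOG, 24392)
    gaps = observed_intervals(ts)
    print("computed waits: ", [round(w, 1) for w in sched])
    print("observed gaps:  ", gaps)
    print("follows defaults:", matches_schedule(gaps, sched))
    print("total before give-up: %.0f s" % time_to_give_up())
    print("charon would give up at:", predicted_give_up(ts, sched).time())
```

Run as is, the script reports that the five observed gaps track the default schedule and that charon would only have abandoned the DPD request roughly 165 s after the first send, about 09:35:28. The local watchdog restarted ipsec at 09:34:13, before that point, which is consistent with the reply: under IKEv2 the dpdtimeout=10 line has no effect, and dpdaction=restart would only fire once the retransmit schedule is exhausted. Shortening the schedule is done through charon.retransmit_timeout, charon.retransmit_base, charon.retransmit_tries or charon.retransmit_limit in strongswan.conf, and the functions above can be called with the intended values to see the resulting waits before changing a device in the field.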