Hi Paul

No, the config lines are not ignored. Here is the status output; it shows 'ike_life: 86400s' and 'ipsec_life: 28800s' in effect:

[root@vpn3 ipsec.d]# ipsec auto --status | grep bkp/0x2
000 "bkp/0x2": 172.16.80.0/20===11.22.33.44<11.22.33.44>...55.66.77.88<55.66.77.88>===10.1.102.0/24; erouted; eroute owner: #94673 000 "bkp/0x2": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown; 000 "bkp/0x2": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "bkp/0x2":   our auth:secret, their auth:secret
000 "bkp/0x2": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "bkp/0x2":   policy_label:unset;
000 "bkp/0x2": ike_life: 86400s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 300s; rekey_fuzz: 100%; keyingtries: 3;
000 "bkp/0x2":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "bkp/0x2": initial-contact:yes; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no; 000 "bkp/0x2": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "bkp/0x2":   v2-auth-hash-policy: none;
000 "bkp/0x2": conn_prio: 20,24; interface: bond0.5; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none; 000 "bkp/0x2": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto; 000 "bkp/0x2": our idtype: ID_IPV4_ADDR; our id=11.22.33.44; their idtype: ID_IPV4_ADDR; their id=55.66.77.88 000 "bkp/0x2": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "bkp/0x2":   newest ISAKMP SA: #94672; newest IPsec SA: #94673;
000 "bkp/0x2":   aliases: bkp
000 "bkp/0x2":   IKEv2 algorithm newest: AES_CBC_256-HMAC_SHA2_256-MODP2048
000 "bkp/0x2": ESP algorithm newest: AES_CBC_256-HMAC_SHA2_256_128; pfsgroup=<Phase1> 000 #94672: "bkp/0x2":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REKEY in 79663s; newest ISAKMP; idle;

Here is the log (also grep'ed for 'bkp/0x2'):

May 14 09:09:26.961678: added connection description "bkp/0x1"
May 14 09:09:26.961850: added connection description "bkp/0x2"
May 14 09:09:26.962022: added connection description "bkp/0x3"
May 14 09:09:26.962146: added connection description "bkp/0x4"
May 14 09:09:45.765182: "bkp/0x2" #94267: initiating IKEv2 IKE SA
May 14 09:09:45.765214: "bkp/0x2": local IKE proposals (IKE SA initiator selecting KE): May 14 09:09:45.765223: "bkp/0x2": 1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 May 14 09:09:45.765229: "bkp/0x2": 2:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 May 14 09:09:45.765235: "bkp/0x2": 3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 May 14 09:09:45.765241: "bkp/0x2": 4:IKE=AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 May 14 09:09:45.766146: "bkp/0x2" #94267: STATE_PARENT_I1: sent v2I1, expected v2R1
May 14 09:09:45.805238: "bkp/0x2" #94267: sending INITIAL_CONTACT
May 14 09:09:45.805354: "bkp/0x2": local ESP/AH proposals (IKE SA initiator emitting ESP/AH proposals):
May 14 09:09:45.805365: "bkp/0x2":   1:ESP=AES_GCM_C_256-NONE-NONE-DISABLED
May 14 09:09:45.805370: "bkp/0x2":   2:ESP=AES_GCM_C_128-NONE-NONE-DISABLED
May 14 09:09:45.805375: "bkp/0x2": 3:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-DISABLED May 14 09:09:45.805380: "bkp/0x2": 4:ESP=AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-DISABLED May 14 09:09:45.805415: "bkp/0x2" #94268: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048} May 14 09:09:45.842717: "bkp/0x2" #94268: IKEv2 mode peer ID is ID_IPV4_ADDR: '55.66.77.88'
May 14 09:09:45.842836: "bkp/0x2" #94268: Authenticated using authby=secret
May 14 09:09:45.873138: "bkp/0x2" #94268: negotiated connection [172.16.80.0-172.16.95.255:0-65535 0] -> [10.1.102.0-10.1.102.255:0-65535 0] May 14 09:09:45.873173: "bkp/0x2" #94268: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x2c052ce7 <0xa8985bfa xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive} May 14 10:17:15.373003: "bkp/0x2" #94268: deleting other state #94268 (STATE_CHILDSA_DEL) aged 4049.567s and NOT sending notification May 14 10:17:15.393644: "bkp/0x2" #94267: deleting state (STATE_IKESA_DEL) aged 4049.628s and NOT sending notification May 14 10:17:15.393727: "bkp/0x2" #94267: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS May 14 10:17:15.393939: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy
May 14 10:17:15.394011: "bkp/0x2" #94344: initiating IKEv2 IKE SA
May 14 10:17:15.395556: "bkp/0x2" #94344: STATE_PARENT_I1: sent v2I1, expected v2R1
May 14 10:17:15.435288: "bkp/0x2" #94344: sending INITIAL_CONTACT
May 14 10:17:15.435418: "bkp/0x2" #94345: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048} May 14 10:17:15.472627: "bkp/0x2" #94345: IKEv2 mode peer ID is ID_IPV4_ADDR: '55.66.77.88'
May 14 10:17:15.472730: "bkp/0x2" #94345: Authenticated using authby=secret
May 14 10:17:15.480988: "bkp/0x2" #94345: negotiated connection [172.16.80.0-172.16.95.255:0-65535 0] -> [10.1.102.0-10.1.102.255:0-65535 0] May 14 10:17:15.481004: "bkp/0x2" #94345: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x7c43602b <0x229a1b14 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive} May 14 11:09:06.248788: "bkp/0x2" #94345: deleting other state #94345 (STATE_CHILDSA_DEL) aged 3110.813s and NOT sending notification May 14 11:09:06.257425: "bkp/0x2" #94344: deleting state (STATE_IKESA_DEL) aged 3110.863s and NOT sending notification May 14 11:09:06.257479: "bkp/0x2" #94344: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS May 14 11:09:06.257584: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy
May 14 11:09:06.257621: "bkp/0x2" #94406: initiating IKEv2 IKE SA
May 14 11:09:06.258423: "bkp/0x2" #94406: STATE_PARENT_I1: sent v2I1, expected v2R1
May 14 11:09:06.297743: "bkp/0x2" #94406: sending INITIAL_CONTACT
May 14 11:09:06.297895: "bkp/0x2" #94407: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048} May 14 11:09:06.335092: "bkp/0x2" #94407: IKEv2 mode peer ID is ID_IPV4_ADDR: '55.66.77.88'
May 14 11:09:06.335208: "bkp/0x2" #94407: Authenticated using authby=secret
May 14 11:09:06.344054: "bkp/0x2" #94407: negotiated connection [172.16.80.0-172.16.95.255:0-65535 0] -> [10.1.102.0-10.1.102.255:0-65535 0] May 14 11:09:06.344073: "bkp/0x2" #94407: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x03f2c7bd <0xfb8a1abc xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive} May 14 11:42:01.679896: "bkp/0x2" #94407: deleting other state #94407 (STATE_CHILDSA_DEL) aged 1975.382s and NOT sending notification May 14 11:42:01.688602: "bkp/0x2" #94406: deleting state (STATE_IKESA_DEL) aged 1975.430s and NOT sending notification May 14 11:42:01.688648: "bkp/0x2" #94406: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS May 14 11:42:01.688746: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy
May 14 11:42:01.688783: "bkp/0x2" #94484: initiating IKEv2 IKE SA
May 14 11:42:01.689662: "bkp/0x2" #94484: STATE_PARENT_I1: sent v2I1, expected v2R1
May 14 11:42:01.728796: "bkp/0x2" #94484: sending INITIAL_CONTACT
May 14 11:42:01.728933: "bkp/0x2" #94485: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048} May 14 11:42:01.765982: "bkp/0x2" #94485: IKEv2 mode peer ID is ID_IPV4_ADDR: '55.66.77.88'
May 14 11:42:01.766085: "bkp/0x2" #94485: Authenticated using authby=secret
May 14 11:42:01.775101: "bkp/0x2" #94485: negotiated connection [172.16.80.0-172.16.95.255:0-65535 0] -> [10.1.102.0-10.1.102.255:0-65535 0] May 14 11:42:01.775123: "bkp/0x2" #94485: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x05505a16 <0xaae8487c xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive} May 14 11:47:08.277952: "bkp/0x2" #94484: received duplicate INFORMATIONAL message request (Message ID 9); retransmitting response May 14 12:42:01.800669: "bkp/0x2" #94485: deleting other state #94485 (STATE_CHILDSA_DEL) aged 3600.071s and NOT sending notification May 14 12:42:01.809408: "bkp/0x2" #94484: deleting state (STATE_IKESA_DEL) aged 3600.120s and NOT sending notification May 14 12:42:01.809451: "bkp/0x2" #94484: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS May 14 12:42:01.809543: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy
May 14 12:42:01.809578: "bkp/0x2" #94561: initiating IKEv2 IKE SA
May 14 12:42:01.810478: "bkp/0x2" #94561: STATE_PARENT_I1: sent v2I1, expected v2R1
May 14 12:42:01.849643: "bkp/0x2" #94561: sending INITIAL_CONTACT
May 14 12:42:01.849803: "bkp/0x2" #94562: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048} May 14 12:42:01.886922: "bkp/0x2" #94562: IKEv2 mode peer ID is ID_IPV4_ADDR: '55.66.77.88'
May 14 12:42:01.887031: "bkp/0x2" #94562: Authenticated using authby=secret
May 14 12:42:01.896422: "bkp/0x2" #94562: negotiated connection [172.16.80.0-172.16.95.255:0-65535 0] -> [10.1.102.0-10.1.102.255:0-65535 0] May 14 12:42:01.896442: "bkp/0x2" #94562: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xd4e799d0 <0xe0be8f7e xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive} May 14 13:30:01.525511: "bkp/0x2" #94562: deleting other state #94562 (STATE_CHILDSA_DEL) aged 2879.675s and NOT sending notification May 14 13:30:01.534942: "bkp/0x2" #94561: deleting state (STATE_IKESA_DEL) aged 2879.725s and NOT sending notification May 14 13:30:01.534995: "bkp/0x2" #94561: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS May 14 13:30:01.535098: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy
May 14 13:30:01.535136: "bkp/0x2" #94628: initiating IKEv2 IKE SA
May 14 13:30:01.535996: "bkp/0x2" #94628: STATE_PARENT_I1: sent v2I1, expected v2R1
May 14 13:30:01.575206: "bkp/0x2" #94628: sending INITIAL_CONTACT
May 14 13:30:01.575343: "bkp/0x2" #94629: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048} May 14 13:30:01.612611: "bkp/0x2" #94629: IKEv2 mode peer ID is ID_IPV4_ADDR: '55.66.77.88'
May 14 13:30:01.612716: "bkp/0x2" #94629: Authenticated using authby=secret
May 14 13:30:01.621267: "bkp/0x2" #94629: negotiated connection [172.16.80.0-172.16.95.255:0-65535 0] -> [10.1.102.0-10.1.102.255:0-65535 0] May 14 13:30:01.621283: "bkp/0x2" #94629: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x77334e93 <0xd5474f6f xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive} May 14 13:46:52.558578: "bkp/0x2" #94628: received duplicate INFORMATIONAL message request (Message ID 32); retransmitting response May 14 14:00:01.944278: "bkp/0x2" #94629: deleting other state #94629 (STATE_CHILDSA_DEL) aged 1800.369s and NOT sending notification May 14 14:00:01.953181: "bkp/0x2" #94628: deleting state (STATE_IKESA_DEL) aged 1800.418s and NOT sending notification May 14 14:00:01.953235: "bkp/0x2" #94628: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS May 14 14:00:01.953334: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy
May 14 14:00:01.953376: "bkp/0x2" #94672: initiating IKEv2 IKE SA
May 14 14:00:01.954247: "bkp/0x2" #94672: STATE_PARENT_I1: sent v2I1, expected v2R1
May 14 14:00:02.005553: "bkp/0x2" #94672: sending INITIAL_CONTACT
May 14 14:00:02.005687: "bkp/0x2" #94673: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048} May 14 14:00:02.042487: "bkp/0x2" #94673: IKEv2 mode peer ID is ID_IPV4_ADDR: '55.66.77.88'
May 14 14:00:02.042589: "bkp/0x2" #94673: Authenticated using authby=secret
May 14 14:00:02.051502: "bkp/0x2" #94673: negotiated connection [172.16.80.0-172.16.95.255:0-65535 0] -> [10.1.102.0-10.1.102.255:0-65535 0] May 14 14:00:02.051522: "bkp/0x2" #94673: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xc2f3aa1d <0x5e50bde1 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}


On 14.05.2021 14:51, Paul Wouters wrote:
If you have those empty lines in your config, perhaps that is causing the lines
to be ignored?

Otherwise, show us the logs from the rekey event? It should tell us why.

Sent from my iPhone

On May 14, 2021, at 03:46, Ivan Kuznetsov <k...@solvo.ru> wrote:

Hello

We use libreswan 3.32 under Linux and have an IPsec peer that recently upgraded their
Cisco ASA. The tunnel was migrated to IKEv2. All works fine except that the libreswan
side restarts the ISAKMP SA too often, mostly after 1h. ESP is restarted too. The lifetime
settings are 24h for phase 1 and 8h for phase 2 on both sides; rekeymargin
has its default value (300s).

Why does libreswan drop the ISAKMP SA regardless of the explicit settings?

Libreswan configuration:

conn bkp
        type=tunnel
        auto=start
        authby=secret
        left=11.22.33.44
        leftsubnet=172.16.80.0/20
        right=55.66.77.88
rightsubnets=10.1.208.0/28,10.1.102.0/24,10.1.100.22/32,10.1.104.0/29

        ikev2=yes
        ikelifetime=24h
        initial-contact=yes

        phase2=esp
        salifetime=8h
#        BKP's Cisco ASA behaves oddly regarding DH groups on phase2
#        pfs=no

        rekey=yes
        rekeymargin=5m
        keyingtries=3

        fragmentation=yes
#        BKP's Cisco ASA has nonstandard DPD
#        dpddelay=30
#        dpdtimeout=120
#        dpdaction=restart


Libreswan log is attached

--
Regards, Ivan Kuznetsov
SOLVO ltd
<bkp.log>

--
Regards, Ivan Kuznetsov
SOLVO ltd
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
