On Tue, Jun 09, 2020 at 08:13:53PM +0000, Leclerc, Sebastien wrote:
> > > > Before 6.7 iked didn't start DPD in this particular case.
> > > > It kicks in if the tunnel is up and there haven't been any incoming ESP
> > > > packets in the last 5 minutes.
> > > > A possible workaround would be to ping through the tunnel to have at
> > > > least one incoming packet every 5 minutes.
> > >
> > > There are definitely ESP packets continuously, as there are 3-8 RDP
> > > sessions in this tunnel during work hours. That's why it's a problem,
> > > people get their RDP session disconnected every 8 minutes.
> > >
> > 
> > If true that would certainly be a bug.
> > Could you try running iked with -dvv and look for ikev2_ike_sa_alive
> > messages?
> > It should look like this:
> > 
> > ikev2_ike_sa_alive: incoming CHILD SA spi 0x88888888 last used 0 second(s) ago
> 
> spi=0x09ce404cdca4ee1d: ikev2_childsa_enable: loaded SPIs: 0x4cd06b6d, 0x0e7dbe7d
> spi=0x09ce404cdca4ee1d: ikev2_childsa_enable: loaded flows: ESP-192.168.1.0/24=192.168.100.0/24(0), ESP-192.168.1.0/24=192.168.150.0/24(0), ESP-192.0.2.2/32=192.0.2.199/32(0)
> spi=0x09ce404cdca4ee1d: sa_state: VALID -> ESTABLISHED from 192.0.2.199:500 to 192.0.2.2:500 policy 'POLICYNAME'
> spi=0x09ce404cdca4ee1d: established peer 192.0.2.199:500[IPV4/192.0.2.199] local 192.0.2.2:500[IPV4/192.0.2.2] policy 'POLICYNAME' as initiator
> ...
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x0e7dbe7d last used 1 second(s) ago
> 
> I don't see the ikev2_ike_sa_alive message for the other SPI (0x4cd06b6d), is it normal?

This is normal.

> And then it doesn't reply back:
> 
> ikev2_ike_sa_alive: IKE SA 0xed2d646c000 ispi 0x09ce404cdca4ee1d rspi 0x714a5bb2f7ccc4d4 last received 300 second(s) ago
> ikev2_ike_sa_alive: sending alive check
> ikev2_msg_encrypt: decrypted length 4
> ikev2_msg_encrypt: padded length 16
> ikev2_msg_encrypt: length 5, padding 11, output length 44
> ikev2_next_payload: length 48 nextpayload NONE
> ikev2_msg_integr: message length 76
> ikev2_msg_integr: integrity checksum length 12
> ikev2_pld_parse: header ispi 0x09ce404cdca4ee1d rspi 0x714a5bb2f7ccc4d4 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x08 msgid 2 length 76 response 0
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 48
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 12
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 11
> spi=0x09ce404cdca4ee1d: send INFORMATIONAL req 2 peer 192.0.2.199:500 local 192.0.2.2:500, 76 bytes
> ...
> spi=0x09ce404cdca4ee1d: retransmit 1 INFORMATIONAL req 2 peer 192.0.2.199:500 local 192.0.2.2:500
> ...
> spi=0x09ce404cdca4ee1d: retransmit 2 INFORMATIONAL req 2 peer 192.0.2.199:500 local 192.0.2.2:500
> spi=0x09ce404cdca4ee1d: retransmit 3 INFORMATIONAL req 2 peer 192.0.2.199:500 local 192.0.2.2:500
> spi=0x09ce404cdca4ee1d: retransmit 4 INFORMATIONAL req 2 peer 192.0.2.199:500 local 192.0.2.2:500
> ...
> ikev2_ike_sa_alive: IKE SA 0xed2d646c000 ispi 0x09ce404cdca4ee1d rspi 0x714a5bb2f7ccc4d4 last received 360 second(s) ago
> ...
> spi=0x09ce404cdca4ee1d: retransmit 5 INFORMATIONAL req 2 peer 192.0.2.199:500 local 192.0.2.2:500
> ...
> ikev2_ike_sa_alive: IKE SA 0xed2d646c000 ispi 0x09ce404cdca4ee1d rspi 0x714a5bb2f7ccc4d4 last received 420 second(s) ago
> ...
> ikev2_msg_retransmit_timeout: retransmit limit reached for req 2
> spi=0x09ce404cdca4ee1d: sa_free: retransmit limit reached
> config_free_proposals: free 0xed2a4156f80
> config_free_proposals: free 0xed2a4156180
> config_free_childsas: free 0xed2c6179700
> config_free_childsas: free 0xed275c07400
> config_free_childsas: free 0xed33fcbba00
> config_free_childsas: free 0xed2c6177200
> sa_free_flows: free 0xed247848800
> sa_free_flows: free 0xed2b3308800
> sa_free_flows: free 0xed2e78cfc00
> sa_free_flows: free 0xed247849800
> sa_free_flows: free 0xed2e78cf000
> sa_free_flows: free 0xed247848c00
> 
> 
> > "ipsecctl -sa -v" shows you SA packet counters, if you find one that has
> > 0 input packets that's probably the cause.
> 
> All SAs have packet counters > 0, see those for this tunnel:
> 
> esp tunnel from 192.0.2.2 to 192.0.2.199 spi 0x4cd06b6a auth hmac-sha1 enc aes
>         sa: spi 0x4cd06b6a auth hmac-sha1 enc aes
>                 state mature replay 64 flags 0x4<tunnel>
>         lifetime_cur: alloc 0 bytes 501965 add 1591730080 first 1591730081
>         lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
>         lifetime_soft: alloc 0 bytes 497679335 add 10011 first 0
>         address_src: 192.0.2.2
>         address_dst: 192.0.2.199
>         identity_src: type prefix id 0: IPV4/192.0.2.2
>         identity_dst: type prefix id 0: IPV4/192.0.2.199
>         lifetime_lastuse: alloc 0 bytes 0 add 0 first 1591730260
>         counter:
>                 1557 output packets
>                 601368 output bytes
>                 533105 output bytes, uncompressed
> 
> esp tunnel from 192.0.2.199 to 192.0.2.2 spi 0xa2f3ce44 auth hmac-sha1 enc aes
>         sa: spi 0xa2f3ce44 auth hmac-sha1 enc aes
>                 state mature replay 64 flags 0x4<tunnel>
>         lifetime_cur: alloc 0 bytes 308016 add 1591730080 first 1591730081
>         lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
>         lifetime_soft: alloc 0 bytes 461708984 add 9288 first 0
>         address_src: 192.0.2.199
>         address_dst: 192.0.2.2
>         identity_src: type prefix id 0: IPV4/192.0.2.199
>         identity_dst: type prefix id 0: IPV4/192.0.2.2
>         lifetime_lastuse: alloc 0 bytes 0 add 0 first 1591730260
>         counter:
>                 1555 input packets
>                 703112 input bytes
>                 323408 input bytes, decompressed
> 

It seems I got it wrong before.  Even when there is ESP traffic, iked is going
to start DPD when there hasn't been any incoming IKE message in the last
5 minutes.

My advice would be to just disable DPD in iked for this specific case.
To do this you will have to patch it and build it from the sources.
Below is a diff that should do the trick.

Index: ikev2.c
===================================================================
RCS file: /cvs/src/sbin/iked/ikev2.c,v
retrieving revision 1.231
diff -u -p -r1.231 ikev2.c
--- ikev2.c     9 Jun 2020 21:53:26 -0000       1.231
+++ ikev2.c     10 Jun 2020 11:02:39 -0000
@@ -4391,7 +4391,7 @@ ikev2_ike_sa_alive(struct iked *env, voi
         * SA, or if we haven't received an IKE message. but only if we
         * are not already waiting for an answer.
         */
-       if (((!foundin && foundout) || ikeidle) &&
+       if ((!foundin && foundout) &&
            (sa->sa_stateflags & (IKED_REQ_CHILDSA|IKED_REQ_INF)) == 0) {
                log_debug("%s: sending alive check", __func__);
                ikev2_send_ike_e(env, sa, NULL, IKEV2_PAYLOAD_NONE,
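Review bot: the comment directly above the changed condition still says the alive check is sent "or if we haven't received an IKE message", but the `-`/`+` pair removes the `ikeidle` term, so after this change only the no-incoming-but-outgoing ESP case triggers DPD; the comment should be updated to match. If `ikeidle` is not referenced anywhere else in ikev2_ike_sa_alive(), it is now computed but never read and the compiler may warn about a set-but-unused variable, so its computation should go too. The redundant parentheses in `if ((!foundin && foundout) &&` can be simplified to `if (!foundin && foundout &&`. Anyone applying this locally should keep in mind that a peer that goes away silently is then only detected once ESP traffic becomes outbound-only, not by the IKE-level idle timer.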

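As an added diagnostic, not code from this thread or from iked, here is a short Python script that reads an iked -dvv excerpt like the one quoted above and reports, per IKE SA, whether the teardown followed idle ESP (a genuinely dead peer) or happened while a CHILD SA was still in use, which is the case described in this thread. The sample log is constructed from the quoted lines, and the verdict labels are my own.

```python
import re

# Constructed sample: lines quoted from the iked -dvv output earlier in this
# thread, with the encrypt/decrypt chatter dropped.
SAMPLE_LOG = """\
ikev2_ike_sa_alive: incoming CHILD SA spi 0x0e7dbe7d last used 1 second(s) ago
ikev2_ike_sa_alive: IKE SA 0xed2d646c000 ispi 0x09ce404cdca4ee1d rspi 0x714a5bb2f7ccc4d4 last received 300 second(s) ago
ikev2_ike_sa_alive: sending alive check
spi=0x09ce404cdca4ee1d: retransmit 1 INFORMATIONAL req 2 peer 192.0.2.199:500 local 192.0.2.2:500
ikev2_ike_sa_alive: IKE SA 0xed2d646c000 ispi 0x09ce404cdca4ee1d rspi 0x714a5bb2f7ccc4d4 last received 360 second(s) ago
spi=0x09ce404cdca4ee1d: retransmit 5 INFORMATIONAL req 2 peer 192.0.2.199:500 local 192.0.2.2:500
ikev2_msg_retransmit_timeout: retransmit limit reached for req 2
spi=0x09ce404cdca4ee1d: sa_free: retransmit limit reached
"""

CHILD_RE = re.compile(r"incoming CHILD SA spi (0x[0-9a-f]+) last used (\d+) second")
IKE_RE = re.compile(r"IKE SA \S+ ispi (0x[0-9a-f]+) rspi \S+ last received (\d+) second")
RETRANS_RE = re.compile(r"spi=(0x[0-9a-f]+): retransmit (\d+) INFORMATIONAL")
FREE_RE = re.compile(r"spi=(0x[0-9a-f]+): sa_free: retransmit limit reached")
IKE_IDLE_LIMIT = 300  # the 5-minute IKE-idle threshold described in the thread

def _sa(sas, ispi):
    return sas.setdefault(ispi, {"child_last_used": float("inf"),
                                 "ike_last_received": 0, "retransmits": 0, "freed": False})

def analyze_dpd(log):
    """Summarise DPD activity per IKE SA (keyed by initiator SPI). Assumes the
    excerpt covers one IKE SA, so CHILD SA 'last used' lines belong to it."""
    sas, child_last_used = {}, float("inf")
    for line in log.splitlines():
        if m := CHILD_RE.search(line):
            child_last_used = min(child_last_used, int(m.group(2)))
        elif m := IKE_RE.search(line):
            sa = _sa(sas, m.group(1))
            sa["ike_last_received"] = max(sa["ike_last_received"], int(m.group(2)))
            sa["child_last_used"] = child_last_used
        elif m := RETRANS_RE.search(line):
            sa = _sa(sas, m.group(1))
            sa["retransmits"] = max(sa["retransmits"], int(m.group(2)))
        elif m := FREE_RE.search(line):
            _sa(sas, m.group(1))["freed"] = True
    for sa in sas.values():
        if not sa["freed"]:
            sa["verdict"] = "sa-alive"
        elif sa["child_last_used"] < IKE_IDLE_LIMIT:
            sa["verdict"] = "ike-idle-teardown-with-live-esp"  # the symptom in this thread
        else:
            sa["verdict"] = "dead-peer"
    return sas
```

Run it over a full `iked -dvv` capture to confirm whether an SA was freed by the IKE-idle trigger while ESP was still flowing before deciding to patch.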