Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds

2018-07-24 Thread Doug Tucker
I did indeed change the value from no to yes with delete_rekeyed in 
charon.conf.  I also tried setting it in the strongswan.conf itself; neither 
has any effect on the spawned rekeys.


I got the config and the debug logs from the customer (he is using a Cisco 
router).  I don't see anything in his config that stands out that would cause 
this, and while we see the event in his logs just like with ours, there is no 
indication as to why it is happening.  He has dozens of other tunnels to other 
locations on this device and they don't appear to occur with them.


Thank you for all of the feedback.


Doug Tucker

Sr. Network Administrator

o: 817.975.5832  |  m: 817.975.5832

e: doug.tuc...@newscycle.com



[Newscycle Solutions]<http://www.newscycle.com/>

Breakthrough technologies for media



Twitter<http://www.twitter.com/newscycle_news>  |  
Facebook<https://www.facebook.com/NEWSCYCLESolutions>  |  
Linkedin<https://www.linkedin.com/company/newscycle-solutions>



CONFIDENTIALITY NOTICE: The contents of this email message and any attachments 
are intended solely for the addressee(s) and may contain confidential and/or 
privileged information and may be legally protected from disclosure. If you are 
not the intended recipient of this message or their agent, or if this message 
has been addressed to you in error, please immediately alert the sender by 
reply email and then delete this message and any attachments. If you are not 
the intended recipient, you are hereby notified that any use, dissemination, 
copying, or storage of this message or its attachments is strictly prohibited.




Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds

2018-07-24 Thread Noel Kuntze
You really need to get logs from the other side.
Evidently, as shown by the logs you provided, _the other side_ is requesting 
those tunnels.
And it is likely that you did not set the value correctly.
In (/etc/strongswan.d/)charon.conf, the value should be set. Check if that is 
the case.


Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds

2018-07-24 Thread Doug Tucker
Setting that value had a negative effect.  Not only is it not deleting the old 
rekeys (they continue to accumulate at 1 every 30 seconds or so), but now it 
creates 2 installed tunnels:


     sph-main{8}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ccf1f516_i 968001a4_o
     sph-main{8}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
     sph-main{8}:   x.x.x.x/16 === x.x.x.x/28
     sph-main{9}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c57fde42_i 7d27b8fb_o
     sph-main{9}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
     sph-main{9}:   x.x.x.x/16 === x.x.x.x/28





Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds

2018-07-24 Thread Doug Tucker
I have auto = ignore, closeaction = clear, and have not defined anything for 
uniqueids.



Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds

2018-07-24 Thread Jafar Al-Gharaibeh

Doug,

Check your configuration; if you have:

uniqueids=yes
auto=start
closeaction=restart

Then that is the cause of the issue. That is a bad combination that gets 
you in an infinite rekey loop.


--Jafar


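
The combination Jafar names can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from the strongSwan project: a small ipsec.conf parser that applies `conn %default` inheritance, treats an unset `uniqueids` as `yes` (its documented default in `config setup`), and reports conns that combine `auto=start` with `closeaction=restart`. The two config texts are constructed for illustration; the only settings the thread actually confirms for the poster's connection are `auto=ignore`, `closeaction=clear` and `uniqueids` left unset. `also=` chaining is deliberately not resolved.

```python
# Added example: lint an ipsec.conf for the uniqueids=yes / auto=start /
# closeaction=restart combination. Not code from the thread or from strongSwan.

# Constructed ipsec.conf shaped like the poster's "sph-main" connection.
# Everything except auto/closeaction/uniqueids is an illustrative assumption.
IPSEC_CONF_BAD = """\
config setup
    uniqueids=yes

conn %default
    keyexchange=ikev1
    authby=secret

conn sph-main
    left=%any
    right=203.0.113.10
    auto=start
    closeaction=restart
    dpdaction=clear
"""

# Constructed to reflect what the poster reports: auto=ignore, closeaction=clear,
# uniqueids never mentioned (so it takes its default of yes).
IPSEC_CONF_POSTED = """\
config setup

conn sph-main
    keyexchange=ikev1
    authby=secret
    auto=ignore
    closeaction=clear
    dpdaction=clear
"""


def parse_ipsec_conf(text):
    """Return (setup, conns): 'config setup' keys and {conn_name: {key: value}}.

    A section header ('config setup' or 'conn <name>') starts at column 0; the
    indented 'key=value' lines that follow belong to it. Comments and blank
    lines are skipped; 'also=' chaining is deliberately not resolved.
    """
    setup, conns = {}, {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            kind, _, name = raw.strip().partition(" ")
            if kind == "config" and name.strip() == "setup":
                current = setup
            elif kind == "conn" and name.strip():
                current = conns.setdefault(name.strip(), {})
            else:
                raise ValueError(f"unexpected section line: {raw!r}")
            continue
        if current is None:
            raise ValueError(f"setting outside any section: {raw!r}")
        key, sep, value = raw.strip().partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {raw!r}")
        current[key.strip()] = value.strip()
    return setup, conns


def effective_conn(conns, name):
    """Apply 'conn %default' underneath a named conn, as strongSwan does."""
    merged = dict(conns.get("%default", {}))
    merged.update(conns[name])
    return merged


def rekey_loop_risks(text):
    """Names of conns that combine uniqueids=yes, auto=start and closeaction=restart.

    uniqueids lives in 'config setup' and defaults to yes, so a file that never
    mentions it still counts as yes. auto defaults to ignore and closeaction to
    none, so those two must be set explicitly to trigger the finding.
    """
    setup, conns = parse_ipsec_conf(text)
    uniqueids = setup.get("uniqueids", "yes")
    risky = []
    for name in conns:
        if name == "%default":
            continue
        conn = effective_conn(conns, name)
        if (uniqueids == "yes" and conn.get("auto") == "start"
                and conn.get("closeaction") == "restart"):
            risky.append(name)
    return risky


if __name__ == "__main__":
    print("risky conns (bad config):   ", rekey_loop_risks(IPSEC_CONF_BAD))
    print("risky conns (posted config):", rekey_loop_risks(IPSEC_CONF_POSTED))
```

Run `rekey_loop_risks()` over the real /etc/ipsec.conf; an empty result rules out the config-side loop Jafar describes and leaves the peer's logs as the next thing to look at.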

Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds

2018-07-24 Thread Noel Kuntze
Hi,

You can use charon.delete_rekeyed = yes. But the better solution is to check 
the logs of the CISCO side to understand why it is doing that.

Kind regards

Noel

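
Both of Noel's replies turn on the same detail: `charon.delete_rekeyed` is a dotted path into the nested sections of strongswan.conf, so the line `delete_rekeyed = yes` only takes effect inside a `charon { ... }` block (which is how `/etc/strongswan.d/charon.conf` is laid out), not at the top level of strongswan.conf. The following is an added example, not code from this thread or from strongSwan: a parser for the subset of strongswan.conf syntax used here that resolves keys to dotted paths and flags a key placed at the wrong depth. The two config texts are constructed; the option names in them are real charon settings, the file contents are illustrative.

```python
# Added example: resolve strongswan.conf keys to dotted paths and show why a
# 'delete_rekeyed = yes' outside the charon { } section has no effect.
# Not code from the thread or from strongSwan.

# Constructed excerpt in the shape of /etc/strongswan.d/charon.conf. The option
# names are real charon settings; the file content itself is illustrative.
CHARON_CONF_OK = """\
charon {
    # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
    delete_rekeyed = yes
    install_routes = yes
    plugins {
        kernel-netlink {
        }
    }
}
"""

# Constructed strongswan.conf with the key at the top level: charon looks up
# charon.delete_rekeyed and never consults a bare delete_rekeyed.
STRONGSWAN_CONF_WRONG = """\
delete_rekeyed = yes
charon {
    load_modular = yes
}
"""


def parse_strongswan_conf(text):
    """Flatten 'section { key = value }' syntax into {'a.b.key': 'value'}.

    Handles nested sections, '#' comments and 'key = value' lines; 'include'
    directives, quoted values and multi-line values are out of scope here.
    """
    settings = {}
    path = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            if not path:
                raise ValueError("unbalanced '}'")
            path.pop()
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"not a 'key = value' line: {raw!r}")
            settings[".".join(path + [key.strip()])] = value.strip()
    if path:
        raise ValueError("unclosed section: " + ".".join(path))
    return settings


def setting_is_yes(text, dotted_key):
    """True only if dotted_key is set to yes at exactly that section depth."""
    return parse_strongswan_conf(text).get(dotted_key, "no").lower() == "yes"


def misplaced_keys(text, dotted_key):
    """Keys with the right name but the wrong section path: the usual reason an
    option that 'was set' still does nothing."""
    leaf = dotted_key.rsplit(".", 1)[-1]
    return [k for k in parse_strongswan_conf(text)
            if k != dotted_key and k.rsplit(".", 1)[-1] == leaf]


if __name__ == "__main__":
    for label, conf in (("charon.conf", CHARON_CONF_OK),
                        ("strongswan.conf", STRONGSWAN_CONF_WRONG)):
        print(f"{label}: charon.delete_rekeyed effective = "
              f"{setting_is_yes(conf, 'charon.delete_rekeyed')}, "
              f"misplaced = {misplaced_keys(conf, 'charon.delete_rekeyed')}")
```

Point `parse_strongswan_conf()` at the file you edited and look up `charon.delete_rekeyed` in the result; if the key comes back under a different path, the daemon never saw the setting, whatever the file looked like.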

[strongSwan] Strongswan 5.6.3 rekey every 30 seconds

2018-07-23 Thread Doug Tucker
Have an issue I've never seen before.  Connecting to a remote Cisco router.  
Have verified settings on the Cisco, our rekey options look the same.  We get 
an established connection, then 30 seconds later a rekey happens and it 
installs under the new one.  This goes on forever.  Here are the logs showing 
the original and 1 rekey.  If allowed to continue the number of SA increments 
as such:


Connections:
     sph-main:  x.x.x.x...x.x.x.x  IKEv1, dpddelay=15s
     sph-main:   local:  [x.x.x.x] uses pre-shared key authentication
     sph-main:   remote: [x.x.x.x] uses pre-shared key authentication
     sph-main:   child:  x.x.0.0/16 === x.x.x.x/28 TUNNEL, dpdaction=clear
Routed Connections:
     sph-main{1}:  ROUTED, TUNNEL, reqid 1
     sph-main{1}:   x.x.0.0/16 === x.x.x.x/28
Security Associations (1 up, 0 connecting):
     sph-main[1]: ESTABLISHED 3 minutes ago, x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x]
     sph-main[1]: IKEv1 SPIs: 6a4fba86489e9e61_i a244a0079084bf87_r*, pre-shared key reauthentication in 7 hours
     sph-main[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
     sph-main{2}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
     sph-main{2}:   x.x.0.0/16 === x.x.x.x/28
     sph-main{3}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
     sph-main{3}:   x.x.0.0/16 === x.x.x.x/28
     sph-main{4}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
     sph-main{4}:   x.x.0.0/16 === x.x.x.x/28
     sph-main{5}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
     sph-main{5}:   x.x.0.0/16 === x.x.x.x/28
     sph-main{6}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
     sph-main{6}:   x.x.0.0/16 === x.x.x.x/28
     sph-main{7}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
     sph-main{7}:   x.x.0.0/16 === x.x.x.x/28
     sph-main{8}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c781d0ed_i d0a8e566_o
     sph-main{8}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
     sph-main{8}:   x.x.0.0/16 === x.x.x.x/28

Here are my logs:


Jul 24 03:17:31 ip-x-x-x-x journal: Suppressed 379 messages from /user.slice/user-x0.slice
Jul 24 03:17:31 ip-x-x-x-x charon: 11[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (34x bytes)
Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] parsed ID_PROT request 0 [ KE No V V V NAT-D NAT-D ]
Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received DPD vendor ID
Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] received unknown vendor ID: 9f:xx:1d:9b:4x:9f:9e:61:5e:40:3x:7e:a5:6a:96:1f
Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received XAuth vendor ID
Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] local host is behind NAT, sending keep alives
Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jul 24 03:17:31 ip-x-x-x-x charon: 11[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (30x bytes)
Jul 24 03:17:31 ip-x-x-x-x charon: 12[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (10x bytes)
Jul 24 03:17:31 ip-x-x-x-x charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jul 24 03:17:31 ip-x-x-x-x charon: 12[CFG] looking for pre-shared key peer configs matching x.x.x.x...x.x.x.x[x.x.x.x]
Jul 24 03:17:31 ip-x-x-x-x charon: 12[CFG] selected peer config "sph-main"
Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] IKE_SA sph-main[1] established between x.x.x.x[13.251.151.1x]...x.x.x.x[x.x.x.x]
Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] scheduling reauthentication in 2x02xs
Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] maximum IKE_SA lifetime 2x56xs
Jul 24 03:17:31 ip-x-x-x-x charon: 12[ENC] generating ID_PROT response 0 [ ID HASH ]
Jul 24 03:17:31 ip-x-x-x-x charon: 12[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (76 bytes)
Jul 24 03:17:31 ip-x-x-x-x charon: 14[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (3x0 bytes)
Jul 24 03:17:31 ip-x-x-x-x charon: 14[ENC] parsed QUICK_MODE request 225x9x7323 [ HASH SA No KE ID ID ]
Jul 24 03:17:31 ip-x-x-x-x charon: 14[IKE] received 460x00 lifebytes, configured 0
Jul 24 03:17:31 ip-x-x-x-x charon: 14[ENC] generating QUICK_MODE response 225x9x7323 [ HASH SA No KE ID ID ]
Jul 24 03:17:31 ip-x-x-x-x charon: 14[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (396 bytes)
Jul 24 03:17:31 ip-x-x-x-x charon: 15[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (60 bytes)
Jul 24 03:17:31 ip-x-x-x-x charon: 15[ENC] parsed QUICK_MODE request 225x9x7323 [ HASH ]
Jul 24 03:17:31 ip-x-x-x-x charon: 15[IKE] CHILD_SA sph-main{2} established with SPIs cx2f9f6f_i c4cx6290_o and TS x.x.0.0/16 === x.x.x.x/2x


Jul 24 03:17:46 ip-x-x-x-x charon: 05[IKE] sending DPD request
Jul 24 03:17:46 ip-x-x-x-x charon: 05[ENC] generating INFORMATIONAL_V1 request 43665939 [ HASH N(DPD) ]
Jul 24 03:17:46 ip-x-x-x-x charon: 05[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
Jul 24 03:17:46 ip-x-x-x-x charon: 07[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
Jul 24 03:17:46 ip-x-x-x-x charon:
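
As an added example (not code from the original post or from strongSwan), here is the check a practitioner would script against the two artefacts posted above: the `ipsec statusall` output, where the tell-tale is several REKEYED CHILD_SAs sharing one reqid while their expiry is still hours away, and the charon log, where the interval between consecutive `CHILD_SA ... established` events should be close to the configured lifetime rather than seconds. With IKEv1 the old CHILD_SA stays in REKEYED state until its own lifetime runs out (unless `charon.delete_rekeyed` is set), so one lingering REKEYED entry around rekey time is normal; a growing pile of them is not. The status and log samples are constructed to match the format shown in the post; the SPIs, the extra established lines and their 30-second spacing are assumptions, as is the year, which syslog timestamps omit.

```python
# Added example: spot a rekey storm from 'ipsec statusall' output and from
# charon log lines. Not code from the original post or from strongSwan.
import re
from datetime import datetime

# Constructed to match the format of the poster's statusall output; addresses
# and SPIs are placeholders just as in the post.
STATUS_SAMPLE = """\
Security Associations (1 up, 0 connecting):
     sph-main[1]: ESTABLISHED 3 minutes ago, x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x]
     sph-main[1]: IKEv1 SPIs: 6a4fba86489e9e61_i a244a0079084bf87_r*, pre-shared key reauthentication in 7 hours
     sph-main{2}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
     sph-main{2}:   x.x.0.0/16 === x.x.x.x/28
     sph-main{3}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
     sph-main{3}:   x.x.0.0/16 === x.x.x.x/28
     sph-main{4}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
     sph-main{4}:   x.x.0.0/16 === x.x.x.x/28
     sph-main{8}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c781d0ed_i d0a8e566_o
     sph-main{8}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
     sph-main{8}:   x.x.0.0/16 === x.x.x.x/28
"""

# Constructed charon log lines in the post's format. The 30-second spacing and
# the SPIs are assumptions made for the example.
LOG_SAMPLE = """\
Jul 24 03:17:31 ip-x-x-x-x charon: 15[IKE] CHILD_SA sph-main{2} established with SPIs c0000002_i c0000002_o and TS x.x.0.0/16 === x.x.x.x/28
Jul 24 03:17:46 ip-x-x-x-x charon: 05[IKE] sending DPD request
Jul 24 03:18:01 ip-x-x-x-x charon: 09[IKE] CHILD_SA sph-main{3} established with SPIs c0000003_i c0000003_o and TS x.x.0.0/16 === x.x.x.x/28
Jul 24 03:18:31 ip-x-x-x-x charon: 12[IKE] CHILD_SA sph-main{4} established with SPIs c0000004_i c0000004_o and TS x.x.0.0/16 === x.x.x.x/28
"""

# CHILD_SA summary line: '<conn>{<id>}:  <STATE>, <MODE>, reqid <n>, ...'
CHILD_RE = re.compile(
    r"^\s*(?P<conn>[^\s{]+)\{(?P<id>\d+)\}:\s+(?P<state>[A-Z]+),\s+\w+,\s+reqid\s+(?P<reqid>\d+)")
# '... charon: <thread>[IKE] CHILD_SA <conn>{<id>} established ...'
ESTABLISHED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+charon:\s+\d+\[IKE\]\s+"
    r"CHILD_SA\s+(?P<conn>[^\s{]+)\{\d+\}\s+established")


def child_sa_states(status_text):
    """Count CHILD_SA states per (conn, reqid): {('sph-main', 1): {'REKEYED': 3, ...}}."""
    counts = {}
    for line in status_text.splitlines():
        m = CHILD_RE.match(line)
        if m:
            per_reqid = counts.setdefault((m["conn"], int(m["reqid"])), {})
            per_reqid[m["state"]] = per_reqid.get(m["state"], 0) + 1
    return counts


def rekey_storm_candidates(counts, max_rekeyed=2):
    """(conn, reqid) pairs carrying more REKEYED predecessors than a normal
    rekey-then-expire cycle leaves behind. Old IKEv1 CHILD_SAs linger in REKEYED
    until their lifetime ends, so one near rekey time is expected; several whose
    expiry is hours away means the peer renegotiates far sooner than the lifetime."""
    return sorted(key for key, st in counts.items()
                  if st.get("REKEYED", 0) > max_rekeyed)


def established_intervals(log_text, year=2018):
    """Seconds between consecutive CHILD_SA establishments per conn. syslog
    timestamps carry no year, so one is supplied (assumed here)."""
    last, gaps = {}, {}
    for line in log_text.splitlines():
        m = ESTABLISHED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["conn"] in last:
            gaps.setdefault(m["conn"], []).append((ts - last[m["conn"]]).total_seconds())
        last[m["conn"]] = ts
    return gaps


if __name__ == "__main__":
    counts = child_sa_states(STATUS_SAMPLE)
    print("CHILD_SA states:", counts)
    print("rekey storm on:", rekey_storm_candidates(counts))
    print("seconds between establishments:", established_intervals(LOG_SAMPLE))
```

Feed `child_sa_states()` the output of `ipsec statusall` and `established_intervals()` the charon log; a reqid that keeps collecting REKEYED entries, together with establishment gaps of tens of seconds against a lifetime of hours, is the pattern the post describes, and the established lines also show which side initiated each Quick Mode exchange.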