Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds
I did indeed change the value from no to yes with delete_rekeyed in charon.conf. I also tried setting it in the strongswan.conf itself, neither has any effect on the the spawned rekeys. I got the config and the debug logs from the customer (he is using a cisco router). I don't see anything in his config that stands out that would cause this, and while we see the event in his logs just like with ours, there is no indication as to why it is happening. He has dozens of other tunnels to other locations on this device and they don't appear to occur with them. Thank you for all of the feedback. Doug Tucker Sr. Network Administrator o: 817.975.5832 | m: 817.975.5832 e: doug.tuc...@newscycle.com [Newscycle Solutions]<http://www.newscycle.com/> Breakthrough technologies for media Twitter<http://www.twitter.com/newscycle_news> | Facebook<https://www.facebook.com/NEWSCYCLESolutions> | Linkedin<https://www.linkedin.com/company/newscycle-solutions> CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited. From: Noel Kuntze Sent: Tuesday, July 24, 2018 9:38:55 AM To: Doug Tucker; users@lists.strongswan.org Subject: Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds You really need to get logs from the other side. Evidently, as shown by the logs you provided, _the other side_ is requesting those tunnels. And it is likely that you did not set the value correctly. In (/etc/strongswan.d/)charon.conf, the value should be set. Check if that is the case. On 24.07.2018 17:25, Doug Tucker wrote: > Setting that value had a negative effect. Not only is it not deleting the > old rekeys (they continue to accumulate at 1 every 30 seconds or so), but now > it creates 2 installed tunnels: > > > sph-main{8}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ccf1f516_i > 968001a4_o > sph-main{8}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, > rekeying in 7 hours > sph-main{8}: x.x.x.x/16 === x.x.x.x/28 > sph-main{9}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c57fde42_i > 7d27b8fb_o > sph-main{9}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, > rekeying in 7 hours > sph-main{9}: x.x.x.x/16 === x.x.x.x/28 > > > > *Doug Tucker* > > Sr. Network Administrator > > *o: *817.975.5832* | *m: 817.975.5832 > > *e:* doug.tuc...@newscycle.com > > * * > > Newscycle Solutions <http://www.newscycle.com/> > > *Breakthrough technologies for media* > > * * > > *Twitter <http://www.twitter.com/newscycle_news>** | Facebook > <https://www.facebook.com/NEWSCYCLESolutions> | Linkedin > <https://www.linkedin.com/company/newscycle-solutions>*** > > * * > > CONFIDENTIALITY NOTICE: The contents of this email message and any > attachments are intended solely for the addressee(s) and may contain > confidential and/or privileged information and may be legally protected from > disclosure. If you are not the intended recipient of this message or their > agent, or if this message has been addressed to you in error, please > immediately alert the sender by reply email and then delete this message and > any attachments. If you are not the intended recipient, you are hereby > notified that any use, dissemination, copying, or storage of this message or > its attachments is strictly prohibited. > > > -
Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds
You really need to get logs from the other side. Evidently, as shown by the logs you provided, _the other side_ is requesting those tunnels. And it is likely that you did not set the value correctly. In (/etc/strongswan.d/)charon.conf, the value should be set. Check if that is the case. On 24.07.2018 17:25, Doug Tucker wrote: > Setting that value had a negative effect. Not only is it not deleting the > old rekeys (they continue to accumulate at 1 every 30 seconds or so), but now > it creates 2 installed tunnels: > > > sph-main{8}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ccf1f516_i > 968001a4_o > sph-main{8}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, > rekeying in 7 hours > sph-main{8}: x.x.x.x/16 === x.x.x.x/28 > sph-main{9}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c57fde42_i > 7d27b8fb_o > sph-main{9}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, > rekeying in 7 hours > sph-main{9}: x.x.x.x/16 === x.x.x.x/28 > > > > *Doug Tucker* > > Sr. Network Administrator > > *o: *817.975.5832* | *m: 817.975.5832 > > *e:* doug.tuc...@newscycle.com > > * * > > Newscycle Solutions <http://www.newscycle.com/> > > *Breakthrough technologies for media* > > * * > > *Twitter <http://www.twitter.com/newscycle_news>** | Facebook > <https://www.facebook.com/NEWSCYCLESolutions> | Linkedin > <https://www.linkedin.com/company/newscycle-solutions>*** > > * * > > CONFIDENTIALITY NOTICE: The contents of this email message and any > attachments are intended solely for the addressee(s) and may contain > confidential and/or privileged information and may be legally protected from > disclosure. If you are not the intended recipient of this message or their > agent, or if this message has been addressed to you in error, please > immediately alert the sender by reply email and then delete this message and > any attachments. If you are not the intended recipient, you are hereby > notified that any use, dissemination, copying, or storage of this message or > its attachments is strictly prohibited. > > > ------------------ > *From:* Noel Kuntze > *Sent:* Tuesday, July 24, 2018 4:02:13 AM > *To:* Doug Tucker; users@lists.strongswan.org > *Subject:* Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds > > Hi, > > You can use charon.delete_rekeyed = yes. But the better solution is to check > the logs of the CISCO side to understand why it is doing that. > > Kind regards > > Noel > > On 24.07.2018 05:29, Doug Tucker wrote: >> >> Have an issue I've never seen before. Connecting to a remote Cisco router. >> Have verified settings on the cisco, our rekey options look the same. We >> get an established connection, then 30 seconds later a rekey happens and it >> installs under the new one. This goes on forever. Here are the logs >> showing the original and 1 rekey. If allowed to continue the number of SA >> increments as such: >> >> >> Connections: >> sph-main: x.x.x.x...x.x.x.x IKEv1, dpddelay=15s >> sph-main: local: [x.x.x.x] uses pre-shared key authentication >> sph-main: remote: [x.x.x.x] uses pre-shared key authentication >> sph-main: child: x.x.0.0/16 === x.x.x.x/28 TUNNEL, dpdaction=clear >> Routed Connections: >> sph-main{1}: ROUTED, TUNNEL, reqid 1 >> sph-main{1}: x.x.0.0/16 === x.x.x.x/28 >> Security Associations (1 up, 0 connecting): >> sph-main[1]: ESTABLISHED 3 minutes ago, >> x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x] >> sph-main[1]: IKEv1 SPIs: 6a4fba86489e9e61_i a244a0079084bf87_r*, >> pre-shared key reauthentication in 7 hours >> sph-main[1
Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds
Setting that value had a negative effect. Not only is it not deleting the old rekeys (they continue to accumulate at 1 every 30 seconds or so), but now it creates 2 installed tunnels: sph-main{8}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ccf1f516_i 968001a4_o sph-main{8}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 7 hours sph-main{8}: x.x.x.x/16 === x.x.x.x/28 sph-main{9}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c57fde42_i 7d27b8fb_o sph-main{9}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 7 hours sph-main{9}: x.x.x.x/16 === x.x.x.x/28 Doug Tucker Sr. Network Administrator o: 817.975.5832 | m: 817.975.5832 e: doug.tuc...@newscycle.com [Newscycle Solutions]<http://www.newscycle.com/> Breakthrough technologies for media Twitter<http://www.twitter.com/newscycle_news> | Facebook<https://www.facebook.com/NEWSCYCLESolutions> | Linkedin<https://www.linkedin.com/company/newscycle-solutions> CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited. From: Noel Kuntze Sent: Tuesday, July 24, 2018 4:02:13 AM To: Doug Tucker; users@lists.strongswan.org Subject: Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds Hi, You can use charon.delete_rekeyed = yes. But the better solution is to check the logs of the CISCO side to understand why it is doing that. Kind regards Noel On 24.07.2018 05:29, Doug Tucker wrote: > > Have an issue I've never seen before. Connecting to a remote Cisco router. > Have verified settings on the cisco, our rekey options look the same. We get > an established connection, then 30 seconds later a rekey happens and it > installs under the new one. This goes on forever. Here are the logs > showing the original and 1 rekey. If allowed to continue the number of SA > increments as such: > > > Connections: > sph-main: x.x.x.x...x.x.x.x IKEv1, dpddelay=15s > sph-main: local: [x.x.x.x] uses pre-shared key authentication > sph-main: remote: [x.x.x.x] uses pre-shared key authentication > sph-main: child: x.x.0.0/16 === x.x.x.x/28 TUNNEL, dpdaction=clear > Routed Connections: > sph-main{1}: ROUTED, TUNNEL, reqid 1 > sph-main{1}: x.x.0.0/16 === x.x.x.x/28 > Security Associations (1 up, 0 connecting): > sph-main[1]: ESTABLISHED 3 minutes ago, > x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x] > sph-main[1]: IKEv1 SPIs: 6a4fba86489e9e61_i a244a0079084bf87_r*, > pre-shared key reauthentication in 7 hours > sph-main[1]: IKE proposal: > AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536 > sph-main{2}: REKEYED, TUNNEL, reqid 1, expires in 7 hours > sph-main{2}: x.x.0.0/16 === x.x.x.x/28 > sph-main{3}: REKEYED, TUNNEL, reqid 1, expires in 7 hours > sph-main{3}: x.x.0.0/16 === x.x.x.x/28 > sph-main{4}: REKEYED, TUNNEL, reqid 1, expires in 7 hours > sph-main{4}: x.x.0.0/16 === x.x.x.x/28 > sph-main{5}: REKEYED, TUNNEL, reqid 1, expires in 7 hours > sph-main{5}: x.x.0.0/16 === x.x.x.x/28 > sph-main{6}: REKEYED, TUNNEL, reqid 1, expires in 7 hours > sph-main{6}: x.x.0.0/16 === x.x.x.x/28 > sph-main{7}: REKEYED, TUNNEL, reqid 1, expires in 7 hours > sph-main{7}: x.x.0.0/16 === x.x.x.x/28 > sph-main{8}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c781d0ed_i > d0a8e566_o > sph-main{8}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, > rekeying in 7 hours > sph-main{8}: x.x.0.0/16 === x.x.x.x/28 > > Here are my logs: > > > Jul 24 03:17:31 ip-x-x-x-x journal: Suppressed 379 messages from > /user.slice/user-x0.slice > Jul 24 03:17:31 ip-x-x-x-x charon: 11[NET] received packet: from x.x.x.x[500] > to x.x.x.x[500] (34x bytes) > Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] parsed ID_PROT request 0 [ KE No V > V V NAT-D NAT-D ] > Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received DPD vendor ID > Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] received unknown vendor ID: > 9f:xx:1d:9b:4x:9f:9e:61:5e:40:3x:7e:a5:6a:96:1f > Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received XAuth vendor ID > Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] local host is behind NAT, sending
Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds
I have auto = ignore, closeaction = clear, and have not defined anything for uniqueids. Doug Tucker Sr. Network Administrator o: 817.975.5832 | m: 817.975.5832 e: doug.tuc...@newscycle.com [Newscycle Solutions]<http://www.newscycle.com/> Breakthrough technologies for media Twitter<http://www.twitter.com/newscycle_news> | Facebook<https://www.facebook.com/NEWSCYCLESolutions> | Linkedin<https://www.linkedin.com/company/newscycle-solutions> CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited. From: Jafar Al-Gharaibeh Sent: Tuesday, July 24, 2018 9:03:07 AM To: Doug Tucker; users@lists.strongswan.org Cc: Noel Kuntze Subject: Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds Doug, Check your configuration, if you have: uniqueids=yes auto=start closeaction=restart Then that is the cause of the issue. That is a bad combination that gets you in an infinite rekey loop. --Jafar On 7/24/2018 5:02 AM, Noel Kuntze wrote: > Hi, > > You can use charon.delete_rekeyed = yes. But the better solution is to check > the logs of the CISCO side to understand why it is doing that. > > Kind regards > > Noel > > On 24.07.2018 05:29, Doug Tucker wrote: >> Have an issue I've never seen before. Connecting to a remote Cisco router. >> Have verified settings on the cisco, our rekey options look the same. We >> get an established connection, then 30 seconds later a rekey happens and it >> installs under the new one. This goes on forever. Here are the logs >> showing the original and 1 rekey. If allowed to continue the number of SA >> increments as such: >> >> >> Connections: >> sph-main: x.x.x.x...x.x.x.x IKEv1, dpddelay=15s >> sph-main: local: [x.x.x.x] uses pre-shared key authentication >> sph-main: remote: [x.x.x.x] uses pre-shared key authentication >> sph-main: child: x.x.0.0/16 === x.x.x.x/28 TUNNEL, dpdaction=clear >> Routed Connections: >> sph-main{1}: ROUTED, TUNNEL, reqid 1 >> sph-main{1}: x.x.0.0/16 === x.x.x.x/28 >> Security Associations (1 up, 0 connecting): >> sph-main[1]: ESTABLISHED 3 minutes ago, >> x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x] >> sph-main[1]: IKEv1 SPIs: 6a4fba86489e9e61_i a244a0079084bf87_r*, >> pre-shared key reauthentication in 7 hours >> sph-main[1]: IKE proposal: >> AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536 >> sph-main{2}: REKEYED, TUNNEL, reqid 1, expires in 7 hours >> sph-main{2}: x.x.0.0/16 === x.x.x.x/28 >> sph-main{3}: REKEYED, TUNNEL, reqid 1, expires in 7 hours >> sph-main{3}: x.x.0.0/16 === x.x.x.x/28 >> sph-main{4}: REKEYED, TUNNEL, reqid 1, expires in 7 hours >> sph-main{4}: x.x.0.0/16 === x.x.x.x/28 >> sph-main{5}: REKEYED, TUNNEL, reqid 1, expires in 7 hours >> sph-main{5}: x.x.0.0/16 === x.x.x.x/28 >> sph-main{6}: REKEYED, TUNNEL, reqid 1, expires in 7 hours >> sph-main{6}: x.x.0.0/16 === x.x.x.x/28 >> sph-main{7}: REKEYED, TUNNEL, reqid 1, expires in 7 hours >> sph-main{7}: x.x.0.0/16 === x.x.x.x/28 >> sph-main{8}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c781d0ed_i >> d0a8e566_o >> sph-main{8}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, >> rekeying in 7 hours >> sph-main{8}: x.x.0.0/16 === x.x.x.x/28 >> >> Here are my logs: >> >> >> Jul 24 03:17:31 ip-x-x-x-x journal: Suppressed 379 messages from >> /user.slice/user-x0.slice >> Jul 24 03:17:31 ip-x-x-x-x charon: 11[NET] received packet: from >> x.x.x.x[500] to x.x.x.x[500] (34x bytes) >> Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] parsed ID_PROT request 0 [ KE No >> V V V NAT-D NAT-D ] >> Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received DPD vendor ID >> Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] received unknown vendor ID: >> 9f:xx:1d:9b:4x:9f:9e:61:5e:40:3x:7e:a5:6a:96:1f >> Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received XAuth vendor ID >> Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] local host is behind NAT, sending
Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds
Doug, Check your configuration, if you have: uniqueids=yes auto=start closeaction=restart Then that is the cause of the issue. That is a bad combination that gets you in an infinite rekey loop. --Jafar On 7/24/2018 5:02 AM, Noel Kuntze wrote: Hi, You can use charon.delete_rekeyed = yes. But the better solution is to check the logs of the CISCO side to understand why it is doing that. Kind regards Noel On 24.07.2018 05:29, Doug Tucker wrote: Have an issue I've never seen before. Connecting to a remote Cisco router. Have verified settings on the cisco, our rekey options look the same. We get an established connection, then 30 seconds later a rekey happens and it installs under the new one. This goes on forever. Here are the logs showing the original and 1 rekey. If allowed to continue the number of SA increments as such: Connections: sph-main: x.x.x.x...x.x.x.x IKEv1, dpddelay=15s sph-main: local: [x.x.x.x] uses pre-shared key authentication sph-main: remote: [x.x.x.x] uses pre-shared key authentication sph-main: child: x.x.0.0/16 === x.x.x.x/28 TUNNEL, dpdaction=clear Routed Connections: sph-main{1}: ROUTED, TUNNEL, reqid 1 sph-main{1}: x.x.0.0/16 === x.x.x.x/28 Security Associations (1 up, 0 connecting): sph-main[1]: ESTABLISHED 3 minutes ago, x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x] sph-main[1]: IKEv1 SPIs: 6a4fba86489e9e61_i a244a0079084bf87_r*, pre-shared key reauthentication in 7 hours sph-main[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536 sph-main{2}: REKEYED, TUNNEL, reqid 1, expires in 7 hours sph-main{2}: x.x.0.0/16 === x.x.x.x/28 sph-main{3}: REKEYED, TUNNEL, reqid 1, expires in 7 hours sph-main{3}: x.x.0.0/16 === x.x.x.x/28 sph-main{4}: REKEYED, TUNNEL, reqid 1, expires in 7 hours sph-main{4}: x.x.0.0/16 === x.x.x.x/28 sph-main{5}: REKEYED, TUNNEL, reqid 1, expires in 7 hours sph-main{5}: x.x.0.0/16 === x.x.x.x/28 sph-main{6}: REKEYED, TUNNEL, reqid 1, expires in 7 hours sph-main{6}: x.x.0.0/16 === x.x.x.x/28 sph-main{7}: REKEYED, TUNNEL, reqid 1, expires in 7 hours sph-main{7}: x.x.0.0/16 === x.x.x.x/28 sph-main{8}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c781d0ed_i d0a8e566_o sph-main{8}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 7 hours sph-main{8}: x.x.0.0/16 === x.x.x.x/28 Here are my logs: Jul 24 03:17:31 ip-x-x-x-x journal: Suppressed 379 messages from /user.slice/user-x0.slice Jul 24 03:17:31 ip-x-x-x-x charon: 11[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (34x bytes) Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] parsed ID_PROT request 0 [ KE No V V V NAT-D NAT-D ] Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received DPD vendor ID Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] received unknown vendor ID: 9f:xx:1d:9b:4x:9f:9e:61:5e:40:3x:7e:a5:6a:96:1f Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received XAuth vendor ID Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] local host is behind NAT, sending keep alives Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ] Jul 24 03:17:31 ip-x-x-x-x charon: 11[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (30x bytes) Jul 24 03:17:31 ip-x-x-x-x charon: 12[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (10x bytes) Jul 24 03:17:31 ip-x-x-x-x charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ] Jul 24 03:17:31 ip-x-x-x-x charon: 12[CFG] looking for pre-shared key peer configs matching x.x.x.x...x.x.x.x[x.x.x.x] Jul 24 03:17:31 ip-x-x-x-x charon: 12[CFG] selected peer config "sph-main" Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] IKE_SA sph-main[1] established between x.x.x.x[13.251.151.1x]...x.x.x.x[x.x.x.x] Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] scheduling reauthentication in 2x02xs Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] maximum IKE_SA lifetime 2x56xs Jul 24 03:17:31 ip-x-x-x-x charon: 12[ENC] generating ID_PROT response 0 [ ID HASH ] Jul 24 03:17:31 ip-x-x-x-x charon: 12[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (76 bytes) Jul 24 03:17:31 ip-x-x-x-x charon: 14[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (3x0 bytes) Jul 24 03:17:31 ip-x-x-x-x charon: 14[ENC] parsed QUICK_MODE request 225x9x7323 [ HASH SA No KE ID ID ] Jul 24 03:17:31 ip-x-x-x-x charon: 14[IKE] received 460x00 lifebytes, configured 0 Jul 24 03:17:31 ip-x-x-x-x charon: 14[ENC] generating QUICK_MODE response 225x9x7323 [ HASH SA No KE ID ID ] Jul 24 03:17:31 ip-x-x-x-x charon: 14[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (396 bytes) Jul 24 03:17:31 ip-x-x-x-x charon: 15[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (60 bytes) Jul 24 03:17:31 ip-x-x-x-x charon: 15[ENC] parsed QUICK_MODE request 225x9x7323 [ HASH ] Jul 24 03:17:31 ip-x-x-x-x charon: 15[IKE] CHILD_SA sph-main{2}
Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds
Hi, You can use charon.delete_rekeyed = yes. But the better solution is to check the logs of the CISCO side to understand why it is doing that. Kind regards Noel On 24.07.2018 05:29, Doug Tucker wrote: > > Have an issue I've never seen before. Connecting to a remote Cisco router. > Have verified settings on the cisco, our rekey options look the same. We get > an established connection, then 30 seconds later a rekey happens and it > installs under the new one. This goes on forever. Here are the logs > showing the original and 1 rekey. If allowed to continue the number of SA > increments as such: > > > Connections: > sph-main: x.x.x.x...x.x.x.x IKEv1, dpddelay=15s > sph-main: local: [x.x.x.x] uses pre-shared key authentication > sph-main: remote: [x.x.x.x] uses pre-shared key authentication > sph-main: child: x.x.0.0/16 === x.x.x.x/28 TUNNEL, dpdaction=clear > Routed Connections: > sph-main{1}: ROUTED, TUNNEL, reqid 1 > sph-main{1}: x.x.0.0/16 === x.x.x.x/28 > Security Associations (1 up, 0 connecting): > sph-main[1]: ESTABLISHED 3 minutes ago, > x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x] > sph-main[1]: IKEv1 SPIs: 6a4fba86489e9e61_i a244a0079084bf87_r*, > pre-shared key reauthentication in 7 hours > sph-main[1]: IKE proposal: > AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536 > sph-main{2}: REKEYED, TUNNEL, reqid 1, expires in 7 hours > sph-main{2}: x.x.0.0/16 === x.x.x.x/28 > sph-main{3}: REKEYED, TUNNEL, reqid 1, expires in 7 hours > sph-main{3}: x.x.0.0/16 === x.x.x.x/28 > sph-main{4}: REKEYED, TUNNEL, reqid 1, expires in 7 hours > sph-main{4}: x.x.0.0/16 === x.x.x.x/28 > sph-main{5}: REKEYED, TUNNEL, reqid 1, expires in 7 hours > sph-main{5}: x.x.0.0/16 === x.x.x.x/28 > sph-main{6}: REKEYED, TUNNEL, reqid 1, expires in 7 hours > sph-main{6}: x.x.0.0/16 === x.x.x.x/28 > sph-main{7}: REKEYED, TUNNEL, reqid 1, expires in 7 hours > sph-main{7}: x.x.0.0/16 === x.x.x.x/28 > sph-main{8}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c781d0ed_i > d0a8e566_o > sph-main{8}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, > rekeying in 7 hours > sph-main{8}: x.x.0.0/16 === x.x.x.x/28 > > Here are my logs: > > > Jul 24 03:17:31 ip-x-x-x-x journal: Suppressed 379 messages from > /user.slice/user-x0.slice > Jul 24 03:17:31 ip-x-x-x-x charon: 11[NET] received packet: from x.x.x.x[500] > to x.x.x.x[500] (34x bytes) > Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] parsed ID_PROT request 0 [ KE No V > V V NAT-D NAT-D ] > Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received DPD vendor ID > Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] received unknown vendor ID: > 9f:xx:1d:9b:4x:9f:9e:61:5e:40:3x:7e:a5:6a:96:1f > Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received XAuth vendor ID > Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] local host is behind NAT, sending > keep alives > Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] generating ID_PROT response 0 [ KE > No NAT-D NAT-D ] > Jul 24 03:17:31 ip-x-x-x-x charon: 11[NET] sending packet: from x.x.x.x[500] > to x.x.x.x[500] (30x bytes) > Jul 24 03:17:31 ip-x-x-x-x charon: 12[NET] received packet: from > x.x.x.x[4500] to x.x.x.x[4500] (10x bytes) > Jul 24 03:17:31 ip-x-x-x-x charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH > N(INITIAL_CONTACT) ] > Jul 24 03:17:31 ip-x-x-x-x charon: 12[CFG] looking for pre-shared key peer > configs matching x.x.x.x...x.x.x.x[x.x.x.x] > Jul 24 03:17:31 ip-x-x-x-x charon: 12[CFG] selected peer config "sph-main" > Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] IKE_SA sph-main[1] established > between x.x.x.x[13.251.151.1x]...x.x.x.x[x.x.x.x] > Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] scheduling reauthentication in > 2x02xs > Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] maximum IKE_SA lifetime 2x56xs > Jul 24 03:17:31 ip-x-x-x-x charon: 12[ENC] generating ID_PROT response 0 [ ID > HASH ] > Jul 24 03:17:31 ip-x-x-x-x charon: 12[NET] sending packet: from x.x.x.x[4500] > to x.x.x.x[4500] (76 bytes) > Jul 24 03:17:31 ip-x-x-x-x charon: 14[NET] received packet: from > x.x.x.x[4500] to x.x.x.x[4500] (3x0 bytes) > Jul 24 03:17:31 ip-x-x-x-x charon: 14[ENC] parsed QUICK_MODE request > 225x9x7323 [ HASH SA No KE ID ID ] > Jul 24 03:17:31 ip-x-x-x-x charon: 14[IKE] received 460x00 lifebytes, > configured 0 > Jul 24 03:17:31 ip-x-x-x-x charon: 14[ENC] generating QUICK_MODE response > 225x9x7323 [ HASH SA No KE ID ID ] > Jul 24 03:17:31 ip-x-x-x-x charon: 14[NET] sending packet: from x.x.x.x[4500] > to x.x.x.x[4500] (396 bytes) > Jul 24 03:17:31 ip-x-x-x-x charon: 15[NET] received packet: from > x.x.x.x[4500] to x.x.x.x[4500] (60 bytes) > Jul 24 03:17:31 ip-x-x-x-x charon: 15[ENC] parsed QUICK_MODE request > 225x9x7323 [ HASH ] > Jul 24 03:17:31 ip-x-x-x-x charon: 15[IKE] CHILD_SA sph-main{2} established > with SPIs cx2f9f6f_i c4cx6290_o and TS x.x.0.0/16 === x.x.x.x/2x > > > Jul 24 03:17:46
[strongSwan] Strongswan 5.6.3 rekey every 30 seconds
Have an issue I've never seen before. Connecting to a remote Cisco router. Have verified settings on the cisco, our rekey options look the same. We get an established connection, then 30 seconds later a rekey happens and it installs under the new one. This goes on forever. Here are the logs showing the original and 1 rekey. If allowed to continue the number of SA increments as such: Connections: sph-main: x.x.x.x...x.x.x.x IKEv1, dpddelay=15s sph-main: local: [x.x.x.x] uses pre-shared key authentication sph-main: remote: [x.x.x.x] uses pre-shared key authentication sph-main: child: x.x.0.0/16 === x.x.x.x/28 TUNNEL, dpdaction=clear Routed Connections: sph-main{1}: ROUTED, TUNNEL, reqid 1 sph-main{1}: x.x.0.0/16 === x.x.x.x/28 Security Associations (1 up, 0 connecting): sph-main[1]: ESTABLISHED 3 minutes ago, x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x] sph-main[1]: IKEv1 SPIs: 6a4fba86489e9e61_i a244a0079084bf87_r*, pre-shared key reauthentication in 7 hours sph-main[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536 sph-main{2}: REKEYED, TUNNEL, reqid 1, expires in 7 hours sph-main{2}: x.x.0.0/16 === x.x.x.x/28 sph-main{3}: REKEYED, TUNNEL, reqid 1, expires in 7 hours sph-main{3}: x.x.0.0/16 === x.x.x.x/28 sph-main{4}: REKEYED, TUNNEL, reqid 1, expires in 7 hours sph-main{4}: x.x.0.0/16 === x.x.x.x/28 sph-main{5}: REKEYED, TUNNEL, reqid 1, expires in 7 hours sph-main{5}: x.x.0.0/16 === x.x.x.x/28 sph-main{6}: REKEYED, TUNNEL, reqid 1, expires in 7 hours sph-main{6}: x.x.0.0/16 === x.x.x.x/28 sph-main{7}: REKEYED, TUNNEL, reqid 1, expires in 7 hours sph-main{7}: x.x.0.0/16 === x.x.x.x/28 sph-main{8}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c781d0ed_i d0a8e566_o sph-main{8}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 7 hours sph-main{8}: x.x.0.0/16 === x.x.x.x/28 Here are my logs: Jul 24 03:17:31 ip-x-x-x-x journal: Suppressed 379 messages from /user.slice/user-x0.slice Jul 24 03:17:31 ip-x-x-x-x charon: 11[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (34x bytes) Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] parsed ID_PROT request 0 [ KE No V V V NAT-D NAT-D ] Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received DPD vendor ID Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] received unknown vendor ID: 9f:xx:1d:9b:4x:9f:9e:61:5e:40:3x:7e:a5:6a:96:1f Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received XAuth vendor ID Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] local host is behind NAT, sending keep alives Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ] Jul 24 03:17:31 ip-x-x-x-x charon: 11[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (30x bytes) Jul 24 03:17:31 ip-x-x-x-x charon: 12[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (10x bytes) Jul 24 03:17:31 ip-x-x-x-x charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ] Jul 24 03:17:31 ip-x-x-x-x charon: 12[CFG] looking for pre-shared key peer configs matching x.x.x.x...x.x.x.x[x.x.x.x] Jul 24 03:17:31 ip-x-x-x-x charon: 12[CFG] selected peer config "sph-main" Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] IKE_SA sph-main[1] established between x.x.x.x[13.251.151.1x]...x.x.x.x[x.x.x.x] Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] scheduling reauthentication in 2x02xs Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] maximum IKE_SA lifetime 2x56xs Jul 24 03:17:31 ip-x-x-x-x charon: 12[ENC] generating ID_PROT response 0 [ ID HASH ] Jul 24 03:17:31 ip-x-x-x-x charon: 12[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (76 bytes) Jul 24 03:17:31 ip-x-x-x-x charon: 14[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (3x0 bytes) Jul 24 03:17:31 ip-x-x-x-x charon: 14[ENC] parsed QUICK_MODE request 225x9x7323 [ HASH SA No KE ID ID ] Jul 24 03:17:31 ip-x-x-x-x charon: 14[IKE] received 460x00 lifebytes, configured 0 Jul 24 03:17:31 ip-x-x-x-x charon: 14[ENC] generating QUICK_MODE response 225x9x7323 [ HASH SA No KE ID ID ] Jul 24 03:17:31 ip-x-x-x-x charon: 14[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (396 bytes) Jul 24 03:17:31 ip-x-x-x-x charon: 15[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (60 bytes) Jul 24 03:17:31 ip-x-x-x-x charon: 15[ENC] parsed QUICK_MODE request 225x9x7323 [ HASH ] Jul 24 03:17:31 ip-x-x-x-x charon: 15[IKE] CHILD_SA sph-main{2} established with SPIs cx2f9f6f_i c4cx6290_o and TS x.x.0.0/16 === x.x.x.x/2x Jul 24 03:17:46 ip-x-x-x-x charon: 05[IKE] sending DPD request Jul 24 03:17:46 ip-x-x-x-x charon: 05[ENC] generating INFORMATIONAL_V1 request 43665939 [ HASH N(DPD) ] Jul 24 03:17:46 ip-x-x-x-x charon: 05[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes) Jul 24 03:17:46 ip-x-x-x-x charon: 07[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes) Jul 24 03:17:46 ip-x-x-x-x charon: