Dear Developers/Users,

First of all, thank you for your software. It's awesome and serves quite well
for several hundred customers at our site every day.

We're using Linux strongSwan U4.5.1/K2.6.26-2-686f.
At the customer site: Bintec R3000 version V.7.9 Rev. 5 (Patch 4), IPSec from
2010/12/21 00:00:00.

With the customer that has a Bintec router we have the problem that after the
phase 2 lifetime has expired, no rekeying is successful, hence the tunnel is
down. This happens after around 8 hours, every time.

Not even an ipsec down & ipsec up restarts the tunnel. We have to do the
following:

add auto=ignore to the connection
ipsec update
remove the auto=ignore
ipsec update

and only now we're able to bring up the tunnel.

Please find attached the configuration from both sides:

bintec: Phase1

   Description (Idx 2)   :  support
   Proposal              :  6 (DES3/SHA1)
   Lifetime Policy       :  Propose this lifetime, accept and use all proposals
                            Seconds: 28800       KBytes: 50000
   Group                 :  2 (1024 bit MODP)
   Authentication Method :  Pre Shared Keys
   Mode                  :  id_protect
   Alive Check           :  none
   Block Time            :  -1
   Local ID              :  customer-ip
   Local Certificate     :  none
   CA Certificates       :
   Nat-Traversal         :  enabled


bintec: Phase2

   Description (Idx 1)   :  support

   Proposal              :  7 (ESP(DES3/SHA1) no Comp)
   Lifetime Policy       :  Propose this lifetime, accept and use all proposals
                            Seconds: 28800       KBytes: 50000
   Use PFS               :  group 2 (1024 bit MODP)
   Alive Check           :  none
   Propagate PMTU        :  no


Strongswan:

config setup
        nat_traversal=yes
        charonstart=yes
        plutostart=yes
        plutodebug=control
        plutostderrlog=/var/log/strongswan/pluto.log
        charondebug=control
        strictcrlpolicy=no

#Default Settings
conn %default
        type=tunnel
        left=our-pub-ip
        leftnexthop=gw
        leftsubnet=our-localnet
        leftid=our-id
        keyexchange=ikev1
        authby=secret
        ike=aes256-sha1-modp1024
        ikelifetime=8h #28800 secs
        rekeymargin=3m
        keyingtries=1
        auth=esp
        esp=aes256-sha1
        keylife=1h #3600secs
        pfs=yes
        dpddelay=30
        dpdtimeout=120
        dpdaction=hold
        compress=no
        mobike=no
        auto=start


conn customer
        right=customer-pub-id
        rightid=customer-id
        rightsubnet=network1/23
        esp=3des-sha1
        ike=3des-sha1-modp1024
        keylife=28800

conn customer
        right=customer-pub-id
        rightid=customer-id
        rightsubnet=network2/24
        esp=3des-sha1
        ike=3des-sha1-modp1024
        keylife=28800


It would be great to get some input as this is driving us nuts.
Any help is greatly appreciated.


Kind regards

Stefan Bauer

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
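An added example, not part of the post above and not strongSwan's own code: a small Python checker that parses an ipsec.conf like the one posted, applies the conn %default section to each conn, converts the lifetime values to seconds, and reports conns whose keylife is not shorter than ikelifetime (so the IKE and IPsec SAs expire in the same window) as well as repeated section names. The sample configuration is a constructed excerpt of the posted one; the choice of what to flag is mine.

```python
import re

# Constructed excerpt of the ipsec.conf from the post (same anonymised names).
SAMPLE_CONF = """\
conn %default
        ikelifetime=8h #28800 secs
        rekeymargin=3m
        keylife=1h #3600secs
conn customer
        rightsubnet=network1/23
        keylife=28800
conn customer
        rightsubnet=network2/24
        keylife=28800
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def to_seconds(value):
    """Convert an ipsec.conf time value ('8h', '3m', '28800') to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_ipsec_conf(text):
    """Map section header ('conn customer') -> {key: value}; trailing '#' comments are stripped.
    Section headers that occur more than once are returned separately as duplicates."""
    sections, duplicates, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line = section header
            current = line.strip()
            if current in sections:
                duplicates.append(current)
            sections.setdefault(current, {})
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    return sections, duplicates

def effective_lifetimes(sections):
    """Per conn (excluding %default): (ikelifetime, keylife) in seconds after applying %default."""
    default = sections.get("conn %default", {})
    return {name[5:]: (to_seconds({**default, **opts}["ikelifetime"]),
                       to_seconds({**default, **opts}["keylife"]))
            for name, opts in sections.items()
            if name.startswith("conn ") and name != "conn %default"}

def check(text):
    """Findings: duplicate section names and conns whose IPsec SA lifetime is not below the IKE SA lifetime."""
    sections, duplicates = parse_ipsec_conf(text)
    findings = [f"duplicate section: {d}" for d in duplicates]
    for conn, (ike, ipsec) in effective_lifetimes(sections).items():
        if ipsec >= ike:
            findings.append(f"{conn}: keylife {ipsec}s >= ikelifetime {ike}s, both SAs expire together")
    return findings
```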
