Below is the strongSwan config which I have complete control over:
conn school-tunnel02
        type=tunnel
        auto=start
        keyexchange=ikev1
        ikelifetime=25h
        #keylife=480m
        # 28800s = 8h
        #lifetime=28800s
        lifetime=86400s
        #margintime=19m
        ## commented above line and added below line - 20130909 - Izz
        rekey=no
        # above line setting rekey=no had no effect on 6 hour timeout of tunnel
        #dpdaction=restart
        #dpddelay=30s
        authby=secret
        auth=esp
        ike=3des-sha1-modp1024!
        esp=3des-sha1!
        left=10.10.100.221
        leftid=wepa
        leftsubnet=10.10.100.0/24
        leftfirewall=yes
        right=XXX.YYY.2.20
        rightid=XXX.YYY.2.20
        rightsubnet=XXX.YYY.43.0/24
I have requested the admin on the other end of the tunnel to change the
lifetime to 24h which they have done, and it made no difference. The tunnel is
dropping at exactly every 6 hours. Here are the logs from the drop time:
Sep 15 16:34:02 bhm-ipsec-221 charon: 16[ENC] parsed ID_PROT request 0 [ SA V V V V ]
Sep 15 16:34:02 bhm-ipsec-221 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sep 15 16:34:02 bhm-ipsec-221 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Sep 15 16:34:02 bhm-ipsec-221 charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
Sep 15 16:34:02 bhm-ipsec-221 charon: 16[IKE] received FRAGMENTATION vendor ID
Sep 15 16:34:02 bhm-ipsec-221 charon: 16[IKE] XXX.YYY.2.20 is initiating a Main Mode IKE_SA
Sep 15 16:34:02 bhm-ipsec-221 charon: 16[ENC] generating ID_PROT response 0 [ SA V V V ]
Sep 15 16:34:02 bhm-ipsec-221 charon: 16[NET] sending packet: from 10.10.100.221[4500] to XXX.YYY.2.20[4500] (132 bytes)
Sep 15 16:34:02 bhm-ipsec-221 charon: 13[NET] received packet: from XXX.YYY.2.20[4500] to 10.10.100.221[4500] (304 bytes)
Sep 15 16:34:02 bhm-ipsec-221 charon: 13[ENC] parsed ID_PROT request 0 [ KE No V V V V NAT-D NAT-D ]
Sep 15 16:34:02 bhm-ipsec-221 charon: 13[IKE] local host is behind NAT, sending keep alives
Sep 15 16:34:02 bhm-ipsec-221 charon: 13[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Sep 15 16:34:02 bhm-ipsec-221 charon: 13[NET] sending packet: from 10.10.100.221[4500] to XXX.YYY.2.20[4500] (244 bytes)
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[NET] received packet: from XXX.YYY.2.20[4500] to 10.10.100.221[4500] (84 bytes)
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[ENC] parsed ID_PROT request 0 [ ID HASH V ]
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[CFG] looking for pre-shared key peer configs matching 10.10.100.221...XXX.YYY.2.20[XXX.YYY.2.20]
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[CFG] selected peer config "school-tunnel02"
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[IKE] deleting duplicate IKE_SA for peer 'XXX.YYY.2.20' due to uniqueness policy
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[IKE] deleting IKE_SA school-tunnel02[144] between 10.10.100.221[wepa]...XXX.YYY.2.20[XXX.YYY.2.20]
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[IKE] sending DELETE for IKE_SA school-tunnel02[144]
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[ENC] generating INFORMATIONAL_V1 request 3554893475 [ HASH D ]
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[NET] sending packet: from 10.10.100.221[4500] to XXX.YYY.2.20[4500] (84 bytes)
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[IKE] IKE_SA school-tunnel02[152] established between 10.10.100.221[wepa]...XXX.YYY.2.20[XXX.YYY.2.20]
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[ENC] generating ID_PROT response 0 [ ID HASH ]
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[NET] sending packet: from 10.10.100.221[4500] to XXX.YYY.2.20[4500] (68 bytes)
Sep 15 16:34:02 bhm-ipsec-221 charon: 14[NET] received packet: from XXX.YYY.2.20[4500] to 10.10.100.221[4500] (68 bytes)
Sep 15 16:34:02 bhm-ipsec-221 charon: 14[ENC] parsed INFORMATIONAL_V1 request 3654723502 [ HASH D ]
Sep 15 16:34:02 bhm-ipsec-221 charon: 14[IKE] received DELETE for ESP CHILD_SA with SPI aadc2798
Sep 15 16:34:02 bhm-ipsec-221 charon: 14[IKE] closing CHILD_SA school-tunnel02{22} with SPIs c1777483_i (12096 bytes) aadc2798_o (15552 bytes) and TS 10.10.100.0/24 === XXX.YYY.43.0/24
Sep 15 16:34:02 bhm-ipsec-221 vpn: - XXX.YYY.2.20 XXX.YYY.43.0/24 == XXX.YYY.2.20 -- 10.10.100.221 == 10.10.100.0/24
Sep 15 16:34:02 bhm-ipsec-221 charon: 10[NET] received packet: from XXX.YYY.2.20[4500] to 10.10.100.221[4500] (84 bytes)
Sep 15 16:34:02 bhm-ipsec-221 charon: 10[ENC] parsed INFORMATIONAL_V1 request 2406045800 [ HASH D ]
Sep 15 16:34:02 bhm-ipsec-221 charon: 10[IKE] received DELETE for IKE_SA school-tunnel02[152]
Sep 15 16:34:02 bhm-ipsec-221 charon: 10[IKE] deleting IKE_SA school-tunnel02[152] between 10.10.100.221[wepa]...XXX.YYY.2.20[XXX.YYY.2.20]
I am running CentOS 6.4 x86_64 with kernel 2.6.32 and strongSwan 5.0.4 from the
EPEL repo for CentOS (this is not compiled from source).
Here is the output of 'strongswan version':
Linux strongSwan U5.0.4/K2.6.32-358.14.1.el6.x86_64
I have two strongSwan instances set up between the same box and another in
Amazon AWS Cloud for site-to-site to our DR, and that tunnel never goes down.
Traffic passes through this problematic tunnel as it should and everything is
great until 6 hours pass. I have configured a bash script that runs on a */1
minute cron to check the tunnel and, if it is down, brings the tunnel back up
and emails me. This is how I have been able to keep timestamps. As you can
see in the logs, it appears to be a renegotiation that goes wrong, but all within
the same 1 second. My cronjob picks it up at 16:35 in the above case, sees the
tunnel down, runs a strongswan up school-tunnel02 and mails me the output of
the command, showing success. This continues each and every 6 hours like
clockwork.
I appreciate any input. I can probably find the configs sent to me by the
admin on the other end with the Cisco ASA, but I can assure you the initial
tunnel lifetime was set to 8 hours (28,800s), so I am having a problem believing
the ASA is doing this, even after a change to 86,400s.
Ideas please?
Thanks,
Izz
Izz Abdullah
Senior Systems Engineer
[email protected]
www.wepanow.com
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
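Added after the post as a worked example (it is not code from the original message or from strongSwan): a short Python script that reconstructs the IKE_SA lifecycle from charon log lines in the default syslog format quoted above. The sample lines are a constructed, unwrapped copy of the IKE-level messages from the post (the [NET]/[ENC] packet lines are left out); the event names, the summarize() verdict text, and the assumption that the SA number of a uniqueness replacement is read from the "sending DELETE for IKE_SA" line that follows it are the example's own choices.

```python
"""Reconstruct the IKEv1 SA lifecycle from strongSwan charon log lines.

Added example, not code from the original post or from strongSwan. It
answers what a plain up/down cron check cannot: which side started the
renegotiation, which IKE_SA charon discarded and why, and who sent the
final DELETE.
"""
import re

# Constructed sample: the IKE-level lines quoted in the thread, unwrapped,
# plus the updown script's "vpn:" line to show non-charon lines are skipped.
# SA numbers and the anonymised peer address are kept as in the post.
SAMPLE_LOG = """\
Sep 15 16:34:02 bhm-ipsec-221 charon: 16[IKE] XXX.YYY.2.20 is initiating a Main Mode IKE_SA
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[CFG] selected peer config "school-tunnel02"
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[IKE] deleting duplicate IKE_SA for peer 'XXX.YYY.2.20' due to uniqueness policy
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[IKE] deleting IKE_SA school-tunnel02[144] between 10.10.100.221[wepa]...XXX.YYY.2.20[XXX.YYY.2.20]
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[IKE] sending DELETE for IKE_SA school-tunnel02[144]
Sep 15 16:34:02 bhm-ipsec-221 charon: 15[IKE] IKE_SA school-tunnel02[152] established between 10.10.100.221[wepa]...XXX.YYY.2.20[XXX.YYY.2.20]
Sep 15 16:34:02 bhm-ipsec-221 charon: 14[IKE] received DELETE for ESP CHILD_SA with SPI aadc2798
Sep 15 16:34:02 bhm-ipsec-221 charon: 14[IKE] closing CHILD_SA school-tunnel02{22} with SPIs c1777483_i (12096 bytes) aadc2798_o (15552 bytes) and TS 10.10.100.0/24 === XXX.YYY.43.0/24
Sep 15 16:34:02 bhm-ipsec-221 vpn: - XXX.YYY.2.20 XXX.YYY.43.0/24 == XXX.YYY.2.20 -- 10.10.100.221 == 10.10.100.0/24
Sep 15 16:34:02 bhm-ipsec-221 charon: 10[IKE] received DELETE for IKE_SA school-tunnel02[152]
Sep 15 16:34:02 bhm-ipsec-221 charon: 10[IKE] deleting IKE_SA school-tunnel02[152] between 10.10.100.221[wepa]...XXX.YYY.2.20[XXX.YYY.2.20]
"""

# Default syslog layout of a charon line: timestamp host "charon:" thread[GROUP] message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: "
    r"(?P<thread>\d+)\[(?P<group>\w+)\] (?P<msg>.*)$"
)
# "school-tunnel02[152]" -> connection name plus charon's unique IKE_SA number
SA_RE = re.compile(r"(?P<conn>[\w-]+)\[(?P<num>\d+)\]")

# (regex on the message text, event name, side that caused the event)
PATTERNS = [
    (re.compile(r"^(?P<peer>\S+) is initiating a Main Mode IKE_SA"),
     "peer_initiated_main_mode", "peer"),
    (re.compile(r"^deleting duplicate IKE_SA for peer '(?P<peer>[^']+)' "
                r"due to uniqueness policy"),
     "uniqueness_replace", "local"),
    (re.compile(r"^sending DELETE for IKE_SA "), "local_delete_ike_sa", "local"),
    (re.compile(r"^IKE_SA \S+ established between"), "ike_sa_established", None),
    (re.compile(r"^received DELETE for ESP CHILD_SA with SPI (?P<spi>[0-9a-f]+)"),
     "peer_delete_child_sa", "peer"),
    (re.compile(r"^received DELETE for IKE_SA "), "peer_delete_ike_sa", "peer"),
]


def parse_events(lines):
    """Turn raw log lines into an ordered list of recognised IKE events."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a charon line (e.g. the updown script's "vpn:" line)
        msg = m.group("msg")
        for pat, name, side in PATTERNS:
            pm = pat.match(msg)
            if not pm:
                continue
            sa = SA_RE.search(msg)
            ev = {"ts": m.group("ts"), "event": name, "side": side,
                  "conn": sa.group("conn") if sa else None,
                  "sa": int(sa.group("num")) if sa else None}
            ev.update(pm.groupdict())
            events.append(ev)
            break
    return events


def summarize(lines):
    """Collapse the events into who did what to which IKE_SA."""
    s = {"initiator": None, "replaced_by_uniqueness": [], "established": [],
         "peer_deleted_child_spis": [], "peer_deleted_ike_sas": []}
    after_uniqueness = False
    for e in parse_events(lines):
        if e["event"] == "peer_initiated_main_mode":
            s["initiator"] = e["peer"]
        elif e["event"] == "uniqueness_replace":
            after_uniqueness = True  # SA number is on the DELETE line that follows
        elif e["event"] == "local_delete_ike_sa" and after_uniqueness:
            s["replaced_by_uniqueness"].append(e["sa"])
            after_uniqueness = False
        elif e["event"] == "ike_sa_established":
            s["established"].append(e["sa"])
        elif e["event"] == "peer_delete_child_sa":
            s["peer_deleted_child_spis"].append(e["spi"])
        elif e["event"] == "peer_delete_ike_sa":
            s["peer_deleted_ike_sas"].append(e["sa"])
    s["ike_sa_alive"] = [n for n in s["established"]
                         if n not in s["peer_deleted_ike_sas"]]
    s["verdict"] = _verdict(s)
    return s


def _verdict(s):
    if s["initiator"] and s["replaced_by_uniqueness"] and not s["ike_sa_alive"]:
        return ("peer %s re-initiated Main Mode; charon replaced IKE_SA %s under "
                "uniqueids, established %s, then the peer deleted %s: tunnel down"
                % (s["initiator"], s["replaced_by_uniqueness"],
                   s["established"], s["peer_deleted_ike_sas"]))
    if s["ike_sa_alive"]:
        return "IKE_SA %s still up" % s["ike_sa_alive"]
    return "no IKE_SA established in this window"


if __name__ == "__main__":
    for e in parse_events(SAMPLE_LOG.splitlines()):
        print("%s  %-25s side=%-5s sa=%s" % (e["ts"], e["event"], e["side"], e["sa"]))
    print(summarize(SAMPLE_LOG.splitlines())["verdict"])
```

Run over the quoted lines it reports: the peer (XXX.YYY.2.20) initiated Main Mode, charon discarded IKE_SA [144] because of the uniqueness policy (uniqueids=yes is the strongSwan default), established [152], and the peer then deleted the CHILD_SA and IKE_SA [152], leaving nothing up, which is what the once-a-minute cron check sees as "down". It cannot say why the ASA side re-initiates at six hours; only that side's configuration can. Two things worth checking alongside: charon does not itself re-initiate after a peer-sent DELETE unless closeaction (or, with DPD enabled, dpdaction) tells it to, and the ipsec.conf man page warns that closeaction can misfire when reauthentication or uniqueids checking is what closes the SA, so test it rather than assume it; and ike=3des-sha1-modp1024!/esp=3des-sha1! (3DES, SHA-1, a 1024-bit DH group) are well below current guidance and worth raising with the ASA admin once the drop is understood.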