I've set up strongSwan 5.1.0 on Debian and have both OS X (Mavericks) and
Windows (7) clients connecting to it successfully. However, it appears that
after a VPN connection has been up for a while, it gets disconnected after a
couple of hours (last time I tested this it disconnected after roughly 1.5
hours). When observing one session today, it seemed like it was able to rekey
fine the first time, but the disconnect happened after it rekeyed around the
second time.
I was able to get some logs around the time the disconnect happens. Note that
the timestamps between the two sides are not exactly in sync.
OS X client - /var/log/system.log:
Feb 4 11:02:13 Alexs-MacBook-Pro.local racoon[5427]: IKE Packet: transmit
success. (Information message).
Feb 4 11:02:13 Alexs-MacBook-Pro.local configd[18]: IPSec Controller: IKE
FAILED. phase 6, assert 0
Feb 4 11:02:13 Alexs-MacBook-Pro.local racoon[5427]: IKEv1 Information-Notice:
transmit success. (Without ISAKMP-SA).
Feb 4 11:02:13 Alexs-MacBook-Pro.local racoon[5427]: Can't start the quick
mode, there is no ISAKMP-SA, 05ba0be93cdee729:0d01ae3c3e777e50:00008326
Feb 4 11:02:13 Alexs-MacBook-Pro.local configd[18]: IPSec disconnecting from
server xxx.xxx.xxx.xxx
Feb 4 11:02:13 Alexs-MacBook-Pro.local racoon[5427]: IPSec disconnecting from
server xxx.xxx.xxx.xxx
Feb 4 11:02:13 Alexs-MacBook-Pro.local racoon[5427]: IKE Packet: transmit
failed. (Information message).
Feb 4 11:02:13 Alexs-MacBook-Pro.local racoon[5427]: IKEv1 Information-Notice:
transmit failed. (Delete IPSEC-SA).
Feb 4 11:02:13 Alexs-MacBook-Pro.local configd[18]: installed routes:
addresses 172.23.16/24, gateway 172.23.16.211
Feb 4 11:02:13 Alexs-MacBook-Pro kernel[0]: SIOCPROTODETACH_IN6: utun0 error=6
Feb 4 11:02:13 Alexs-MacBook-Pro.local racoon[5427]: IPSec disconnecting from
server xxx.xxx.xxx.xxx
strongSwan server - /var/log/syslog:
Feb 4 11:02:49 router charon: 11[KNL] creating rekey job for ESP CHILD_SA with
SPI c07145f2 and reqid {144}
Feb 4 11:02:49 router charon: 11[ENC] generating QUICK_MODE request 2200340093
[ HASH SA No ID ID ]
Feb 4 11:02:49 router charon: 11[NET] sending packet: from
xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (300 bytes)
Feb 4 11:02:53 router charon: 05[IKE] sending retransmit 1 of request message
ID 2200340093, seq 6
Feb 4 11:02:53 router charon: 05[NET] sending packet: from
xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (300 bytes)
Feb 4 11:03:00 router charon: 11[IKE] sending retransmit 2 of request message
ID 2200340093, seq 6
Feb 4 11:03:00 router charon: 11[NET] sending packet: from
xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (300 bytes)
strongSwan server - /etc/ipsec.conf:
config setup

conn %default
    compress=yes
    ike=aes256-sha2_384-modp2048
    esp=aes256-sha2_384
    auto=add
    type=tunnel
    left=%defaultroute
    leftsubnet=172.23.16.0/24
    leftcert=<cert filename>
    right=%any
    eap_identity=%any

conn ikev1
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    rightsourceip=172.23.16.208/28

conn ikev2
    keyexchange=ikev2
    rightauth=eap-mschapv2
    rightsourceip=172.23.16.192/28
What should I change to fix this issue?
Alex
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
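The server-side log above shows the pattern worth watching for: charon starts a CHILD_SA rekey, sends a QUICK_MODE request, and then only logs retransmits because the client has already dropped its ISAKMP SA. The following is an added example (not from the post, not strongSwan code) that parses charon syslog lines and reports rekey requests that were retransmitted without ever being answered; the sample lines are constructed from the post, and the "parsed QUICK_MODE response" wording for a successful reply is my assumption about charon's ENC log format.

```python
import re
from datetime import datetime

# Constructed sample based on the charon lines in the report. The first rekey
# (SPI c0000001) is an assumed healthy exchange that gets a response; the
# second is the failing one from the post (response line format is assumed).
SAMPLE_LOG = """\
Feb 4 10:02:49 router charon: 09[KNL] creating rekey job for ESP CHILD_SA with SPI c0000001 and reqid {144}
Feb 4 10:02:49 router charon: 09[ENC] generating QUICK_MODE request 1100000001 [ HASH SA No ID ID ]
Feb 4 10:02:50 router charon: 09[ENC] parsed QUICK_MODE response 1100000001 [ HASH SA No ID ID ]
Feb 4 11:02:49 router charon: 11[KNL] creating rekey job for ESP CHILD_SA with SPI c07145f2 and reqid {144}
Feb 4 11:02:49 router charon: 11[ENC] generating QUICK_MODE request 2200340093 [ HASH SA No ID ID ]
Feb 4 11:02:53 router charon: 05[IKE] sending retransmit 1 of request message ID 2200340093, seq 6
Feb 4 11:03:00 router charon: 11[IKE] sending retransmit 2 of request message ID 2200340093, seq 6
"""

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")
REKEY_RE = re.compile(r"creating rekey job for ESP CHILD_SA with SPI ([0-9a-f]+)")
REQUEST_RE = re.compile(r"generating QUICK_MODE request (\d+)")
RESPONSE_RE = re.compile(r"parsed QUICK_MODE response (\d+)")
RETRANSMIT_RE = re.compile(r"sending retransmit (\d+) of request message ID (\d+)")

def _ts(line):
    # syslog timestamps carry no year; the strptime default is fine for deltas
    return datetime.strptime(TS_RE.match(line).group(1), "%b %d %H:%M:%S")

def find_unanswered_rekeys(log_text, min_retransmits=1):
    """Return QUICK_MODE rekey requests that were retransmitted at least
    min_retransmits times and never saw a parsed response."""
    last_spi, requests = None, {}  # message ID -> request state
    for line in log_text.splitlines():
        if m := REKEY_RE.search(line):
            last_spi = m.group(1)  # the next QUICK_MODE request belongs to this SPI
        elif m := REQUEST_RE.search(line):
            requests[m.group(1)] = {"spi": last_spi, "sent": _ts(line),
                                    "last": _ts(line), "retransmits": 0, "answered": False}
        elif (m := RESPONSE_RE.search(line)) and m.group(1) in requests:
            requests[m.group(1)]["answered"] = True
        elif (m := RETRANSMIT_RE.search(line)) and m.group(2) in requests:
            r = requests[m.group(2)]
            r["retransmits"] = max(r["retransmits"], int(m.group(1)))
            r["last"] = _ts(line)
    return [{"message_id": mid, "spi": r["spi"], "retransmits": r["retransmits"],
             "unanswered_seconds": int((r["last"] - r["sent"]).total_seconds())}
            for mid, r in requests.items()
            if not r["answered"] and r["retransmits"] >= min_retransmits]

if __name__ == "__main__":
    for finding in find_unanswered_rekeys(SAMPLE_LOG):
        print(finding)
```

Run against a real /var/log/syslog, a finding like the one above pinpoints which CHILD_SA rekey the client stopped responding to, which is the moment to correlate with the client-side "no ISAKMP-SA" messages.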