Update:
I was able to catch the failure happening. This is a grepped charon.log. The
failure was detected by my NMS between 13:26 and 13:27. Why am I continually
experiencing issues with my IKEv1 tunnels? Does anyone have any insight into
this?
Jul 21 13:25:16 02[IKE] <customer-sa-01|100> queueing QUICK_DELETE task
Jul 21 13:25:16 02[IKE] <customer-sa-01|100> activating new tasks
Jul 21 13:25:16 02[IKE] <customer-sa-01|100> activating QUICK_DELETE task
Jul 21 13:25:16 02[IKE] <customer-sa-01|100> closing expired CHILD_SA customer-sa-07{18} with SPIs ca4c0040_i 8ef96c82_o and TS a.b.c.0/24 === d.e.0.0/16
Jul 21 13:25:16 02[IKE] <customer-sa-01|100> sending DELETE for ESP CHILD_SA with SPI ca4c0040
Jul 21 13:25:16 02[ENC] <customer-sa-01|100> generating INFORMATIONAL_V1 request 1724216626 [ HASH D ]
Jul 21 13:25:16 02[NET] <customer-sa-01|100> sending packet: from f.g.h.i[4500] to j.k.l.m[4500] (76 bytes)
Jul 21 13:25:16 02[IKE] <customer-sa-01|100> activating new tasks
Jul 21 13:25:16 02[IKE] <customer-sa-01|100> nothing to initiate
Jul 21 13:25:16 08[NET] sending packet: from f.g.h.i[4500] to j.k.l.m[4500]
Jul 21 13:25:16 14[IKE] <customer-sa-01|100> queueing QUICK_DELETE task
Jul 21 13:25:16 14[IKE] <customer-sa-01|100> activating new tasks
Jul 21 13:25:16 14[IKE] <customer-sa-01|100> activating QUICK_DELETE task
Jul 21 13:25:16 14[IKE] <customer-sa-01|100> activating new tasks
Jul 21 13:25:16 14[IKE] <customer-sa-01|100> nothing to initiate
Jul 21 13:29:07 13[IKE] <customer-sa-01|100> sending keep alive to j.k.l.m[4500]
Jul 21 13:29:07 08[NET] sending packet: from f.g.h.i[4500] to j.k.l.m[4500]
Jul 21 13:29:23 07[NET] received packet: from j.k.l.m[500] to f.g.h.i[500]
Jul 21 13:29:23 01[NET] <109> received packet: from j.k.l.m[500] to f.g.h.i[500] (264 bytes)
Jul 21 13:29:23 01[IKE] <109> j.k.l.m is initiating a Main Mode IKE_SA
Jul 21 13:29:23 01[NET] <109> sending packet: from f.g.h.i[500] to j.k.l.m[500] (140 bytes)
Jul 21 13:29:23 08[NET] sending packet: from f.g.h.i[500] to j.k.l.m[500]
Jul 21 13:29:23 07[NET] received packet: from j.k.l.m[500] to f.g.h.i[500]
Jul 21 13:29:23 15[NET] <109> received packet: from j.k.l.m[500] to f.g.h.i[500] (100 bytes)
Jul 21 13:29:24 07[NET] received packet: from j.k.l.m[500] to f.g.h.i[500]
Jul 21 13:29:24 14[NET] <110> received packet: from j.k.l.m[500] to f.g.h.i[500] (264 bytes)
Jul 21 13:29:24 14[IKE] <110> j.k.l.m is initiating a Main Mode IKE_SA
Jul 21 13:29:24 14[NET] <110> sending packet: from f.g.h.i[500] to j.k.l.m[500] (140 bytes)
Jul 21 13:29:24 08[NET] sending packet: from f.g.h.i[500] to j.k.l.m[500]
Jul 21 13:29:24 07[NET] received packet: from j.k.l.m[500] to f.g.h.i[500]
Jul 21 13:29:24 02[NET] <110> received packet: from j.k.l.m[500] to f.g.h.i[500] (100 bytes)
Jul 21 13:29:25 07[NET] received packet: from j.k.l.m[500] to f.g.h.i[500]
Jul 21 13:29:25 13[NET] <111> received packet: from j.k.l.m[500] to f.g.h.i[500] (264 bytes)
Jul 21 13:29:25 13[IKE] <111> j.k.l.m is initiating a Main Mode IKE_SA
-------------------Original post:------------------
Hello All,
I'm currently running this config on an active strongswan box. I am running
CentOS 6.5 (fully patched) alongside strongswan version "Linux strongSwan
U5.0.4/K2.6.32-431.3.1.el6.x86_6".
We upgraded a while back from a version that still used pluto to this new
version (which uses charon). We've started to experience random conn drops
(primarily on sa-01 and sa-05). The only way to resolve this that I've found
is to perform a 'service strongswan restart'. This is not the only conn which
experiences this, so I'm thinking this may be a configuration issue or a bug.
The problem is, I don't necessarily know much about ipsec. I'm hoping
someone can help me out. Can anyone? Please?
conn customer-sa-01
    auto=start
    rightsubnet=A.0.0.0/8
    also=customer-default

conn customer-sa-02
    auto=start
    rightsubnet=B.C.0.0/16
    also=customer-default

conn customer-sa-03
    auto=start
    rightsubnet=D.E.0.0/16
    also=customer-default

conn customer-sa-04
    auto=start
    rightsubnet=F.G.0.0/15
    also=customer-default

conn customer-sa-05
    auto=start
    rightsubnet=H.I.0.0/15
    also=customer-default

conn customer-sa-06
    auto=start
    rightsubnet=J.K.0.0/16
    also=customer-default

conn customer-sa-07
    auto=start
    rightsubnet=L.M.0.0/16
    also=customer-default

conn customer-sa-08
    auto=start
    rightsubnet=N.O.P.Q/32
    also=customer-default

conn customer-default
    keyingtries=%forever
    authby=secret
    left=R.S.T.U
    leftsubnet=V.W.X.0/24
    right=Y.Z.AA.BB
    rightallowany=yes
    keyexchange=ikev1
    ikelifetime=480m
    keylife=3600s
    mobike=no
    ike=aes256-sha1-modp1024
    esp=3des-md5
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
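Added example (editor's code, not part of the post or of strongSwan): the eight conns above all inherit their proposals from customer-default through also=, so a review of one conn is really a review of the template. The script below parses an ipsec.conf fragment the way the file is structured (a section starts in column 0, its parameters are indented), resolves also= inheritance with the conn's own values winning, and flags the algorithm tokens in the resolved ike= and esp= lines. The weak/legacy lists are my own choice and reflect well-known status: 3DES and MD5 are obsolete, a 1024-bit DH group is below current minimums, and IKEv1 itself has been deprecated in favour of IKEv2. SAMPLE_CONF is a constructed copy of two of the posted conns plus the template, with the post's placeholder addresses. Nothing here claims these settings cause the drops described; it only shows what a practitioner would want fixed in this config regardless.

```python
"""Lint an ipsec.conf fragment: resolve also= inheritance and flag weak proposals."""

# Constructed sample: two of the posted conns plus the shared template, indented
# as ipsec.conf requires. Addresses are the post's placeholders.
SAMPLE_CONF = """\
conn customer-sa-01
    auto=start
    rightsubnet=A.0.0.0/8
    also=customer-default

conn customer-sa-08
    auto=start
    rightsubnet=N.O.P.Q/32
    also=customer-default

conn customer-default
    keyingtries=%forever
    authby=secret
    left=R.S.T.U
    leftsubnet=V.W.X.0/24
    right=Y.Z.AA.BB
    rightallowany=yes
    keyexchange=ikev1
    ikelifetime=480m
    keylife=3600s
    mobike=no
    ike=aes256-sha1-modp1024
    esp=3des-md5
"""

# Editor's lists: tokens that should not appear in a new proposal, and tokens
# that still work but should be migrated away from.
WEAK = {
    "des": "single DES",
    "3des": "3DES, 64-bit block cipher (Sweet32)",
    "md5": "MD5-based integrity",
    "modp768": "768-bit DH group",
    "modp1024": "1024-bit DH group",
    "modp1536": "1536-bit DH group",
}
LEGACY = {"sha1": "SHA-1 based integrity/PRF; prefer sha256 or better"}


def parse_ipsec_conf(text):
    """Return {(kind, name): {param: value}}; 'also' is always a list of names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():                  # column 0 opens a new section
            parts = line.split(None, 1)
            name = parts[1].strip() if len(parts) > 1 else ""
            current = sections.setdefault((parts[0], name), {"also": []})
        elif current is not None:
            key, _, val = line.strip().partition("=")
            key, val = key.strip(), val.strip()
            if key == "also":
                current["also"].append(val)
            else:
                current[key] = val
    return sections


def resolve_conn(sections, name, _stack=()):
    """Merge a conn with everything it pulls in via also=; its own values win."""
    if name in _stack:
        raise ValueError(f"also= cycle through {name}")
    own = sections[("conn", name)]
    merged = {}
    for parent in own["also"]:
        merged.update(resolve_conn(sections, parent, _stack + (name,)))
    merged.update({k: v for k, v in own.items() if k != "also"})
    return merged


def check_proposals(params):
    """Flag weak/legacy tokens in ike=, esp=, ah= and the IKE version."""
    findings = []
    for param in ("ike", "esp", "ah"):
        if param not in params:
            continue
        for proposal in params[param].rstrip("!").split(","):   # '!' = strict flag
            for token in proposal.split("-"):
                token = token.strip().lower()
                if token in WEAK:
                    findings.append(f"WEAK {param}={token}: {WEAK[token]}")
                elif token in LEGACY:
                    findings.append(f"LEGACY {param}={token}: {LEGACY[token]}")
    if params.get("keyexchange", "").lower() == "ikev1":
        findings.append("LEGACY keyexchange=ikev1: IKEv1 is deprecated; plan a move to IKEv2")
    return findings


def lint_ipsec_conf(text):
    """Map every conn that is actually loaded (auto != ignore) to its findings."""
    sections = parse_ipsec_conf(text)
    report = {}
    for kind, name in sections:
        if kind != "conn":
            continue
        params = resolve_conn(sections, name)
        if params.get("auto", "ignore") == "ignore":   # pure templates are skipped
            continue
        report[name] = check_proposals(params)
    return report


if __name__ == "__main__":
    for conn, findings in lint_ipsec_conf(SAMPLE_CONF).items():
        print(conn)
        for finding in findings:
            print("   ", finding)
```

Run against the posted layout it reports the same five findings for every customer-sa-NN conn, because all of them resolve to the template's ike=aes256-sha1-modp1024 and esp=3des-md5. Any replacement proposal has to be negotiated with the peer at Y.Z.AA.BB, so the fix is a coordinated change on both ends rather than a one-sided edit.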
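Added example (editor's code, not from the post or from strongSwan): a small detector for the two signatures visible in the grepped charon.log above, the kind of thing an NMS check could run instead of waiting for the tunnel to go dark. First, "closing expired CHILD_SA", which charon logs when a CHILD_SA reaches its hard lifetime without having been replaced by a rekey; the detector flags it unless a new CHILD_SA for the same conn name is established shortly afterwards. Note that the tag <customer-sa-01|100> names the IKE_SA, while the CHILD_SA that expired belongs to customer-sa-07: all eight conns share one peer and so ride the same IKE_SA, which is why the detector keys on the conn name rather than on the IKE_SA tag. Second, the same peer starting Main Mode three times in three seconds (<109>, <110>, <111>) with no "IKE_SA ... established" line, i.e. phase 1 never completes. SAMPLE_LOG is constructed: its first seven lines are taken from the excerpt in the post, and the remaining lines are made up to show a healthy peer (p.q.r.s) whose SAs are replaced promptly. The thresholds (120 s grace, 3 initiations in 60 s) are my assumptions and should be tuned to the site.

```python
"""Flag hard-lifetime CHILD_SA expiries that are not replaced, and peers stuck
re-initiating IKEv1 Main Mode, in charon log output."""
import re
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample. Lines 1-7 follow the excerpt in the post (same placeholder
# addresses); the rest are invented to show a healthy peer, p.q.r.s.
SAMPLE_LOG = """\
Jul 21 13:25:16 02[IKE] <customer-sa-01|100> closing expired CHILD_SA customer-sa-07{18} with SPIs ca4c0040_i 8ef96c82_o and TS a.b.c.0/24 === d.e.0.0/16
Jul 21 13:25:16 02[IKE] <customer-sa-01|100> sending DELETE for ESP CHILD_SA with SPI ca4c0040
Jul 21 13:29:07 13[IKE] <customer-sa-01|100> sending keep alive to j.k.l.m[4500]
Jul 21 13:29:07 08[NET] sending packet: from f.g.h.i[4500] to j.k.l.m[4500]
Jul 21 13:29:23 01[IKE] <109> j.k.l.m is initiating a Main Mode IKE_SA
Jul 21 13:29:24 14[IKE] <110> j.k.l.m is initiating a Main Mode IKE_SA
Jul 21 13:29:25 13[IKE] <111> j.k.l.m is initiating a Main Mode IKE_SA
Jul 21 13:31:00 05[IKE] <other-sa-01|120> closing expired CHILD_SA other-sa-01{3} with SPIs c0000001_i c0000002_o and TS a.b.c.0/24 === e.f.0.0/16
Jul 21 13:31:02 05[IKE] <other-sa-01|120> CHILD_SA other-sa-01{4} established with SPIs c0000003_i c0000004_o and TS a.b.c.0/24 === e.f.0.0/16
Jul 21 13:32:10 07[IKE] <121> p.q.r.s is initiating a Main Mode IKE_SA
Jul 21 13:32:11 07[IKE] <other-sa-02|121> IKE_SA other-sa-02[121] established between f.g.h.i[f.g.h.i]...p.q.r.s[p.q.r.s]
"""

# "<name|id>" tags the IKE_SA; "<id>" alone is an IKE_SA that has no conn yet.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<thread>\d+)\[(?P<group>\w+)\](?: <(?P<sa>[^>]*)>)? (?P<msg>.*)$")
EXPIRED_RE = re.compile(r"closing expired CHILD_SA (?P<child>\S+)\{\d+\}")
CHILD_EST_RE = re.compile(r"CHILD_SA (?P<child>\S+)\{\d+\} established")
MM_INIT_RE = re.compile(r"^(?P<peer>\S+) is initiating a Main Mode IKE_SA")
IKE_EST_RE = re.compile(
    r"IKE_SA \S+\[\d+\] established between \S+?\[[^\]]*\]\.\.\.(?P<peer>[^\[\s]+)\[")


def parse_log(text):
    """Return [(timestamp, ike_sa_tag_or_None, message)] for lines in charon's format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog has no year
            events.append((ts, m["sa"], m["msg"]))
    return events


def analyse(text, grace=120, storm_count=3, storm_window=60):
    """Return human-readable findings; thresholds are assumptions, tune per site."""
    events = parse_log(text)
    findings = []

    # 1. Hard-lifetime expiry: flag unless a replacement CHILD_SA for the same
    #    conn is established within `grace` seconds of the expiry.
    established = [(ts, m["child"]) for ts, _, msg in events
                   if (m := CHILD_EST_RE.search(msg))]
    for ts, _, msg in events:
        m = EXPIRED_RE.search(msg)
        if m and not any(c == m["child"] and 0 <= (t - ts).total_seconds() <= grace
                         for t, c in established):
            findings.append(f"{ts:%b %d %H:%M:%S} CHILD_SA {m['child']} hit its hard "
                            f"lifetime and was not replaced within {grace}s")

    # 2. Main Mode storm: `storm_count` initiations from one peer inside
    #    `storm_window` seconds with no IKE_SA established in between.
    inits, ike_ok = defaultdict(list), defaultdict(list)
    for ts, _, msg in events:
        if (m := MM_INIT_RE.match(msg)):
            inits[m["peer"]].append(ts)
        elif (m := IKE_EST_RE.search(msg)):
            ike_ok[m["peer"]].append(ts)
    for peer, times in inits.items():
        for i in range(len(times) - storm_count + 1):
            first, last = times[i], times[i + storm_count - 1]
            if ((last - first).total_seconds() <= storm_window
                    and not any(first <= t <= last for t in ike_ok[peer])):
                findings.append(f"{first:%b %d %H:%M:%S} peer {peer} started Main Mode "
                                f"{storm_count} times in {storm_window}s with no IKE_SA established")
                break
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in analyse(text):
        print(finding)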