You really need to get logs from the other side. Evidently, as shown by the logs you provided, _the other side_ is requesting those tunnels. And it is likely that you did not set the value correctly. In (/etc/strongswan.d/)charon.conf, the value should be set. Check if that is the case.
On 24.07.2018 17:25, Doug Tucker wrote:
> Setting that value had a negative effect. Not only is it not deleting the
> old rekeys (they continue to accumulate at 1 every 30 seconds or so), but now
> it creates 2 installed tunnels:
>
> sph-main{8}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ccf1f516_i 968001a4_o
> sph-main{8}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
> sph-main{8}: x.x.x.x/16 === x.x.x.x/28
> sph-main{9}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c57fde42_i 7d27b8fb_o
> sph-main{9}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
> sph-main{9}: x.x.x.x/16 === x.x.x.x/28
>
> Doug Tucker
> Sr. Network Administrator
> Newscycle Solutions <http://www.newscycle.com/>
> ----------------------------------------------------------------------
> From: Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting>
> Sent: Tuesday, July 24, 2018 4:02:13 AM
> To: Doug Tucker; users@lists.strongswan.org
> Subject: Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds
>
> Hi,
>
> You can use charon.delete_rekeyed = yes. But the better solution is to check
> the logs of the CISCO side to understand why it is doing that.
>
> Kind regards
>
> Noel
>
> On 24.07.2018 05:29, Doug Tucker wrote:
>> Have an issue I've never seen before. Connecting to a remote Cisco router.
>> Have verified settings on the cisco, our rekey options look the same. We
>> get an established connection, then 30 seconds later a rekey happens and it
>> installs under the new one. This goes on forever. Here are the logs
>> showing the original and 1 rekey. If allowed to continue the number of SA
>> increments as such:
>>
>> Connections:
>> sph-main: x.x.x.x...x.x.x.x IKEv1, dpddelay=15s
>> sph-main: local: [x.x.x.x] uses pre-shared key authentication
>> sph-main: remote: [x.x.x.x] uses pre-shared key authentication
>> sph-main: child: x.x.0.0/16 === x.x.x.x/28 TUNNEL, dpdaction=clear
>> Routed Connections:
>> sph-main{1}: ROUTED, TUNNEL, reqid 1
>> sph-main{1}: x.x.0.0/16 === x.x.x.x/28
>> Security Associations (1 up, 0 connecting):
>> sph-main[1]: ESTABLISHED 3 minutes ago, x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x]
>> sph-main[1]: IKEv1 SPIs: 6a4fba86489e9e61_i a244a0079084bf87_r*, pre-shared key reauthentication in 7 hours
>> sph-main[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>> sph-main{2}: REKEYED, TUNNEL, reqid 1, expires in 7 hours
>> sph-main{2}: x.x.0.0/16 === x.x.x.x/28
>> sph-main{3}: REKEYED, TUNNEL, reqid 1, expires in 7 hours
>> sph-main{3}: x.x.0.0/16 === x.x.x.x/28
>> sph-main{4}: REKEYED, TUNNEL, reqid 1, expires in 7 hours
>> sph-main{4}: x.x.0.0/16 === x.x.x.x/28
>> sph-main{5}: REKEYED, TUNNEL, reqid 1, expires in 7 hours
>> sph-main{5}: x.x.0.0/16 === x.x.x.x/28
>> sph-main{6}: REKEYED, TUNNEL, reqid 1, expires in 7 hours
>> sph-main{6}: x.x.0.0/16 === x.x.x.x/28
>> sph-main{7}: REKEYED, TUNNEL, reqid 1, expires in 7 hours
>> sph-main{7}: x.x.0.0/16 === x.x.x.x/28
>> sph-main{8}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c781d0ed_i d0a8e566_o
>> sph-main{8}: AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
>> sph-main{8}: x.x.0.0/16 === x.x.x.x/28
>>
>> Here are my logs:
>>
>> Jul 24 03:17:31 ip-x-x-x-x journal: Suppressed 379 messages from /user.slice/user-x0.slice
>> Jul 24 03:17:31 ip-x-x-x-x charon: 11[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (34x bytes)
>> Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] parsed ID_PROT request 0 [ KE No V V V NAT-D NAT-D ]
>> Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received DPD vendor ID
>> Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] received unknown vendor ID: 9f:xx:1d:9b:4x:9f:9e:61:5e:40:3x:7e:a5:6a:96:1f
>> Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received XAuth vendor ID
>> Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] local host is behind NAT, sending keep alives
>> Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
>> Jul 24 03:17:31 ip-x-x-x-x charon: 11[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (30x bytes)
>> Jul 24 03:17:31 ip-x-x-x-x charon: 12[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (10x bytes)
>> Jul 24 03:17:31 ip-x-x-x-x charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
>> Jul 24 03:17:31 ip-x-x-x-x charon: 12[CFG] looking for pre-shared key peer configs matching x.x.x.x...x.x.x.x[x.x.x.x]
>> Jul 24 03:17:31 ip-x-x-x-x charon: 12[CFG] selected peer config "sph-main"
>> Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] IKE_SA sph-main[1] established between x.x.x.x[13.251.151.1x]...x.x.x.x[x.x.x.x]
>> Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] scheduling reauthentication in 2x02xs
>> Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] maximum IKE_SA lifetime 2x56xs
>> Jul 24 03:17:31 ip-x-x-x-x charon: 12[ENC] generating ID_PROT response 0 [ ID HASH ]
>> Jul 24 03:17:31 ip-x-x-x-x charon: 12[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (76 bytes)
>> Jul 24 03:17:31 ip-x-x-x-x charon: 14[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (3x0 bytes)
>> Jul 24 03:17:31 ip-x-x-x-x charon: 14[ENC] parsed QUICK_MODE request 225x9x7323 [ HASH SA No KE ID ID ]
>> Jul 24 03:17:31 ip-x-x-x-x charon: 14[IKE] received 460x000000 lifebytes, configured 0
>> Jul 24 03:17:31 ip-x-x-x-x charon: 14[ENC] generating QUICK_MODE response 225x9x7323 [ HASH SA No KE ID ID ]
>> Jul 24 03:17:31 ip-x-x-x-x charon: 14[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (396 bytes)
>> Jul 24 03:17:31 ip-x-x-x-x charon: 15[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (60 bytes)
>> Jul 24 03:17:31 ip-x-x-x-x charon: 15[ENC] parsed QUICK_MODE request 225x9x7323 [ HASH ]
>> Jul 24 03:17:31 ip-x-x-x-x charon: 15[IKE] CHILD_SA sph-main{2} established with SPIs cx2f9f6f_i c4cx6290_o and TS x.x.0.0/16 === x.x.x.x/2x
>>
>> Jul 24 03:17:46 ip-x-x-x-x charon: 05[IKE] sending DPD request
>> Jul 24 03:17:46 ip-x-x-x-x charon: 05[ENC] generating INFORMATIONAL_V1 request 43665939 [ HASH N(DPD) ]
>> Jul 24 03:17:46 ip-x-x-x-x charon: 05[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
>> Jul 24 03:17:46 ip-x-x-x-x charon: 07[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
>> Jul 24 03:17:46 ip-x-x-x-x charon: 07[ENC] parsed INFORMATIONAL_V1 request 1316377373 [ HASH N(DPD_ACK) ]
>> Jul 24 03:1x:01 ip-x-x-x-x charon: 09[IKE] sending DPD request
>> Jul 24 03:1x:01 ip-x-x-x-x charon: 09[ENC] generating INFORMATIONAL_V1 request 2941x32606 [ HASH N(DPD) ]
>> Jul 24 03:1x:01 ip-x-x-x-x charon: 09[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
>> Jul 24 03:1x:01 ip-x-x-x-x charon: 10[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
>> Jul 24 03:1x:01 ip-x-x-x-x charon: 10[ENC] parsed INFORMATIONAL_V1 request 465745044 [ HASH N(DPD_ACK) ]
>> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (3x0 bytes)
>> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[ENC] parsed QUICK_MODE request 1506132661 [ HASH SA No KE ID ID ]
>> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[IKE] received 460x000000 lifebytes, configured 0
>> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[IKE] detected rekeying of CHILD_SA sph-main{2}
>> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[ENC] generating QUICK_MODE response 1506132661 [ HASH SA No KE ID ID ]
>> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (396 bytes)
>> Jul 24 03:1x:02 ip-x-x-x-x charon: 12[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (60 bytes)
>> Jul 24 03:1x:02 ip-x-x-x-x charon: 12[ENC] parsed QUICK_MODE request 1506132661 [ HASH ]
>> Jul 24 03:1x:02 ip-x-x-x-x charon: 12[IKE] CHILD_SA sph-main{3} established with SPIs c3cf290a_i 1cab665a_o and TS x.x.0.0/16 === x.x.x.x/2x
>>
>> Thank you in advance for any insight into resolving this.
>>
>> Sincerely,
>>
>> Doug Tucker
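As an added example (not part of the thread above and not strongSwan's own code), the following Python script applies the reasoning in Noel's reply to charon log lines: a QUICK_MODE request that charon reports as "parsed" arrived from the peer, so the CHILD_SA established right after it was rekeyed at the peer's request, whereas a "generating QUICK_MODE request" line marks a rekey this host started. The script groups CHILD_SA establishments per connection, measures the interval between them, counts who initiated, and flags runaway rekeying. The sample log, its SPIs, message IDs and addresses, and the six-rekeys-per-hour threshold are all constructed for this example.

```python
import re
import statistics
from datetime import datetime

# Constructed sample, modelled on the charon log lines quoted in the thread.
# SPIs, message IDs and addresses are made up; the ~30 s cadence is kept.
SAMPLE_LOG = """\
Jul 24 03:17:31 gw charon: 14[ENC] parsed QUICK_MODE request 2259907323 [ HASH SA No KE ID ID ]
Jul 24 03:17:31 gw charon: 15[IKE] CHILD_SA sph-main{2} established with SPIs c02f9f6f_i c4c06290_o and TS 10.0.0.0/16 === 192.0.2.0/28
Jul 24 03:17:46 gw charon: 05[IKE] sending DPD request
Jul 24 03:18:02 gw charon: 11[ENC] parsed QUICK_MODE request 1506132661 [ HASH SA No KE ID ID ]
Jul 24 03:18:02 gw charon: 11[IKE] detected rekeying of CHILD_SA sph-main{2}
Jul 24 03:18:02 gw charon: 12[IKE] CHILD_SA sph-main{3} established with SPIs c3cf290a_i 1cab665a_o and TS 10.0.0.0/16 === 192.0.2.0/28
Jul 24 03:18:33 gw charon: 09[ENC] parsed QUICK_MODE request 881230011 [ HASH SA No KE ID ID ]
Jul 24 03:18:33 gw charon: 09[IKE] detected rekeying of CHILD_SA sph-main{3}
Jul 24 03:18:33 gw charon: 10[IKE] CHILD_SA sph-main{4} established with SPIs 0a1b2c3d_i 4e5f6071_o and TS 10.0.0.0/16 === 192.0.2.0/28
"""

# "<syslog timestamp> <host> charon: <thread>[<group>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ charon: \d+\[\w+\] (?P<msg>.*)$"
)
# Only the first Quick Mode message (the one carrying the SA payload) tells us
# who started the exchange: "parsed" = peer sent it, "generating" = we did.
QM_RE = re.compile(r"^(?P<dir>parsed|generating) QUICK_MODE request \d+ \[ HASH SA")
REKEY_RE = re.compile(r"^detected rekeying of CHILD_SA (?P<conn>\S+)\{\d+\}")
EST_RE = re.compile(r"^CHILD_SA (?P<conn>\S+)\{\d+\} established")


def _empty() -> dict:
    return {"established_at": [], "rekeys_detected": 0,
            "initiated_by": {"peer": 0, "local": 0, "unknown": 0},
            "intervals_s": []}


def analyse(log_text: str) -> dict:
    """Per-connection CHILD_SA rekey statistics parsed from charon log lines."""
    stats = {}
    pending = None  # initiator of the Quick Mode exchange currently in flight
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a charon line (e.g. a journal suppression notice)
        msg = m["msg"]
        if qm := QM_RE.match(msg):
            pending = "peer" if qm["dir"] == "parsed" else "local"
        elif rk := REKEY_RE.match(msg):
            stats.setdefault(rk["conn"], _empty())["rekeys_detected"] += 1
        elif est := EST_RE.match(msg):
            s = stats.setdefault(est["conn"], _empty())
            # syslog timestamps carry no year; only the differences are used
            s["established_at"].append(datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
            s["initiated_by"][pending or "unknown"] += 1
            pending = None
    for s in stats.values():
        t = s["established_at"]
        s["intervals_s"] = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
    return stats


def diagnose(stats: dict, max_rekeys_per_hour: int = 6) -> dict:
    """Flag connections whose CHILD_SA is replaced far faster than any sane lifetime.

    The threshold is an assumption for this example: a median interval below
    3600 / max_rekeys_per_hour seconds is reported as runaway rekeying.
    """
    verdicts = {}
    for conn, s in stats.items():
        if len(s["intervals_s"]) < 2:
            verdicts[conn] = "insufficient data"
            continue
        median = statistics.median(s["intervals_s"])
        if median < 3600 / max_rekeys_per_hour:
            who = max(s["initiated_by"], key=s["initiated_by"].get)
            verdicts[conn] = f"runaway rekeying every ~{median:.0f}s, driven by {who}"
        else:
            verdicts[conn] = "ok"
    return verdicts


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for conn, s in report.items():
        print(conn, s["initiated_by"], s["intervals_s"], "rekeys:", s["rekeys_detected"])
    print(diagnose(report))
```

Feed it a real charon log instead of SAMPLE_LOG and it tells you which side is driving the rekeys; it cannot tell you why, which is the point of the advice to pull the Cisco side's logs. The charon.delete_rekeyed = yes option mentioned above is set in the charon { ... } section of /etc/strongswan.d/charon.conf; it only removes the stale REKEYED entries after a successful rekey and does nothing to stop the peer from rekeying.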