You really need to get logs from the other side.
Evidently, as shown by the logs you provided, _the other side_ is requesting 
those tunnels.
And it is likely that you did not set the value correctly.
In (/etc/strongswan.d/)charon.conf, the value should be set. Check if that is 
the case.

On 24.07.2018 17:25, Doug Tucker wrote:
> Setting that value had a negative effect.  Not only is it not deleting the 
> old rekeys (they continue to accumulate at 1 every 30 seconds or so), but now 
> it creates 2 installed tunnels:
> 
> 
>  sph-main{8}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ccf1f516_i 
> 968001a4_o
>     sph-main{8}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, 
> rekeying in 7 hours
>     sph-main{8}:   x.x.x.x/16 === x.x.x.x/28
>     sph-main{9}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c57fde42_i 
> 7d27b8fb_o
>     sph-main{9}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, 
> rekeying in 7 hours
>     sph-main{9}:   x.x.x.x/16 === x.x.x.x/28
> 
> 
> 
> *Doug Tucker*
> 
> ------------------------------------------------------------------------
> *From:* Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting>
> *Sent:* Tuesday, July 24, 2018 4:02:13 AM
> *To:* Doug Tucker; users@lists.strongswan.org
> *Subject:* Re: [strongSwan] Strongswan 5.6.3 rekey every 30 seconds
>  
> Hi,
> 
> You can use charon.delete_rekeyed = yes. But the better solution is to check 
> the logs of the CISCO side to understand why it is doing that.
> 
> Kind regards
> 
> Noel
> 
> On 24.07.2018 05:29, Doug Tucker wrote:
>>
>> Have an issue I've never seen before.  Connecting to a remote Cisco router.  
>> Have verified settings on the cisco, our rekey options look the same.  We 
>> get an established connection, then 30 seconds later a rekey happens and it 
>> installs under the new one.  This goes on forever.  Here are the logs  
>> showing the original and 1 rekey.  If allowed to continue the number of SA 
>> increments as such:
>>
>>
>> Connections:
>>     sph-main:  x.x.x.x...x.x.x.x  IKEv1, dpddelay=15s
>>     sph-main:   local:  [x.x.x.x] uses pre-shared key authentication
>>     sph-main:   remote: [x.x.x.x] uses pre-shared key authentication
>>     sph-main:   child:  x.x.0.0/16 === x.x.x.x/28 TUNNEL, dpdaction=clear
>> Routed Connections:
>>     sph-main{1}:  ROUTED, TUNNEL, reqid 1
>>     sph-main{1}:   x.x.0.0/16 === x.x.x.x/28
>> Security Associations (1 up, 0 connecting):
>>     sph-main[1]: ESTABLISHED 3 minutes ago, 
>> x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x]
>>     sph-main[1]: IKEv1 SPIs: 6a4fba86489e9e61_i a244a0079084bf87_r*, 
>> pre-shared key reauthentication in 7 hours
>>     sph-main[1]: IKE proposal: 
>> AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>>     sph-main{2}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
>>     sph-main{2}:   x.x.0.0/16 === x.x.x.x/28
>>     sph-main{3}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
>>     sph-main{3}:   x.x.0.0/16 === x.x.x.x/28
>>     sph-main{4}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
>>     sph-main{4}:   x.x.0.0/16 === x.x.x.x/28
>>     sph-main{5}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
>>     sph-main{5}:   x.x.0.0/16 === x.x.x.x/28
>>     sph-main{6}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
>>     sph-main{6}:   x.x.0.0/16 === x.x.x.x/28
>>     sph-main{7}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
>>     sph-main{7}:   x.x.0.0/16 === x.x.x.x/28
>>     sph-main{8}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c781d0ed_i 
>> d0a8e566_o
>>     sph-main{8}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, 
>> rekeying in 7 hours
>>     sph-main{8}:   x.x.0.0/16 === x.x.x.x/28
>>
>> Here are my logs:
>>
>>
>> Jul 24 03:17:31 ip-x-x-x-x journal: Suppressed 379 messages from 
>> /user.slice/user-x0.slice
>> Jul 24 03:17:31 ip-x-x-x-x charon: 11[NET] received packet: from 
>> x.x.x.x[500] to x.x.x.x[500] (34x bytes)
>> Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] parsed ID_PROT request 0 [ KE No 
>> V V V NAT-D NAT-D ]
>> Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received DPD vendor ID
>> Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] received unknown vendor ID: 
>> 9f:xx:1d:9b:4x:9f:9e:61:5e:40:3x:7e:a5:6a:96:1f
>> Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] received XAuth vendor ID
>> Jul 24 03:17:31 ip-x-x-x-x charon: 11[IKE] local host is behind NAT, sending 
>> keep alives
>> Jul 24 03:17:31 ip-x-x-x-x charon: 11[ENC] generating ID_PROT response 0 [ 
>> KE No NAT-D NAT-D ]
>> Jul 24 03:17:31 ip-x-x-x-x charon: 11[NET] sending packet: from x.x.x.x[500] 
>> to x.x.x.x[500] (30x bytes)
>> Jul 24 03:17:31 ip-x-x-x-x charon: 12[NET] received packet: from 
>> x.x.x.x[4500] to x.x.x.x[4500] (10x bytes)
>> Jul 24 03:17:31 ip-x-x-x-x charon: 12[ENC] parsed ID_PROT request 0 [ ID 
>> HASH N(INITIAL_CONTACT) ]
>> Jul 24 03:17:31 ip-x-x-x-x charon: 12[CFG] looking for pre-shared key peer 
>> configs matching x.x.x.x...x.x.x.x[x.x.x.x]
>> Jul 24 03:17:31 ip-x-x-x-x charon: 12[CFG] selected peer config "sph-main"
>> Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] IKE_SA sph-main[1] established 
>> between x.x.x.x[13.251.151.1x]...x.x.x.x[x.x.x.x]
>> Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] scheduling reauthentication in 
>> 2x02xs
>> Jul 24 03:17:31 ip-x-x-x-x charon: 12[IKE] maximum IKE_SA lifetime 2x56xs
>> Jul 24 03:17:31 ip-x-x-x-x charon: 12[ENC] generating ID_PROT response 0 [ 
>> ID HASH ]
>> Jul 24 03:17:31 ip-x-x-x-x charon: 12[NET] sending packet: from 
>> x.x.x.x[4500] to x.x.x.x[4500] (76 bytes)
>> Jul 24 03:17:31 ip-x-x-x-x charon: 14[NET] received packet: from 
>> x.x.x.x[4500] to x.x.x.x[4500] (3x0 bytes)
>> Jul 24 03:17:31 ip-x-x-x-x charon: 14[ENC] parsed QUICK_MODE request 
>> 225x9x7323 [ HASH SA No KE ID ID ]
>> Jul 24 03:17:31 ip-x-x-x-x charon: 14[IKE] received 460x000000 lifebytes, 
>> configured 0
>> Jul 24 03:17:31 ip-x-x-x-x charon: 14[ENC] generating QUICK_MODE response 
>> 225x9x7323 [ HASH SA No KE ID ID ]
>> Jul 24 03:17:31 ip-x-x-x-x charon: 14[NET] sending packet: from 
>> x.x.x.x[4500] to x.x.x.x[4500] (396 bytes)
>> Jul 24 03:17:31 ip-x-x-x-x charon: 15[NET] received packet: from 
>> x.x.x.x[4500] to x.x.x.x[4500] (60 bytes)
>> Jul 24 03:17:31 ip-x-x-x-x charon: 15[ENC] parsed QUICK_MODE request 
>> 225x9x7323 [ HASH ]
>> Jul 24 03:17:31 ip-x-x-x-x charon: 15[IKE] CHILD_SA sph-main{2} established 
>> with SPIs cx2f9f6f_i c4cx6290_o and TS x.x.0.0/16 === x.x.x.x/2x
>>
>>
>> Jul 24 03:17:46 ip-x-x-x-x charon: 05[IKE] sending DPD request
>> Jul 24 03:17:46 ip-x-x-x-x charon: 05[ENC] generating INFORMATIONAL_V1 
>> request 43665939 [ HASH N(DPD) ]
>> Jul 24 03:17:46 ip-x-x-x-x charon: 05[NET] sending packet: from 
>> x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
>> Jul 24 03:17:46 ip-x-x-x-x charon: 07[NET] received packet: from 
>> x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
>> Jul 24 03:17:46 ip-x-x-x-x charon: 07[ENC] parsed INFORMATIONAL_V1 request 
>> 1316377373 [ HASH N(DPD_ACK) ]
>> Jul 24 03:1x:01 ip-x-x-x-x charon: 09[IKE] sending DPD request
>> Jul 24 03:1x:01 ip-x-x-x-x charon: 09[ENC] generating INFORMATIONAL_V1 
>> request 2941x32606 [ HASH N(DPD) ]
>> Jul 24 03:1x:01 ip-x-x-x-x charon: 09[NET] sending packet: from 
>> x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
>> Jul 24 03:1x:01 ip-x-x-x-x charon: 10[NET] received packet: from 
>> x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
>> Jul 24 03:1x:01 ip-x-x-x-x charon: 10[ENC] parsed INFORMATIONAL_V1 request 
>> 465745044 [ HASH N(DPD_ACK) ]
>> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[NET] received packet: from 
>> x.x.x.x[4500] to x.x.x.x[4500] (3x0 bytes)
>> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[ENC] parsed QUICK_MODE request 
>> 1506132661 [ HASH SA No KE ID ID ]
>> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[IKE] received 460x000000 lifebytes, 
>> configured 0
>> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[IKE] detected rekeying of CHILD_SA 
>> sph-main{2}
>> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[ENC] generating QUICK_MODE response 
>> 1506132661 [ HASH SA No KE ID ID ]
>> Jul 24 03:1x:02 ip-x-x-x-x charon: 11[NET] sending packet: from 
>> x.x.x.x[4500] to x.x.x.x[4500] (396 bytes)
>> Jul 24 03:1x:02 ip-x-x-x-x charon: 12[NET] received packet: from 
>> x.x.x.x[4500] to x.x.x.x[4500] (60 bytes)
>> Jul 24 03:1x:02 ip-x-x-x-x charon: 12[ENC] parsed QUICK_MODE request 
>> 1506132661 [ HASH ]
>> Jul 24 03:1x:02 ip-x-x-x-x charon: 12[IKE] CHILD_SA sph-main{3} established 
>> with SPIs c3cf290a_i 1cab665a_o and TS x.x.0.0/16 === x.x.x.x/2x
>>
>> Thank you in advance for any insight into resolving this.
>>
>>
>> Sincerely,
>>
>>
>> *Doug Tucker*
>>
>>
>>
> 

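The thread above diagnoses the problem from two artefacts: the `ipsec statusall` output, in which REKEYED CHILD_SAs accumulate under `sph-main` because the peer rekeys every 30 seconds and (with `charon.delete_rekeyed` left at its default of `no`) each replaced SA lingers until its own lifetime expires, and the charon log, in which `CHILD_SA ... established` events repeat at that cadence. The following script is an added example and is not part of the thread or of strongSwan itself. It counts CHILD_SA states per connection from status output, measures the interval between successive establishments from log lines, and checks a strongswan.conf-style fragment for `delete_rekeyed = yes` inside the `charon` section (the option is IKEv1-only and defaults to `no` in strongSwan's documentation). All sample status, log and config text is constructed here in the format shown in the thread; the function names are this example's own.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the layout of `ipsec statusall`, redacted like the thread's.
STATUS_SAMPLE = """\
Security Associations (1 up, 0 connecting):
    sph-main[1]: ESTABLISHED 3 minutes ago, x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x]
    sph-main{2}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
    sph-main{2}:   x.x.0.0/16 === x.x.x.x/28
    sph-main{3}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
    sph-main{3}:   x.x.0.0/16 === x.x.x.x/28
    sph-main{4}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c781d0ed_i d0a8e566_o
    sph-main{4}:  AES_CBC_128/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
    sph-main{4}:   x.x.0.0/16 === x.x.x.x/28
"""

# Constructed charon log lines; timestamps are chosen to mimic the ~30 s cadence.
LOG_SAMPLE = """\
Jul 24 03:17:31 ip-x-x-x-x charon: 15[IKE] CHILD_SA sph-main{2} established with SPIs cx2f9f6f_i c4cx6290_o and TS x.x.0.0/16 === x.x.x.x/28
Jul 24 03:17:46 ip-x-x-x-x charon: 05[IKE] sending DPD request
Jul 24 03:18:02 ip-x-x-x-x charon: 11[IKE] detected rekeying of CHILD_SA sph-main{2}
Jul 24 03:18:02 ip-x-x-x-x charon: 12[IKE] CHILD_SA sph-main{3} established with SPIs c3cf290a_i 1cab665a_o and TS x.x.0.0/16 === x.x.x.x/28
Jul 24 03:18:33 ip-x-x-x-x charon: 13[IKE] detected rekeying of CHILD_SA sph-main{3}
Jul 24 03:18:33 ip-x-x-x-x charon: 14[IKE] CHILD_SA sph-main{4} established with SPIs 11111111_i 22222222_o and TS x.x.0.0/16 === x.x.x.x/28
"""

# Only the state line of a CHILD_SA carries "<STATE>," right after the name.
CHILD_STATE_RE = re.compile(
    r"^\s*(?P<conn>[\w-]+)\{\d+\}:\s+(?P<state>ROUTED|REKEYED|INSTALLED),")
ESTABLISHED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*CHILD_SA (?P<conn>[\w-]+)\{\d+\} established")


def child_sa_states(status_text):
    """Count CHILD_SA states (ROUTED/REKEYED/INSTALLED) per connection name."""
    counts = defaultdict(Counter)
    for line in status_text.splitlines():
        m = CHILD_STATE_RE.match(line)
        if m:
            counts[m["conn"]][m["state"]] += 1
    return {conn: dict(c) for conn, c in counts.items()}


def lingering_rekeyed(status_text, threshold=1):
    """Connections with more REKEYED CHILD_SAs than `threshold`.

    One REKEYED entry can be normal right after a rekey; a growing pile means
    the peer keeps rekeying and the old SAs are not being deleted.
    """
    states = child_sa_states(status_text)
    return {conn: s.get("REKEYED", 0) for conn, s in states.items()
            if s.get("REKEYED", 0) > threshold}


def establishment_intervals(log_text, year=2018):
    """Seconds between successive 'CHILD_SA ... established' events per connection."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = ESTABLISHED_RE.match(line)
        if m:
            # syslog lines carry no year; the caller supplies it (assumed 2018 here).
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            times[m["conn"]].append(ts)
    return {conn: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for conn, ts in times.items()}


def is_delete_rekeyed_enabled(conf_text):
    """True if `delete_rekeyed = yes` is set directly inside the `charon { }` section.

    Minimal reader for the strongswan.conf syntax: `name {` opens a section,
    `}` closes it, `key = value` assigns, `#` starts a comment.
    """
    stack = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            if stack == ["charon"] and key.strip() == "delete_rekeyed":
                return value.strip().lower() in ("yes", "true", "1")
    return False  # unset: the documented default is no


if __name__ == "__main__":
    print("CHILD_SA states:", child_sa_states(STATUS_SAMPLE))
    print("lingering REKEYED:", lingering_rekeyed(STATUS_SAMPLE))
    print("seconds between establishments:", establishment_intervals(LOG_SAMPLE))
    print("delete_rekeyed set:", is_delete_rekeyed_enabled("charon {\n  delete_rekeyed = yes\n}\n"))
```

On a real host, feed `child_sa_states` the output of `ipsec statusall` and `establishment_intervals` the charon lines from the journal; an interval of roughly 30 seconds repeated for every new CHILD_SA, together with a growing REKEYED count, matches the symptom in this thread. Setting `delete_rekeyed` only trims the leftover SAs on the strongSwan side; as Noel points out, the rekey requests originate from the Cisco peer, so its logs and its IPsec SA lifetime settings are where the cause has to be looked for.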