Hi George, "Make-before-break: This method first creates duplicates of the IKE and all IPsec SAs overlapping with the existing ones and then deletes the old ones. This avoids interruptions but requires that both peers can handle overlapping SAs (e.g. in regards to virtual IPs, duplicate policies or updown scripts). It is supported for IKEv2 since 5.3.0 but is disabled by default and may be enabled with the charon.make_before_break strongswan.conf setting." and more useful information at https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
On 08.12.2020 18:25, george live wrote:
Hi, I have strongswan running ikev2 on aws peering with a cisco asa. The tunnel comes up fine but the problem is whenever the rekeying happens, I see the data traffic coming down. I have bgp running over IPsec and the tcp reset happens whenever the reset happens. Is there any known issue with Strongswan that causes this problem? Below are some of the traces: Logs showing the rekeying ====================== 1) cat /var/log/messages | grep 'restarting CHILD_SA' Dec 8 14:55:40 xxyy charon: 08[IKE] restarting CHILD_SA ABC Dec 8 14:55:40 xxyy charon: 08[IKE] restarting CHILD_SA ABC 2) Bgp output showing reset at same time and this is very consistent every 28800 secs bird> show protocols name proto table state since info ABC_BGP BGP master up 14:55:50 Established bird> 2) ipsec statusall no files found matching '/etc/strongswan.conf' Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.0-116-generic, x86_64): uptime: 9 hours, since Dec 08 07:13:17 2020 malloc: sbrk 2416640, mmap 0, used 456256, free 1960384 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4 loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic Listening IP addresses: 169.254.254.2 a.b.c.d xx.yy.xx.yy Connections: ABC: our_ip...customer_ip IKEv2, dpddelay=10s ABC: local: [our_ip] uses pre-shared key authentication ABC: remote: uses pre-shared key authentication ABC: child: 0.0.0.0/0 <http://0.0.0.0/0> === 0.0.0.0/0 <http://0.0.0.0/0> TUNNEL, dpdaction=restart Routed Connections: ABC{1}: ROUTED, TUNNEL, reqid 1 ABC{1}: 0.0.0.0/0 <http://0.0.0.0/0> === 0.0.0.0/0 <http://0.0.0.0/0> Security Associations (1 up, 0 connecting): ABC[2]: ESTABLISHED 100 minutes ago, our_ip[our_ip]...cust_ip[cust_ip] ABC[2]: IKEv2 SPIs: dbd89039dce34530_i* c205c6cc199e40b9_r, pre-shared key reauthentication in 6 hours ABC[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 ABC{17}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c069ca3b_i 677c60a0_o ABC{17}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 70685706 bytes_i (67965 pkts, 0s ago), 15688776 bytes_o (43835 pkts, 0s ago), rekeying in 35 minutes ABC{17}: 0.0.0.0/0 <http://0.0.0.0/0> === 0.0.0.0/0 <http://0.0.0.0/0> ABC{18}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ccde01ee_i 1bea569d_o ABC{18}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 8469388 bytes_i (9394 pkts, 0s ago), 5230408 bytes_o (8191 pkts, 0s ago), rekeying in 47 minutes ABC{18}: 0.0.0.0/0 <http://0.0.0.0/0> === 0.0.0.0/0 <http://0.0.0.0/0> 3) IPSec config cat /etc/ipsec.conf config setup charondebug="ike 1, knl 0, cfg 0" conn ABC authby=secret auto=route dpddelay=10 dpdtimeout=30 dpdaction=restart esp=aes256-sha256-modp2048 ike=aes256-sha256-modp2048 ikelifetime=28800s lifetime=1h keyexchange=ikev2 keyingtries=%forever rekey=yes margintime=9m # Specifics left=our_ip # Local private ip leftsubnet=0.0.0.0/0 <http://0.0.0.0/0> # Local VPC Subnet leftid=our_ip leftfirewall=yes rightfirewall=no right=cust_ip # Remote Tunnel IP rightid=%any rightsubnet=0.0.0.0/0 <http://0.0.0.0/0> # Remote VPC Subnet type=tunnel mark=1000 4) Charon config cat /etc/strongswan.d/charon.conf # Options for the charon IKE daemon. # Do not install routes, otherwise you'll need to 'ip route del table 220 default' for VTI routing to work charon { install_routes = no install_virtual_ip = no make_before_break = yes delete_rekeyed_delay = 10 } Are there any special configs that will not disrupt the data payload traffic during the ikev2 rekeying ? Best, Vick
-- Volodymyr Litovka "Vision without Execution is Hallucination." -- Thomas Edison