Hi Volodymyr, I disabled reauth and that fixed the problem. Thanks, George
On Tue, Dec 8, 2020 at 8:25 AM george live <georgelive2...@gmail.com> wrote:
> Hi,
> I have strongSwan running IKEv2 on AWS, peering with a Cisco ASA. The tunnel comes up fine, but the problem is that whenever the rekeying happens, I see the data traffic going down. I have BGP running over IPsec, and the TCP reset happens whenever the reset happens. Is there any known issue with strongSwan that causes this problem?
>
> Below are some of the traces:
>
> Logs showing the rekeying
> ======================
>
> 1)
> cat /var/log/messages | grep 'restarting CHILD_SA'
> Dec 8 14:55:40 xxyy charon: 08[IKE] restarting CHILD_SA ABC
> Dec 8 14:55:40 xxyy charon: 08[IKE] restarting CHILD_SA ABC
>
> 2)
> BGP output showing a reset at the same time; this is very consistent, every 28800 secs
>
> bird> show protocols
> name     proto   table   state   since      info
> ABC_BGP  BGP     master  up      14:55:50   Established
> bird>
>
> 2)
> ipsec statusall
> no files found matching '/etc/strongswan.conf'
> Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.0-116-generic, x86_64):
>   uptime: 9 hours, since Dec 08 07:13:17 2020
>   malloc: sbrk 2416640, mmap 0, used 456256, free 1960384
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
>   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
> Listening IP addresses:
>   169.254.254.2
>   a.b.c.d
>   xx.yy.xx.yy
> Connections:
>          ABC:  our_ip...customer_ip  IKEv2, dpddelay=10s
>          ABC:   local:  [our_ip] uses pre-shared key authentication
>          ABC:   remote: uses pre-shared key authentication
>          ABC:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
> Routed Connections:
>       ABC{1}:  ROUTED, TUNNEL, reqid 1
>       ABC{1}:   0.0.0.0/0 === 0.0.0.0/0
> Security Associations (1 up, 0 connecting):
>       ABC[2]: ESTABLISHED 100 minutes ago, our_ip[our_ip]...cust_ip[cust_ip]
>       ABC[2]: IKEv2 SPIs: dbd89039dce34530_i* c205c6cc199e40b9_r, pre-shared key reauthentication in 6 hours
>       ABC[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>      ABC{17}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c069ca3b_i 677c60a0_o
>      ABC{17}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 70685706 bytes_i (67965 pkts, 0s ago), 15688776 bytes_o (43835 pkts, 0s ago), rekeying in 35 minutes
>      ABC{17}:   0.0.0.0/0 === 0.0.0.0/0
>      ABC{18}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ccde01ee_i 1bea569d_o
>      ABC{18}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 8469388 bytes_i (9394 pkts, 0s ago), 5230408 bytes_o (8191 pkts, 0s ago), rekeying in 47 minutes
>      ABC{18}:   0.0.0.0/0 === 0.0.0.0/0
>
> 3) IPsec config
>
> cat /etc/ipsec.conf
>
> config setup
>     charondebug="ike 1, knl 0, cfg 0"
>
> conn ABC
>     authby=secret
>     auto=route
>     dpddelay=10
>     dpdtimeout=30
>     dpdaction=restart
>     esp=aes256-sha256-modp2048
>     ike=aes256-sha256-modp2048
>     ikelifetime=28800s
>     lifetime=1h
>     keyexchange=ikev2
>     keyingtries=%forever
>     rekey=yes
>     margintime=9m
>     # Specifics
>     left=our_ip            # Local private ip
>     leftsubnet=0.0.0.0/0   # Local VPC Subnet
>     leftid=our_ip
>     leftfirewall=yes
>     rightfirewall=no
>     right=cust_ip          # Remote Tunnel IP
>     rightid=%any
>     rightsubnet=0.0.0.0/0  # Remote VPC Subnet
>     type=tunnel
>     mark=1000
>
> 4)
> Charon config
>
> cat /etc/strongswan.d/charon.conf
> # Options for the charon IKE daemon.
> # Do not install routes, otherwise you'll need to 'ip route del table 220 default' for VTI routing to work
> charon {
>     install_routes = no
>     install_virtual_ip = no
>     make_before_break = yes
>     delete_rekeyed_delay = 10
> }
>
> Are there any special configs that will not disrupt the data payload traffic during the IKEv2 rekeying?
>
> Best,
> Vick
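The status output in the post distinguishes an IKE_SA that is scheduled for "reauthentication" (the IKE_SA and every CHILD_SA under it are replaced, which is the event the post ties to the BGP reset) from one that will merely be "rekeying". The following check is an added example, not code from the thread or from strongSwan: it parses `ipsec statusall` text and lists the IKE_SAs still headed for reauthentication, so the effect of setting `reauth=no` can be verified. The sample blocks are constructed from the quoted output; the "after" block is a hypothetical post-fix state, and the exact wording of the `rekeying in` / `rekeying disabled` variants is assumed from strongSwan's status format.

```python
import re

# Constructed samples modelled on the 'ipsec statusall' output quoted in the thread;
# SPIs and timers in STATUS_BEFORE come from the post, STATUS_AFTER is hypothetical.
STATUS_BEFORE = """\
         ABC[2]: ESTABLISHED 100 minutes ago, our_ip[our_ip]...cust_ip[cust_ip]
         ABC[2]: IKEv2 SPIs: dbd89039dce34530_i* c205c6cc199e40b9_r, pre-shared key reauthentication in 6 hours
        ABC{17}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c069ca3b_i 677c60a0_o
        ABC{17}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 70685706 bytes_i, 15688776 bytes_o, rekeying in 35 minutes
"""
STATUS_AFTER = """\
         ABC[3]: ESTABLISHED 5 minutes ago, our_ip[our_ip]...cust_ip[cust_ip]
         ABC[3]: IKEv2 SPIs: 0123456789abcdef_i* fedcba9876543210_r, rekeying in 7 hours
"""

# Matches the IKE_SA SPI line ("CONN[id]: IKEv2 SPIs: ..."); CHILD_SA lines use {n} and are skipped.
IKE_SA_RE = re.compile(
    r"^\s*(?P<conn>[^\s\[]+)\[(?P<id>\d+)\]:\s+IKEv2 SPIs:.*?,\s+"
    r"(?:(?P<auth>.+?) reauthentication in (?P<reauth_in>.+?)"
    r"|rekeying in (?P<rekey_in>.+?)"
    r"|(?P<disabled>rekeying disabled))\s*$",
    re.MULTILINE,
)

def ike_sa_lifetimes(status_text):
    """Map 'CONN[id]' -> ('reauth'|'rekey'|'disabled', timer text) for each IKE_SA.

    'reauth' means the IKE_SA and all of its CHILD_SAs get replaced when the timer
    expires; the thread reports that transition as the moment BGP over the tunnel resets.
    """
    result = {}
    for m in IKE_SA_RE.finditer(status_text):
        key = f"{m['conn']}[{m['id']}]"
        if m['reauth_in']:
            result[key] = ('reauth', m['reauth_in'])
        elif m['rekey_in']:
            result[key] = ('rekey', m['rekey_in'])
        else:
            result[key] = ('disabled', '')
    return result

def sas_with_reauth(status_text):
    """IKE_SAs still scheduled for reauthentication (expected empty once reauth=no is active)."""
    return sorted(k for k, (mode, _) in ike_sa_lifetimes(status_text).items() if mode == 'reauth')

if __name__ == '__main__':
    print('before:', sas_with_reauth(STATUS_BEFORE))  # ['ABC[2]']
    print('after: ', sas_with_reauth(STATUS_AFTER))   # []
```

On a live host the same functions can be fed the output of `ipsec statusall` read from a pipe; an empty list from `sas_with_reauth` after the config change confirms the IKE_SA will only be rekeyed in place.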