Hello Tobias,

Thank you for the link. I did have rekey=no before I changed my config and, 
while I could see the tunnel rekeying, after a couple of minutes the Windows 
client would disconnect. I only had rekey=no and not reauth, though. These 
are the logs and config ->


conn VPN_XX_xxxx
      keyexchange=ikev2
      ike=aes256-sha1-modp1024,aes256-sha256-modp2048!
      esp=aes256-sha1,aes256-sha256-modp2048!
      dpdaction=clear
      dpddelay=300s
      rekey=no
      left=1.1.1.1
      leftsubnet=0.0.0.0/0
      leftauth=pubkey
      leftcert=VPN-gateway.pem.rsa
      leftid="C=XX, ST=XXXX, L=XXXX, O=XXXXX., OU=XXX, CN=XXXX.XXXX.XXXX"
      right=%any
      rightdns=192.168.132.1,192.168.129.254
      rightsourceip=192.168.148.64/27
      rightgroups=x...@xxxxx.xxxx
      rightauth=eap-radius
      eap_identity=%identity
      auto=add




Jan 18 14:15:46 gateway charon: 10[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (348 bytes)
Jan 18 14:15:46 gateway charon: 10[ENC] parsed CREATE_CHILD_SA request 23 [ N(REKEY_SA) SA No TSi TSr ]
Jan 18 14:15:46 gateway charon: 10[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jan 18 14:15:46 gateway charon: 10[IKE] inbound CHILD_SA VPN_XX_xxxx{106878} established with SPIs cd654f29_i 499da7a6_o and TS 0.0.0.0/0 === 192.168.148.65/32
Jan 18 14:15:46 gateway charon: 10[ENC] generating CREATE_CHILD_SA response 23 [ SA No TSi TSr ]
Jan 18 14:15:46 gateway charon: 10[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (204 bytes)
Jan 18 14:15:46 gateway charon: 13[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (76 bytes)
Jan 18 14:15:46 gateway charon: 13[ENC] parsed INFORMATIONAL request 24 [ D ]
Jan 18 14:15:46 gateway charon: 13[IKE] received DELETE for ESP CHILD_SA with SPI b067bbf4
Jan 18 14:15:46 gateway charon: 13[IKE] closing CHILD_SA VPN_XX_xxxx{106779} with SPIs c1ce1b3a_i (36620023 bytes) b067bbf4_o (19263998 bytes) and TS 0.0.0.0/0 === 192.168.148.65/32
Jan 18 14:15:46 gateway charon: 13[IKE] sending DELETE for ESP CHILD_SA with SPI c1ce1b3a
Jan 18 14:15:46 gateway charon: 13[IKE] CHILD_SA closed
Jan 18 14:15:46 gateway charon: 13[IKE] outbound CHILD_SA VPN_XX_xxxx{106878} established with SPIs cd654f29_i 499da7a6_o and TS 0.0.0.0/0 === 192.168.148.65/32
Jan 18 14:15:46 gateway charon: 13[ENC] generating INFORMATIONAL response 24 [ D ]
Jan 18 14:15:46 gateway charon: 13[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (76 bytes)


Jan 18 14:25:45 gateway charon: 07[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (576 bytes)
Jan 18 14:25:45 gateway charon: 07[ENC] parsed CREATE_CHILD_SA request 25 [ EF(1/2) ]
Jan 18 14:25:45 gateway charon: 07[ENC] received fragment #1 of 2, waiting for complete IKE message
Jan 18 14:25:45 gateway charon: 06[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (80 bytes)
Jan 18 14:25:45 gateway charon: 06[ENC] parsed CREATE_CHILD_SA request 25 [ EF(2/2) ]
Jan 18 14:25:45 gateway charon: 06[ENC] received fragment #2 of 2, reassembled fragmented IKE message (572 bytes)
Jan 18 14:25:45 gateway charon: 06[ENC] parsed CREATE_CHILD_SA request 25 [ SA KE No N(FRAG_SUP) ]
Jan 18 14:25:45 gateway charon: 06[IKE] 2.2.2.2 is initiating an IKE_SA
Jan 18 14:25:45 gateway charon: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 18 14:25:45 gateway charon: 06[IKE] IKE_SA VPN_XX_xxxx[72723] rekeyed between 1.1.1.1[C=xx, ST=xxxx, L=xxxx, O=xxxx, OU=xx, CN=xxxx.xxxx.xxxx, E=xx@x]quaredfinancial.com]...2.2.2.2[192.168.10.2]
Jan 18 14:25:45 gateway charon: 06[ENC] generating CREATE_CHILD_SA response 25 [ SA No KE ]
Jan 18 14:25:45 gateway charon: 06[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (300 bytes)

Jan 18 14:25:46 gateway charon: 09[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (576 bytes)
Jan 18 14:25:46 gateway charon: 09[ENC] parsed CREATE_CHILD_SA request 25 [ EF(1/2) ]
Jan 18 14:25:46 gateway charon: 09[ENC] received fragment #1 of 2, waiting for complete IKE message
Jan 18 14:25:46 gateway charon: 05[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (80 bytes)
Jan 18 14:25:46 gateway charon: 05[ENC] parsed CREATE_CHILD_SA request 25 [ EF(2/2) ]
Jan 18 14:25:46 gateway charon: 05[ENC] received fragment #2 of 2, reassembled fragmented IKE message (572 bytes)
Jan 18 14:25:46 gateway charon: 05[ENC] parsed CREATE_CHILD_SA request 25 [ SA KE No N(FRAG_SUP) ]
Jan 18 14:25:46 gateway charon: 05[IKE] received retransmit of request with ID 25, retransmitting response
Jan 18 14:25:46 gateway charon: 05[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (300 bytes)
Jan 18 14:25:47 gateway charon: 04[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (576 bytes)
Jan 18 14:25:47 gateway charon: 04[ENC] parsed CREATE_CHILD_SA request 25 [ EF(1/2) ]
Jan 18 14:25:47 gateway charon: 04[ENC] received fragment #1 of 2, waiting for complete IKE message
Jan 18 14:25:47 gateway charon: 13[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (80 bytes)
Jan 18 14:25:47 gateway charon: 13[ENC] parsed CREATE_CHILD_SA request 25 [ EF(2/2) ]
Jan 18 14:25:47 gateway charon: 13[ENC] received fragment #2 of 2, reassembled fragmented IKE message (572 bytes)
Jan 18 14:25:47 gateway charon: 13[ENC] parsed CREATE_CHILD_SA request 25 [ SA KE No N(FRAG_SUP) ]
Jan 18 14:25:47 gateway charon: 13[IKE] received retransmit of request with ID 25, retransmitting response
Jan 18 14:25:47 gateway charon: 13[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (300 bytes)
Jan 18 14:25:50 gateway charon: 11[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (576 bytes)
Jan 18 14:25:50 gateway charon: 11[ENC] parsed CREATE_CHILD_SA request 25 [ EF(1/2) ]
Jan 18 14:25:50 gateway charon: 11[ENC] received fragment #1 of 2, waiting for complete IKE message
Jan 18 14:25:50 gateway charon: 15[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (80 bytes)
Jan 18 14:25:50 gateway charon: 15[ENC] parsed CREATE_CHILD_SA request 25 [ EF(2/2) ]
Jan 18 14:25:50 gateway charon: 15[ENC] received fragment #2 of 2, reassembled fragmented IKE message (572 bytes)
Jan 18 14:25:50 gateway charon: 15[ENC] parsed CREATE_CHILD_SA request 25 [ SA KE No N(FRAG_SUP) ]
Jan 18 14:25:50 gateway charon: 15[IKE] received retransmit of request with ID 25, retransmitting response
Jan 18 14:25:50 gateway charon: 15[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (300 bytes)
Jan 18 14:25:58 gateway charon: 08[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (576 bytes)
Jan 18 14:25:58 gateway charon: 08[ENC] parsed CREATE_CHILD_SA request 25 [ EF(1/2) ]
Jan 18 14:25:58 gateway charon: 08[ENC] received fragment #1 of 2, waiting for complete IKE message
Jan 18 14:25:58 gateway charon: 14[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (80 bytes)
Jan 18 14:25:58 gateway charon: 14[ENC] parsed CREATE_CHILD_SA request 25 [ EF(2/2) ]
Jan 18 14:25:58 gateway charon: 14[ENC] received fragment #2 of 2, reassembled fragmented IKE message (572 bytes)
Jan 18 14:25:58 gateway charon: 14[ENC] parsed CREATE_CHILD_SA request 25 [ SA KE No N(FRAG_SUP) ]
Jan 18 14:25:58 gateway charon: 14[IKE] received retransmit of request with ID 25, retransmitting response
Jan 18 14:25:58 gateway charon: 14[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (300 bytes)
Jan 18 14:26:12 gateway charon: 07[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (576 bytes)
Jan 18 14:26:12 gateway charon: 07[ENC] parsed CREATE_CHILD_SA request 25 [ EF(1/2) ]
Jan 18 14:26:12 gateway charon: 07[ENC] received fragment #1 of 2, waiting for complete IKE message
Jan 18 14:26:12 gateway charon: 06[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (80 bytes)
Jan 18 14:26:12 gateway charon: 06[ENC] parsed CREATE_CHILD_SA request 25 [ EF(2/2) ]
Jan 18 14:26:12 gateway charon: 06[ENC] received fragment #2 of 2, reassembled fragmented IKE message (572 bytes)
Jan 18 14:26:12 gateway charon: 06[ENC] parsed CREATE_CHILD_SA request 25 [ SA KE No N(FRAG_SUP) ]
Jan 18 14:26:12 gateway charon: 06[IKE] received retransmit of request with ID 25, retransmitting response
Jan 18 14:26:12 gateway charon: 06[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (300 bytes)
Jan 18 14:26:40 gateway charon: 04[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (576 bytes)
Jan 18 14:26:40 gateway charon: 04[ENC] parsed CREATE_CHILD_SA request 25 [ EF(1/2) ]
Jan 18 14:26:40 gateway charon: 04[ENC] received fragment #1 of 2, waiting for complete IKE message
Jan 18 14:26:40 gateway charon: 08[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (80 bytes)
Jan 18 14:26:40 gateway charon: 08[ENC] parsed CREATE_CHILD_SA request 25 [ EF(2/2) ]
Jan 18 14:26:40 gateway charon: 08[ENC] received fragment #2 of 2, reassembled fragmented IKE message (572 bytes)
Jan 18 14:26:40 gateway charon: 08[ENC] parsed CREATE_CHILD_SA request 25 [ SA KE No N(FRAG_SUP) ]
Jan 18 14:26:40 gateway charon: 08[IKE] received retransmit of request with ID 25, retransmitting response
Jan 18 14:26:40 gateway charon: 08[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (300 bytes)


Jan 18 14:35:38 gateway charon: 04[IKE] retransmit 1 of request with message ID 0
Jan 18 14:35:38 gateway charon: 04[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (76 bytes)

Jan 18 14:35:45 gateway charon: 09[IKE] retransmit 2 of request with message ID 0
Jan 18 14:35:45 gateway charon: 09[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (76 bytes)

Jan 18 14:35:58 gateway charon: 14[IKE] retransmit 3 of request with message ID 0
Jan 18 14:35:58 gateway charon: 14[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (76 bytes)

Jan 18 14:36:22 gateway charon: 13[IKE] retransmit 4 of request with message ID 0
Jan 18 14:36:22 gateway charon: 13[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (76 bytes)

Jan 18 14:37:04 gateway charon: 12[IKE] retransmit 5 of request with message ID 0
Jan 18 14:37:04 gateway charon: 12[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (76 bytes)

Jan 18 14:38:19 gateway charon: 13[IKE] giving up after 5 retransmits
Jan 18 14:38:19 gateway charon: 13[IKE] proper IKE_SA delete failed, peer not responding
Jan 18 14:38:19 gateway charon: 13[CFG] lease 192.168.148.65 by 'DOMAIN_X\user1' went offline


The weird thing is, if I force the rekey with stroke, it works OK.

I added reauth=no to the config now. Let's see if it rekeys.

Thanks.

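An added example (my own code, not from the strongSwan project or anyone on this list) that parses charon log lines like the ones above and summarises the pattern worth alerting on: an IKE_SA rekey, the peer then retransmitting the same CREATE_CHILD_SA request over and over, the gateway's own DELETE going unanswered, and finally the lease going offline. The sample log lines are constructed, modelled on those above, with placeholder addresses and identities.

```python
import re
from collections import Counter

# charon syslog line: "<ts> <host> charon: <thread>[<group>] <message>"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ charon: "
                     r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
REKEYED_RE = re.compile(r"IKE_SA (\S+) rekeyed between (\S+?)\[.*\]\.\.\.(\S+?)\[")
PEER_RETRANS_RE = re.compile(r"received retransmit of request with ID (\d+)")
OWN_RETRANS_RE = re.compile(r"retransmit (\d+) of request with message ID (\d+)")
LEASE_RE = re.compile(r"lease (\S+) by '([^']+)' went offline")

# Constructed sample modelled on the charon lines in the mail (placeholder peers/IDs).
SAMPLE_LOG = """\
Jan 18 14:25:45 gateway charon: 06[IKE] IKE_SA VPN_XX_xxxx[72723] rekeyed between 1.1.1.1[C=XX, CN=gw.example.test]...2.2.2.2[192.168.10.2]
Jan 18 14:25:46 gateway charon: 05[IKE] received retransmit of request with ID 25, retransmitting response
Jan 18 14:25:47 gateway charon: 13[IKE] received retransmit of request with ID 25, retransmitting response
Jan 18 14:25:50 gateway charon: 15[IKE] received retransmit of request with ID 25, retransmitting response
Jan 18 14:35:38 gateway charon: 04[IKE] retransmit 1 of request with message ID 0
Jan 18 14:38:19 gateway charon: 13[IKE] giving up after 5 retransmits
Jan 18 14:38:19 gateway charon: 13[IKE] proper IKE_SA delete failed, peer not responding
Jan 18 14:38:19 gateway charon: 13[CFG] lease 192.168.148.65 by 'DOMAIN_X\\user1' went offline
"""

def analyse(log_text, threshold=3):
    """Summarise the symptoms of an IKE_SA rekey that the peer never completed."""
    report = {"rekeyed": [], "peer_retransmits": Counter(), "own_retransmits": Counter(),
              "gave_up": False, "delete_failed": False, "leases_offline": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a charon line (or a wrapped fragment of one)
        msg = m.group("msg")
        if (r := REKEYED_RE.search(msg)):
            report["rekeyed"].append((r.group(1), r.group(2), r.group(3)))
        elif (r := PEER_RETRANS_RE.search(msg)):
            report["peer_retransmits"][int(r.group(1))] += 1  # peer never saw our reply
        elif (r := OWN_RETRANS_RE.search(msg)):
            report["own_retransmits"][int(r.group(2))] = int(r.group(1))  # peer silent to us
        elif msg.startswith("giving up after"):
            report["gave_up"] = True
        elif msg.startswith("proper IKE_SA delete failed"):
            report["delete_failed"] = True
        elif (r := LEASE_RE.search(msg)):
            report["leases_offline"].append((r.group(1), r.group(2)))
    # request IDs the peer kept retransmitting after the rekey: the stuck exchange
    report["stuck_request_ids"] = sorted(
        mid for mid, n in report["peer_retransmits"].items() if n >= threshold)
    return report
```

Feed it `journalctl -u strongswan` or syslog output; a non-empty `stuck_request_ids` together with `gave_up` is the signature of the disconnect described above, and the `rekeyed` entry tells you which peer it was.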


On 17 Jan 2022, at 15:50, Tobias Brunner <tob...@strongswan.org> wrote:

Hi Ed,

I did change ikelifetime to 360m (6 hrs) but i am still having issues. Could 
that still be the cipher?

No, you want to disable reauthentication (reauth=no) so the IKE_SA is actually 
rekeyed to avoid this error:

These are the logs after modifying ikelifetime so that the strongSwan server 
initiates the rekey before Windows ->
   charon: 06[IKE] initiator did not reauthenticate as requested
   charon: 06[IKE] IKE_SA VPN_x_xxxx[71277] will timeout in 3 minutes

A related ticket can be found at [1].

Regards,
Tobias

[1] https://wiki.strongswan.org/issues/3400
