Hello: I have a bunch of Teltonika RUT-950 routers that are running strongSwan 5.6.2. The RUT-950s are simultaneously connecting to two separate Cisco 4431 IOS-based routers using IKEv2 with asymmetric keys. I am running GRE tunnels inside the IPsec tunnels.
In general the system works fine, but from time to time I get this:

root@CORS235:~# ipsec status
Security Associations (3 up, 0 connecting):
     SOICCMP[16]: ESTABLISHED 21 minutes ago, 192.168.29.161[CORS235]...A.B.C.D[CC2router]
     SOICCMP{18}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: cd269609_i 45768b65_o
     SOICCMP{18}:   3.3.2.235/32 === 1.1.1.12/32
       SOICC[15]: ESTABLISHED 37 minutes ago, 192.168.29.161[CORS235]...C.D.E.F[CCrouter]
       SOICC{17}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7e00659_i 76c9b21a_o
       SOICC{17}:   2.2.2.235/32 === 1.1.1.10/32
       SOICC[14]: ESTABLISHED 37 minutes ago, 192.168.29.161[CORS235]...C.D.E.F[CCrouter]
       SOICC{16}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce8a8edb_i caf6788d_o
       SOICC{16}:   2.2.2.235/32 === 1.1.1.10/32

In this case the connection to SOICCMP works fine, but the tunnel with two SAs, SOICC, has no connectivity.

I have tried this option:

        reauth=no

That didn't work. My thinking was that the rekeying was happening simultaneously from the strongSwan end and the Cisco end, so I removed the above option and tried this:

conn %default
        margintime=9m
        rekeyfuzz=100%

But that didn't fix it either. An "ipsec restart" fixes it and everything comes up right.

Is there a way to work around this so that I don't have to connect to the router and issue an "ipsec restart"?

Here is the strongSwan config with the IP addresses removed:

conn SOICCMP
        leftid=keyid:CORS235
        leftauth=psk
        rightauth=psk
        leftsubnet=3.3.2.235/32
        right=B.C.D.E
        rightid=keyid:CC2router
        keyexchange=ikev2
        authby=secret
        leftfirewall=yes
        rightfirewall=no
        auto=start
        type=tunnel
        aggressive=no
        dpdaction=restart
        dpddelay=30
        dpdtimeout=30
        forceencaps=no
        keyingtries=%forever
        ike=aes256-sha256-modp2048
        ikelifetime=5h
        esp=aes256-sha256-modp2048
        keylife=4h
        rightsubnet=1.1.1.12/32

Cheers,
john

-- 
John Edward Serink
Product Applications Engineer, Advanced Positioning
Trimble Navigation Singapore PTE Ltd.
3 Harbourfront Place, #13-02 Harbourfront Tower Two, Co. Reg. No. 199204958W
Singapore 099254
Tel 65-6871-5878  Fax 65-6871-5879  DID 65-6871-5873  HP 65-9129-4250
Skype: johnserink
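As an added example (not part of the original post, and not a strongSwan tool): a small POSIX shell watchdog that parses `ipsec status` output, flags any conn that owns more than one ESTABLISHED IKE_SA (the SOICC[14]/SOICC[15] pattern shown above), and bounces only that conn with `ipsec down`/`ipsec up` instead of a blanket `ipsec restart`. It assumes the `ipsec` and `logger` commands are on the router's PATH when run in live mode; the embedded sample status block is constructed from the output in the post so the parser can be exercised offline.

```shell
#!/bin/sh
# ipsec-dup-watchdog.sh -- added example, not from the original post.
# Detects conns that own more than one ESTABLISHED IKE_SA in `ipsec status`
# output (the stale-SA-after-rekey symptom) and bounces just those conns.
# Assumes `ipsec` (strongSwan) and `logger` are on PATH for --check/--bounce.

# Constructed sample, copied from the status block in the post, one entry per line.
SAMPLE_STATUS='Security Associations (3 up, 0 connecting):
 SOICCMP[16]: ESTABLISHED 21 minutes ago, 192.168.29.161[CORS235]...A.B.C.D[CC2router]
 SOICCMP{18}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: cd269609_i 45768b65_o
 SOICCMP{18}:   3.3.2.235/32 === 1.1.1.12/32
 SOICC[15]: ESTABLISHED 37 minutes ago, 192.168.29.161[CORS235]...C.D.E.F[CCrouter]
 SOICC{17}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7e00659_i 76c9b21a_o
 SOICC{17}:   2.2.2.235/32 === 1.1.1.10/32
 SOICC[14]: ESTABLISHED 37 minutes ago, 192.168.29.161[CORS235]...C.D.E.F[CCrouter]
 SOICC{16}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce8a8edb_i caf6788d_o
 SOICC{16}:   2.2.2.235/32 === 1.1.1.10/32'

# count_ike_sas STATUS NAME
# Prints how many ESTABLISHED IKE_SAs conn NAME owns. IKE_SA lines look like
# "NAME[n]: ESTABLISHED ..."; CHILD_SA lines use braces "NAME{n}:" and never
# have ESTABLISHED as their second field, so they are skipped. Matching on
# "NAME[" keeps a query for SOICC from also counting SOICCMP.
count_ike_sas() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $2 == "ESTABLISHED" && index($1, n "[") == 1 { c++ }
        END { print c + 0 }'
}

# duplicate_ike_sas STATUS
# Prints, one per line and sorted, every conn name that owns two or more
# ESTABLISHED IKE_SAs. Prints nothing when the status is healthy.
duplicate_ike_sas() {
    printf '%s\n' "$1" | awk '
        $2 == "ESTABLISHED" && $1 ~ /\[[0-9]+\]:$/ {
            name = $1
            sub(/\[[0-9]+\]:$/, "", name)   # "SOICC[15]:" -> "SOICC"
            count[name]++
        }
        END { for (n in count) if (count[n] > 1) print n }' | sort
}

# bounce_duplicates
# Live mode: read the real `ipsec status` and, for each conn with duplicate
# IKE_SAs, tear down all of its SAs and re-initiate it. `ipsec down NAME`
# terminates every IKE_SA named NAME, so the stale and the live one both go;
# `ipsec up NAME` then re-establishes the conn. Prints the number of conns bounced.
bounce_duplicates() {
    status=$(ipsec status) || return 1
    bounced=0
    for conn in $(duplicate_ike_sas "$status"); do
        logger -t ipsec-watchdog "conn $conn has $(count_ike_sas "$status" "$conn") IKE_SAs, bouncing"
        ipsec down "$conn"
        ipsec up "$conn"
        bounced=$((bounced + 1))
    done
    echo "$bounced"
}

case "${1:-}" in
    --check)  duplicate_ike_sas "$(ipsec status)" ;;   # report only, no changes
    --bounce) bounce_duplicates ;;                     # e.g. from cron once a minute
    --demo)   duplicate_ike_sas "$SAMPLE_STATUS" ;;    # offline run on the constructed sample
esac
```

Run it with `--demo` on any machine to see the parser pick out SOICC from the sample; on the router, `--check` from a shell shows whether the condition is present right now, and `--bounce` from cron turns the manual `ipsec restart` into an automatic per-conn bounce that leaves the healthy SOICCMP tunnel alone. Bouncing still drops the one live IKE_SA along with the stale one, so expect a short outage on that conn each time it fires; the watchdog is a mitigation, and the reason the second IKE_SA stays ESTABLISHED without passing traffic still has to be read out of the charon log on both ends.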