Hi Noel:

Sorry for the late response, I made the pediatric mistake of not checking my spam folder....sigh.

I'm checking a few things and will come back to you.

Cheers,
John

On Sun, 2022-03-06 at 02:01 +0100, Noel Kuntze wrote:
> Hello John,
>
> It only makes sense to look at it with debug level logs, as shown on the
> HelpRequests[1] page.
> Speculation will not help much.
>
> Kind regards
> Noel
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>
> On 05.03.22 at 05:05, John Serink wrote:
> > Hello:
> >
> > I have a bunch of teltonica routers RUT-950 model, that are running
> > strongswan v 5.6.2.
> > The RUT-950 are simultaneously connecting to two separate Cisco 4431 IOS
> > based routers using ikev2 with asymmetric keys. I am running GRE tunnels
> > inside the IPSec tunnels.
> >
> > In general the system works fine, but from time to time I get this:
> >
> > root@CORS235:~# ipsec status
> > Security Associations (3 up, 0 connecting):
> > SOICCMP[16]: ESTABLISHED 21 minutes ago, 192.168.29.161[CORS235]...A.B.C.D[CC2router]
> > SOICCMP{18}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: cd269609_i 45768b65_o
> > SOICCMP{18}: 3.3.2.235/32 === 1.1.1.12/32
> > SOICC[15]: ESTABLISHED 37 minutes ago, 192.168.29.161[CORS235]...C.D.E.F[CCrouter]
> > SOICC{17}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7e00659_i 76c9b21a_o
> > SOICC{17}: 2.2.2.235/32 === 1.1.1.10/32
> > SOICC[14]: ESTABLISHED 37 minutes ago, 192.168.29.161[CORS235]...C.D.E.F[CCrouter]
> > SOICC{16}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce8a8edb_i caf6788d_o
> > SOICC{16}: 2.2.2.235/32 === 1.1.1.10/32
> >
> > In this case the connection to SOICCMP works fine but the tunnel with two
> > SAs, SOICC, has no connectivity.
> >
> > I have tried this option:
> >
> > reauth=no
> >
> > That didn't work.
> >
> > My thinking was that the rekeying was happening simultaneously from the
> > Strongswan end and the Cisco end, so I removed the above option and tried this:
> >
> > conn %default
> > margintime=9m
> > rekeyfuzz=100%
> >
> > But that didn't fix it either.
> >
> > An "ipsec restart" fixes it and everything comes up right.
> >
> > Is there a way to work around this so that I don't have to connect to the
> > router and issue an ipsec restart?
> >
> > Here is the strongswan config with the IP addresses removed:
> >
> > conn SOICCMP
> > leftid=keyid:CORS235
> > leftauth=psk
> > rightauth=psk
> > leftsubnet=3.3.2.235/32
> > right=B.C.D.E
> > rightid=keyid:CC2router
> > keyexchange=ikev2
> > authby=secret
> > leftfirewall=yes
> > rightfirewall=no
> > auto=start
> > type=tunnel
> > aggressive=no
> > dpdaction=restart
> > dpddelay=30
> > dpdtimeout=30
> > forceencaps=no
> > keyingtries=%forever
> > ike=aes256-sha256-modp2048
> > ikelifetime=5h
> > esp=aes256-sha256-modp2048
> > keylife=4h
> > rightsubnet=1.1.1.12/32
> >
> > Cheers,
> > john
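The symptom John describes is visible in the `ipsec status` dump itself: the SOICC connection has two ESTABLISHED IKE_SAs ([15] and [14]) carrying two CHILD_SAs with the same reqid. The following script is an added example, not code from the thread or from the strongSwan project: it parses that dump (the sample text is a copy of John's anonymised output, embedded here so the script runs offline) and reports connections holding more than one established IKE_SA, which is a condition a monitoring job could watch for before the tunnel goes dark. It assumes only the `name[id]: ESTABLISHED ...` and `name{id}: INSTALLED, ..., reqid N, ...` line shapes seen in that dump; it does not diagnose why the duplicates appear, which, as Noel says, needs debug-level logs.

```python
"""Flag connections with duplicate IKE_SAs in `ipsec status` output.

Added example for the thread above (not strongSwan code). The only
assumption is the line layout seen in the posted dump; the sample
status text below is copied from that dump, with the addresses already
anonymised by the original poster.
"""
import re
from collections import defaultdict

# IKE_SA line, e.g. "SOICC[14]: ESTABLISHED 37 minutes ago, ..."
IKE_SA_RE = re.compile(r"^\s*(?P<name>[\w-]+)\[(?P<id>\d+)\]:\s+(?P<state>[A-Z_]+)")
# CHILD_SA line, e.g. "SOICC{16}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ..."
CHILD_SA_RE = re.compile(
    r"^\s*(?P<name>[\w-]+)\{(?P<id>\d+)\}:\s+(?P<state>[A-Z_]+),.*?reqid (?P<reqid>\d+)"
)

# Constructed sample: the status dump from the thread, minus the shell prompt.
SAMPLE_STATUS = """\
Security Associations (3 up, 0 connecting):
SOICCMP[16]: ESTABLISHED 21 minutes ago, 192.168.29.161[CORS235]...A.B.C.D[CC2router]
SOICCMP{18}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: cd269609_i 45768b65_o
SOICCMP{18}: 3.3.2.235/32 === 1.1.1.12/32
SOICC[15]: ESTABLISHED 37 minutes ago, 192.168.29.161[CORS235]...C.D.E.F[CCrouter]
SOICC{17}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7e00659_i 76c9b21a_o
SOICC{17}: 2.2.2.235/32 === 1.1.1.10/32
SOICC[14]: ESTABLISHED 37 minutes ago, 192.168.29.161[CORS235]...C.D.E.F[CCrouter]
SOICC{16}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce8a8edb_i caf6788d_o
SOICC{16}: 2.2.2.235/32 === 1.1.1.10/32
"""


def parse_status(text):
    """Group established IKE_SAs and installed CHILD_SAs by connection name.

    Returns {name: {"ike": [ike_sa_id, ...], "child": [(child_sa_id, reqid), ...]}}.
    The traffic-selector lines ("name{id}: a/32 === b/32") match neither
    pattern and are skipped.
    """
    conns = defaultdict(lambda: {"ike": [], "child": []})
    for line in text.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            if m.group("state") == "ESTABLISHED":
                conns[m.group("name")]["ike"].append(int(m.group("id")))
            continue
        m = CHILD_SA_RE.match(line)
        if m and m.group("state") == "INSTALLED":
            conns[m.group("name")]["child"].append(
                (int(m.group("id")), int(m.group("reqid")))
            )
    return dict(conns)


def find_duplicate_ike_sas(text):
    """Names of connections that hold more than one ESTABLISHED IKE_SA."""
    return sorted(
        name for name, sas in parse_status(text).items() if len(sas["ike"]) > 1
    )


def report(text):
    """Human-readable summary, one line per connection; duplicates are marked."""
    lines = []
    for name, sas in sorted(parse_status(text).items()):
        flag = "DUPLICATE IKE_SA" if len(sas["ike"]) > 1 else "ok"
        lines.append(
            f"{name}: ike_sas={sas['ike']} child_sas={sas['child']} -> {flag}"
        )
    return lines


if __name__ == "__main__":
    # On a router this would be: parse the output of `ipsec status` instead.
    for line in report(SAMPLE_STATUS):
        print(line)
```

Run against the sample, `report()` marks SOICC as holding two IKE_SAs (ids 15 and 14, each with a CHILD_SA on reqid 1) while SOICCMP is reported as ok; on a live box the same functions can be fed the real `ipsec status` output so that the duplicate-SA condition is logged or alerted on rather than discovered when connectivity drops.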
