Issue #3424

IPSec will disconnect after one night

Added by ray chao about 1 month ago. Updated 26 days ago.

Status: Closed
Priority: Normal
Assignee:
Category: configuration
Affected version: 5.8.1
Resolution: No change required

Description

Test Step: Create the IPSec tunnel between devices

Actual Result: IPSec tunnel disconnects after one night

Expected Result: IPSec tunnel should stay connected until the function is manually closed

Linux strongSwan U5.8.1/K4.14.76-15.0.0
University of Applied Sciences Rapperswil, Switzerland

ipsec.conf: the two devices have the same settings; only the left and right options are exchanged.

config setup
conn test
 aggressive=no
 authby=secret
 left=10.10.10.10
 right=10.10.10.13
 leftsubnet=192.168.127.0/24
 rightsubnet=192.168.128.0/24
 type=tunnel
 esp=aes128-sha2_256-modp2048
 rekeymargin=9m
 rekeyfuzz=100%
 keyingtries=%forever
 keyexchange=ikev1
 ikelifetime=1h
 keylife=0m
 ike=aes128-sha2_256-modp2048
 auto=add
 dpddelay=30
 dpdtimeout=120
 dpdaction=hold
conn any_wan0
 left=10.10.10.10
 leftsourceip=10.10.10.10
 right=%any

After a while (not sure how long has actually passed), it will be disconnected. When the ipsec service is restarted, the connection will reconnect.
Maybe somebody has suggestions on how to track this issue?
I'm afraid that when I enable log messages the amount of information will be too large and fill up the device's space.

left.log (33 KB), ray chao, 24.04.2020 12:56
right.log (37.1 KB), ray chao, 24.04.2020 12:56

History

#1 Updated by ray chao about 1 month ago

Attached the ipsec statusall log message.

#2 Updated by Noel Kuntze about 1 month ago

  • Category set to configuration
  • Status changed from New to Feedback
  • Assignee set to Noel Kuntze

Hello,

Please create a debug log as shown on the HelpRequests page and attach it to the issue.
There seems to be a problem with QuickMode requests being queued up.

Also, please use IKEv2. There's no reason for using IKEv1 between strongSwan setups. Your conn any_wan0 also doesn't make sense. leftsourceip and rightsourceip are for requesting and assigning "virtual" IPs.

#3 Updated by ray chao 26 days ago

The root cause is the keylife rekey time being set to an invalid value.
Thanks for your support, this issue's state can be changed to closed, thanks.

#4 Updated by Tobias Brunner 26 days ago

  • Status changed from Feedback to Closed
  • Resolution set to No change required
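
The root cause named in comment #3 can be caught before a config is deployed. As an added example (not from the thread or the strongSwan project), this check applies the relation documented for ipsec.conf, rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz)), to each conn and flags lifetimes that leave no time before the earliest possible rekey. SAMPLE and all function names are constructed for illustration; `%default` and `also=` inheritance is not resolved.

```python
import re

# Constructed sample: the lifetime-related lines of the reporter's "conn test".
SAMPLE = """\
conn test
 ikelifetime=1h
 keylife=0m
 rekeymargin=9m
 rekeyfuzz=100%
"""
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
ALIASES = {"keylife": "lifetime", "rekeymargin": "margintime"}  # ipsec.conf synonyms
DEFAULTS = {"ikelifetime": "3h", "lifetime": "1h", "margintime": "9m", "rekeyfuzz": "100%"}

def seconds(value):
    """Convert an ipsec.conf time value such as 9m or 3600 to seconds."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return float(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_conns(text):
    """Return {conn name: {option: value}}; other sections are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header: "config setup" or "conn <name>"
            words = line.split()
            is_conn = words[0] == "conn" and len(words) == 2
            current = conns.setdefault(words[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[ALIASES.get(key, key)] = value
    return conns

def check_lifetimes(text):
    """List (conn, option, earliest_rekey_seconds) where no rekey window remains."""
    findings = []
    for name, opts in parse_conns(text).items():
        o = {**DEFAULTS, **opts}
        # Largest possible margin: margintime + margintime * rekeyfuzz
        worst = seconds(o["margintime"]) * (1 + float(o["rekeyfuzz"].rstrip("%")) / 100)
        for key in ("ikelifetime", "lifetime"):
            earliest = seconds(o[key]) - worst
            if earliest <= 0:
                findings.append((name, key, earliest))
    return findings
```

For the sample, `check_lifetimes(SAMPLE)` reports the `lifetime` (keylife) option of conn `test`, while `ikelifetime=1h` passes because it exceeds the 18-minute worst-case margin.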
