
Issue #3475

Strongswan tunnel disconnects once a month

Added by Edvinas Kaikaris 5 months ago. Updated 28 days ago.

Status: Closed
Priority: Normal
Category: ikev1
Affected version: 5.7.2
Resolution: No feedback

Description

Host 1

Config:

conn net-dcvpnl02ny2
    left=37.37.37.37
    leftsubnet=37.37.37.37/32[gre]
    rightsubnet=185.185.185.185/32[gre]
    leftfirewall=no
    ike=aes-sha1-modp1024
    esp=aes128gcm16-modp1024
    right=185.185.185.185
    type=tunnel
    authby=psk
    auto=start
    keyexchange=ikev1

Logs on event:

Jun  7 22:46:22 [localhost] charon: 15[IKE] initiating Main Mode IKE_SA net-dcvpnl02ny2[5828] to 185.185.185.185
Jun  7 22:46:22 [localhost] charon: 15[NET] sending packet: from 37.37.37.37[500] to 185.185.185.185[500] (240 bytes)
Jun  7 22:46:22 [localhost] charon: 12[NET] received packet: from 185.185.185.185[500] to 37.37.37.37[500] (240 bytes)
Jun  7 22:46:22 [localhost] charon: 12[IKE] 185.185.185.185 is initiating a Main Mode IKE_SA
Jun  7 22:46:22 [localhost] charon: 12[NET] sending packet: from 37.37.37.37[500] to 185.185.185.185[500] (160 bytes)
Jun  7 22:46:22 [localhost] charon: 08[NET] received packet: from 185.185.185.185[500] to 37.37.37.37[500] (160 bytes)
Jun  7 22:46:22 [localhost] charon: 08[NET] sending packet: from 37.37.37.37[500] to 185.185.185.185[500] (244 bytes)
Jun  7 22:46:22 [localhost] charon: 04[NET] received packet: from 185.185.185.185[500] to 37.37.37.37[500] (244 bytes)
Jun  7 22:46:22 [localhost] charon: 04[NET] sending packet: from 37.37.37.37[500] to 185.185.185.185[500] (244 bytes)
Jun  7 22:46:22 [localhost] charon: 11[NET] received packet: from 185.185.185.185[500] to 37.37.37.37[500] (244 bytes)
Jun  7 22:46:22 [localhost] charon: 11[NET] sending packet: from 37.37.37.37[500] to 185.185.185.185[500] (76 bytes)
Jun  7 22:46:23 [localhost] charon: 06[NET] received packet: from 185.185.185.185[500] to 37.37.37.37[500] (76 bytes)
Jun  7 22:46:23 [localhost] strongswan: 15[IKE] initiating Main Mode IKE_SA net-dcvpnl02ny2[5828] to 185.185.185.185
Jun  7 22:46:23 [localhost] strongswan: 15[NET] sending packet: from 37.37.37.37[500] to 185.185.185.185[500] (240 bytes)
Jun  7 22:46:23 [localhost] strongswan: 12[NET] received packet: from 185.185.185.185[500] to 37.37.37.37[500] (240 bytes)
Jun  7 22:46:23 [localhost] strongswan: 12[IKE] 185.185.185.185 is initiating a Main Mode IKE_SA
Jun  7 22:46:23 [localhost] strongswan: 12[NET] sending packet: from 37.37.37.37[500] to 185.185.185.185[500] (160 bytes)
Jun  7 22:46:23 [localhost] strongswan: 08[NET] received packet: from 185.185.185.185[500] to 37.37.37.37[500] (160 bytes)
Jun  7 22:46:23 [localhost] charon: 06[CFG] looking for pre-shared key peer configs matching 37.37.37.37...185.185.185.185[185.185.185.185]
Jun  7 22:46:23 [localhost] strongswan: 08[NET] sending packet: from 37.37.37.37[500] to 185.185.185.185[500] (244 bytes)
Jun  7 22:46:23 [localhost] strongswan: 04[NET] received packet: from 185.185.185.185[500] to 37.37.37.37[500] (244 bytes)
Jun  7 22:46:23 [localhost] strongswan: 04[NET] sending packet: from 37.37.37.37[500] to 185.185.185.185[500] (244 bytes)
Jun  7 22:46:23 [localhost] strongswan: 11[NET] received packet: from 185.185.185.185[500] to 37.37.37.37[500] (244 bytes)
Jun  7 22:46:23 [localhost] strongswan: 11[NET] sending packet: from 37.37.37.37[500] to 185.185.185.185[500] (76 bytes)
Jun  7 22:46:23 [localhost] strongswan: 06[NET] received packet: from 185.185.185.185[500] to 37.37.37.37[500] (76 bytes)
Jun  7 22:46:23 [localhost] strongswan: 06[CFG] looking for pre-shared key peer configs matching 37.37.37.37...185.185.185.185[185.185.185.185]
Jun  7 22:46:23 [localhost] strongswan: 06[IKE] schedule delete of duplicate IKE_SA for peer '185.185.185.185' due to uniqueness policy and suspected reauthentication
Jun  7 22:46:23 [localhost] strongswan: 06[IKE] IKE_SA net-dcvpnl02ny2[5829] established between 37.37.37.37[37.37.37.37]...185.185.185.185[185.185.185.185]
Jun  7 22:46:23 [localhost] strongswan: 06[CFG] detected duplicate IKE_SA for '185.185.185.185', triggering delete for old IKE_SA
Jun  7 22:46:23 [localhost] strongswan: 06[NET] sending packet: from 37.37.37.37[500] to 185.185.185.185[500] (76 bytes)
Jun  7 22:46:23 [localhost] strongswan: 06[IKE] deleting IKE_SA net-dcvpnl02ny2[5820] between 37.37.37.37[37.37.37.37]...185.185.185.185[185.185.185.185]
Jun  7 22:46:23 [localhost] strongswan: 06[CFG] delete for duplicate IKE_SA '185.185.185.185' timed out, keeping new IKE_SA
Jun  7 22:46:23 [localhost] charon: 06[IKE] schedule delete of duplicate IKE_SA for peer '185.185.185.185' due to uniqueness policy and suspected reauthentication
Jun  7 22:46:23 [localhost] charon: 06[IKE] IKE_SA net-dcvpnl02ny2[5829] established between 37.37.37.37[37.37.37.37]...185.185.185.185[185.185.185.185]
Jun  7 22:46:23 [localhost] charon: 06[CFG] detected duplicate IKE_SA for '185.185.185.185', triggering delete for old IKE_SA
Jun  7 22:46:23 [localhost] charon: 06[NET] sending packet: from 37.37.37.37[500] to 185.185.185.185[500] (76 bytes)
Jun  7 22:46:23 [localhost] charon: 06[IKE] deleting IKE_SA net-dcvpnl02ny2[5820] between 37.37.37.37[37.37.37.37]...185.185.185.185[185.185.185.185]
Jun  7 22:46:23 [localhost] charon: 06[CFG] delete for duplicate IKE_SA '185.185.185.185' timed out, keeping new IKE_SA
Jun  7 22:46:23 [localhost] charon: 06[NET] sending packet: from 37.37.37.37[500] to 185.185.185.185[500] (92 bytes)
Jun  7 22:46:23 [localhost] charon: 05[NET] received packet: from 185.185.185.185[500] to 37.37.37.37[500] (76 bytes)
Jun  7 22:46:23 [localhost] charon: 05[IKE] schedule delete of duplicate IKE_SA for peer '185.185.185.185' due to uniqueness policy and suspected reauthentication
Jun  7 22:46:23 [localhost] charon: 05[IKE] IKE_SA net-dcvpnl02ny2[5828] established between 37.37.37.37[37.37.37.37]...185.185.185.185[185.185.185.185]
Jun  7 22:46:23 [localhost] charon: 05[CFG] detected duplicate IKE_SA for '185.185.185.185', triggering delete for old IKE_SA
Jun  7 22:46:23 [localhost] charon: 10[IKE] deleting IKE_SA net-dcvpnl02ny2[5829] between 37.37.37.37[37.37.37.37]...185.185.185.185[185.185.185.185]
Jun  7 22:46:23 [localhost] charon: 10[CFG] delete for duplicate IKE_SA '185.185.185.185' timed out, keeping new IKE_SA
Jun  7 22:46:23 [localhost] charon: 10[NET] sending packet: from 37.37.37.37[500] to 185.185.185.185[500] (92 bytes)
Jun  7 22:46:23 [localhost] charon: 13[NET] received packet: from 185.185.185.185[500] to 37.37.37.37[500] (92 bytes)
Jun  7 22:46:23 [localhost] charon: 13[IKE] deleting IKE_SA net-dcvpnl02ny2[5828] between 37.37.37.37[37.37.37.37]...185.185.185.185[185.185.185.185]
Jun  7 22:53:15 [localhost] strongswan: 06[NET] sending packet: from 37.37.37.37[500] to 185.185.185.185[500] (92 bytes)
Jun  7 22:53:15 [localhost] strongswan: 05[NET] received packet: from 185.185.185.185[500] to 37.37.37.37[500] (76 bytes)
Jun  7 22:53:15 [localhost] strongswan: 05[IKE] schedule delete of duplicate IKE_SA for peer '185.185.185.185' due to uniqueness policy and suspected reauthentication
Jun  7 22:53:15 [localhost] strongswan: 05[IKE] IKE_SA net-dcvpnl02ny2[5828] established between 37.37.37.37[37.37.37.37]...185.185.185.185[185.185.185.185]
Jun  7 22:53:15 [localhost] strongswan: 05[CFG] detected duplicate IKE_SA for '185.185.185.185', triggering delete for old IKE_SA
Jun  7 22:53:15 [localhost] strongswan: 10[IKE] deleting IKE_SA net-dcvpnl02ny2[5829] between 37.37.37.37[37.37.37.37]...185.185.185.185[185.185.185.185]
Jun  7 22:53:15 [localhost] strongswan: 10[CFG] delete for duplicate IKE_SA '185.185.185.185' timed out, keeping new IKE_SA
Jun  7 22:53:15 [localhost] strongswan: 10[NET] sending packet: from 37.37.37.37[500] to 185.185.185.185[500] (92 bytes)
Jun  7 22:53:15 [localhost] strongswan: 13[NET] received packet: from 185.185.185.185[500] to 37.37.37.37[500] (92 bytes)
Jun  7 22:53:15 [localhost] strongswan: 13[IKE] deleting IKE_SA net-dcvpnl02ny2[5828] between 37.37.37.37[37.37.37.37]...185.185.185.185[185.185.185.185]

Host 2

Config:

conn net-dcvpnl01itx
    left=185.185.185.185
    leftsubnet=185.185.185.185/32[gre]
    rightsubnet=37.37.37.37/32[gre]
    leftfirewall=no
    ike=aes-sha1-modp1024
    esp=aes128gcm16-modp1024
    right=37.37.37.37
    type=tunnel
    authby=psk
    auto=start
    keyexchange=ikev1

Log on event:

Jun  7 22:46:22 dcvpnl002prpny2 charon: 07[IKE] initiating Main Mode IKE_SA net-dcvpnl01itx[6695] to 37.37.37.37
Jun  7 22:46:22 dcvpnl002prpny2 charon: 07[NET] sending packet: from 185.185.185.185[500] to 37.37.37.37[500] (240 bytes)
Jun  7 22:46:22 dcvpnl002prpny2 charon: 14[NET] received packet: from 37.37.37.37[500] to 185.185.185.185[500] (240 bytes)
Jun  7 22:46:22 dcvpnl002prpny2 charon: 14[IKE] 37.37.37.37 is initiating a Main Mode IKE_SA
Jun  7 22:46:22 dcvpnl002prpny2 charon: 14[NET] sending packet: from 185.185.185.185[500] to 37.37.37.37[500] (160 bytes)
Jun  7 22:46:22 dcvpnl002prpny2 charon: 10[NET] received packet: from 37.37.37.37[500] to 185.185.185.185[500] (160 bytes)
Jun  7 22:46:22 dcvpnl002prpny2 strongswan: 07[IKE] initiating Main Mode IKE_SA net-dcvpnl01itx[6695] to 37.37.37.37
Jun  7 22:46:22 dcvpnl002prpny2 strongswan: 07[NET] sending packet: from 185.185.185.185[500] to 37.37.37.37[500] (240 bytes)
Jun  7 22:46:22 dcvpnl002prpny2 strongswan: 14[NET] received packet: from 37.37.37.37[500] to 185.185.185.185[500] (240 bytes)
Jun  7 22:46:22 dcvpnl002prpny2 strongswan: 14[IKE] 37.37.37.37 is initiating a Main Mode IKE_SA
Jun  7 22:46:22 dcvpnl002prpny2 strongswan: 14[NET] sending packet: from 185.185.185.185[500] to 37.37.37.37[500] (160 bytes)
Jun  7 22:46:22 dcvpnl002prpny2 charon: 10[NET] sending packet: from 185.185.185.185[500] to 37.37.37.37[500] (244 bytes)
Jun  7 22:46:22 dcvpnl002prpny2 charon: 15[NET] received packet: from 37.37.37.37[500] to 185.185.185.185[500] (244 bytes)
Jun  7 22:46:22 dcvpnl002prpny2 charon: 15[NET] sending packet: from 185.185.185.185[500] to 37.37.37.37[500] (244 bytes)
Jun  7 22:46:23 dcvpnl002prpny2 charon: 12[NET] received packet: from 37.37.37.37[500] to 185.185.185.185[500] (244 bytes)
Jun  7 22:46:23 dcvpnl002prpny2 charon: 12[NET] sending packet: from 185.185.185.185[500] to 37.37.37.37[500] (76 bytes)
Jun  7 22:46:23 dcvpnl002prpny2 charon: 09[NET] received packet: from 37.37.37.37[500] to 185.185.185.185[500] (76 bytes)
Jun  7 22:46:23 dcvpnl002prpny2 charon: 09[CFG] looking for pre-shared key peer configs matching 185.185.185.185...37.37.37.37[37.37.37.37]
Jun  7 22:46:23 dcvpnl002prpny2 charon: 09[IKE] schedule delete of duplicate IKE_SA for peer '37.37.37.37' due to uniqueness policy and suspected reauthentication
Jun  7 22:46:23 dcvpnl002prpny2 charon: 09[IKE] IKE_SA net-dcvpnl01itx[6696] established between 185.185.185.185[185.185.185.185]...37.37.37.37[37.37.37.37]
Jun  7 22:46:23 dcvpnl002prpny2 charon: 09[CFG] detected duplicate IKE_SA for '37.37.37.37', triggering delete for old IKE_SA
Jun  7 22:46:23 dcvpnl002prpny2 charon: 09[NET] sending packet: from 185.185.185.185[500] to 37.37.37.37[500] (76 bytes)
Jun  7 22:46:23 dcvpnl002prpny2 charon: 09[IKE] deleting IKE_SA net-dcvpnl01itx[6686] between 185.185.185.185[185.185.185.185]...37.37.37.37[37.37.37.37]
Jun  7 22:46:23 dcvpnl002prpny2 charon: 09[CFG] delete for duplicate IKE_SA '37.37.37.37' timed out, keeping new IKE_SA
Jun  7 22:46:23 dcvpnl002prpny2 charon: 09[NET] sending packet: from 185.185.185.185[500] to 37.37.37.37[500] (92 bytes)
Jun  7 22:46:23 dcvpnl002prpny2 charon: 13[NET] received packet: from 37.37.37.37[500] to 185.185.185.185[500] (76 bytes)
Jun  7 22:46:23 dcvpnl002prpny2 charon: 13[IKE] schedule delete of duplicate IKE_SA for peer '37.37.37.37' due to uniqueness policy and suspected reauthentication
Jun  7 22:46:23 dcvpnl002prpny2 charon: 13[IKE] IKE_SA net-dcvpnl01itx[6695] established between 185.185.185.185[185.185.185.185]...37.37.37.37[37.37.37.37]
Jun  7 22:46:23 dcvpnl002prpny2 charon: 13[CFG] detected duplicate IKE_SA for '37.37.37.37', triggering delete for old IKE_SA
Jun  7 22:46:23 dcvpnl002prpny2 charon: 16[IKE] deleting IKE_SA net-dcvpnl01itx[6696] between 185.185.185.185[185.185.185.185]...37.37.37.37[37.37.37.37]
Jun  7 22:46:23 dcvpnl002prpny2 charon: 16[CFG] delete for duplicate IKE_SA '37.37.37.37' timed out, keeping new IKE_SA
Jun  7 22:46:23 dcvpnl002prpny2 charon: 16[NET] sending packet: from 185.185.185.185[500] to 37.37.37.37[500] (92 bytes)
Jun  7 22:46:23 dcvpnl002prpny2 charon: 11[NET] received packet: from 37.37.37.37[500] to 185.185.185.185[500] (92 bytes)
Jun  7 22:46:23 dcvpnl002prpny2 charon: 11[IKE] deleting IKE_SA net-dcvpnl01itx[6695] between 185.185.185.185[185.185.185.185]...37.37.37.37[37.37.37.37]
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 10[NET] received packet: from 37.37.37.37[500] to 185.185.185.185[500] (160 bytes)
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 10[NET] sending packet: from 185.185.185.185[500] to 37.37.37.37[500] (244 bytes)
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 15[NET] received packet: from 37.37.37.37[500] to 185.185.185.185[500] (244 bytes)
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 15[NET] sending packet: from 185.185.185.185[500] to 37.37.37.37[500] (244 bytes)
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 12[NET] received packet: from 37.37.37.37[500] to 185.185.185.185[500] (244 bytes)
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 12[NET] sending packet: from 185.185.185.185[500] to 37.37.37.37[500] (76 bytes)
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 09[NET] received packet: from 37.37.37.37[500] to 185.185.185.185[500] (76 bytes)
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 09[CFG] looking for pre-shared key peer configs matching 185.185.185.185...37.37.37.37[37.37.37.37]
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 09[IKE] schedule delete of duplicate IKE_SA for peer '37.37.37.37' due to uniqueness policy and suspected reauthentication
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 09[IKE] IKE_SA net-dcvpnl01itx[6696] established between 185.185.185.185[185.185.185.185]...37.37.37.37[37.37.37.37]
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 09[CFG] detected duplicate IKE_SA for '37.37.37.37', triggering delete for old IKE_SA
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 09[NET] sending packet: from 185.185.185.185[500] to 37.37.37.37[500] (76 bytes)
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 09[IKE] deleting IKE_SA net-dcvpnl01itx[6686] between 185.185.185.185[185.185.185.185]...37.37.37.37[37.37.37.37]
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 09[CFG] delete for duplicate IKE_SA '37.37.37.37' timed out, keeping new IKE_SA
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 09[NET] sending packet: from 185.185.185.185[500] to 37.37.37.37[500] (92 bytes)
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 13[NET] received packet: from 37.37.37.37[500] to 185.185.185.185[500] (76 bytes)
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 13[IKE] schedule delete of duplicate IKE_SA for peer '37.37.37.37' due to uniqueness policy and suspected reauthentication
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 13[IKE] IKE_SA net-dcvpnl01itx[6695] established between 185.185.185.185[185.185.185.185]...37.37.37.37[37.37.37.37]
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 13[CFG] detected duplicate IKE_SA for '37.37.37.37', triggering delete for old IKE_SA
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 16[IKE] deleting IKE_SA net-dcvpnl01itx[6696] between 185.185.185.185[185.185.185.185]...37.37.37.37[37.37.37.37]
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 16[CFG] delete for duplicate IKE_SA '37.37.37.37' timed out, keeping new IKE_SA
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 16[NET] sending packet: from 185.185.185.185[500] to 37.37.37.37[500] (92 bytes)
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 11[NET] received packet: from 37.37.37.37[500] to 185.185.185.185[500] (92 bytes)
Jun  7 22:47:09 dcvpnl002prpny2 strongswan: 11[IKE] deleting IKE_SA net-dcvpnl01itx[6695] between 185.185.185.185[185.185.185.185]...37.37.37.37[37.37.37.37]

After I do strongswan up net-dcvpnl01itx, it usually goes up and stays the same for months.

Somewhere in this forum I have read that on IKEv1 it could be due to the "auto=start" config option on both sides. Is it worth trying to change one side to auto=add and leaving the other one at "auto=start"?

Thank you.
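An added log check (not part of the issue) that reads charon lines like the ones above and reports the two facts this log shows: both ends opened Main Mode in the same second, and every IKE_SA that got established was later deleted under the uniqueness policy, so none survived. The sample is a constructed excerpt of the host 1 lines with the address pairs elided.

```python
import re
from datetime import datetime

# Constructed excerpt modelled on the host 1 charon lines in the issue (peer addresses elided).
SAMPLE_LOG = """\
Jun  7 22:46:22 [localhost] charon: 15[IKE] initiating Main Mode IKE_SA net-dcvpnl02ny2[5828] to 185.185.185.185
Jun  7 22:46:22 [localhost] charon: 12[IKE] 185.185.185.185 is initiating a Main Mode IKE_SA
Jun  7 22:46:23 [localhost] charon: 06[IKE] IKE_SA net-dcvpnl02ny2[5829] established between a...b
Jun  7 22:46:23 [localhost] charon: 06[CFG] detected duplicate IKE_SA for '185.185.185.185', triggering delete for old IKE_SA
Jun  7 22:46:23 [localhost] charon: 06[IKE] deleting IKE_SA net-dcvpnl02ny2[5820] between a...b
Jun  7 22:46:23 [localhost] charon: 05[IKE] IKE_SA net-dcvpnl02ny2[5828] established between a...b
Jun  7 22:46:23 [localhost] charon: 05[CFG] detected duplicate IKE_SA for '185.185.185.185', triggering delete for old IKE_SA
Jun  7 22:46:23 [localhost] charon: 10[IKE] deleting IKE_SA net-dcvpnl02ny2[5829] between a...b
Jun  7 22:46:23 [localhost] charon: 13[IKE] deleting IKE_SA net-dcvpnl02ny2[5828] between a...b
"""

# Message shapes taken from the charon lines; the number in [...] identifies the IKE_SA.
LOCAL_INIT = re.compile(r"initiating Main Mode IKE_SA \S+\[\d+\] to ")
PEER_INIT = re.compile(r"\S+ is initiating a Main Mode IKE_SA")
ESTABLISHED = re.compile(r"IKE_SA \S+\[(\d+)\] established")
DELETING = re.compile(r"deleting IKE_SA \S+\[(\d+)\]")
DUP_DELETE = re.compile(r"detected duplicate IKE_SA for ")

def stamp(line):
    """Syslog timestamp (no year) -> datetime; only used for deltas inside one log."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")

def analyze(log_text, window_s=5):
    """Summarise what happened to the IKE_SAs in a charon log excerpt."""
    local_init, peer_init, established, deleted, dup_deletes = [], [], set(), set(), 0
    for line in log_text.splitlines():
        if LOCAL_INIT.search(line):
            local_init.append(stamp(line))
        elif PEER_INIT.search(line):
            peer_init.append(stamp(line))
        elif m := ESTABLISHED.search(line):
            established.add(int(m.group(1)))
        elif m := DELETING.search(line):
            deleted.add(int(m.group(1)))
        elif DUP_DELETE.search(line):
            dup_deletes += 1
    # Both ends opened Main Mode within window_s seconds: the crossing initiation that
    # auto=start on both peers produces and that the uniqueness policy then tears down.
    simultaneous = any(abs((t - p).total_seconds()) <= window_s
                       for t in local_init for p in peer_init)
    surviving = sorted(established - deleted)
    return {"simultaneous_initiation": simultaneous, "duplicate_deletes": dup_deletes,
            "established": sorted(established), "deleted": sorted(deleted),
            "surviving": surviving, "tunnel_down": bool(established) and not surviving}
```

Run it over a longer excerpt to see whether the "deleting" lines ever leave an IKE_SA standing; for this log they do not, which matches the tunnel being down until a manual strongswan up.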

History

#1 Updated by Tobias Brunner 5 months ago

  • Category set to ikev1
  • Status changed from New to Feedback

Maybe not directly related, but you probably don't want to use the duplicheck plugin (read what it does).

Somewhere in this forum I have read that on IKEv1 it could be due to the "auto=start" config option on both sides. Is it worth trying to change one side to auto=add and leaving the other one at "auto=start"?

Definitely possible that this causes such issues.

But please NEVER use IKEv1 between two instances of strongSwan, that just doesn't make any sense. Use IKEv2.
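An added configuration pair (not from the issue or the maintainer) that applies the three points of this reply to the two conns quoted in the description: IKEv2 on both ends, auto=start on only one of them, and the duplicheck plugin not loaded. The proposals are copied unchanged from the original config; the strongswan.conf stanza uses the generic charon.plugins.<name>.load switch.

```conf
# Host 1 (37.37.37.37): /etc/ipsec.conf, the only side that initiates
conn net-dcvpnl02ny2
    keyexchange=ikev2
    left=37.37.37.37
    leftsubnet=37.37.37.37/32[gre]
    right=185.185.185.185
    rightsubnet=185.185.185.185/32[gre]
    leftfirewall=no
    ike=aes-sha1-modp1024
    esp=aes128gcm16-modp1024
    type=tunnel
    authby=psk
    auto=start

# Host 2 (185.185.185.185): /etc/ipsec.conf, loaded but waiting for host 1
conn net-dcvpnl01itx
    keyexchange=ikev2
    left=185.185.185.185
    leftsubnet=185.185.185.185/32[gre]
    right=37.37.37.37
    rightsubnet=37.37.37.37/32[gre]
    leftfirewall=no
    ike=aes-sha1-modp1024
    esp=aes128gcm16-modp1024
    type=tunnel
    authby=psk
    auto=add

# Both hosts: /etc/strongswan.conf, keep the duplicheck plugin out of charon
charon {
    plugins {
        duplicheck {
            load = no
        }
    }
}
```

With this split only host 1 ever sends the first IKE message, so the crossing Main Mode exchanges in the logs above cannot occur; host 2 still accepts and rekeys the tunnel as responder.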

#2 Updated by Tobias Brunner 28 days ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No feedback
