Issue #3683
IKEv2 connection fails to rekey
Description
I make a connection between two hosts with strongSwan 5.8.1 on both sides. I use IKEv2. To increase rekey events,
I want to rekey exactly after 30 minutes, so I use these lifetime params:
rekeymargin=0m rekeyfuzz=0% ikelifetime=30m keylife=480m
After the connection is successfully established, after 30 minutes it does start the rekey action, but it cannot establish successfully.
My configuration (ipsec.conf):
# ipsec.conf on 10.10.10.10
config setup

conn test
    aggressive=no
    authby=secret
    left=10.10.10.10
    right=10.10.10.11
    leftsubnet=192.168.127.0/24
    rightsubnet=192.168.128.0/24
    type=tunnel
    esp=3des-sha2_256
    rekeymargin=0m
    rekeyfuzz=0%
    keyingtries=%forever
    keyexchange=ikev2
    ikelifetime=30m
    keylife=480m
    ike=3des-sha2_256-modp1024
    auto=start

conn any_wan0
    left=10.10.10.10
    leftsourceip=10.10.10.10
    right=%any

# ipsec.conf on 10.10.10.11
config setup

conn test
    aggressive=no
    authby=secret
    left=10.10.10.11
    right=10.10.10.10
    leftsubnet=192.168.128.0/24
    rightsubnet=192.168.127.0/24
    type=tunnel
    esp=3des-sha2_256
    rekeymargin=0m
    rekeyfuzz=0%
    keyingtries=%forever
    keyexchange=ikev2
    ikelifetime=30m
    keylife=480m
    ike=3des-sha2_256-modp1024
    auto=start
    dpddelay=0
    dpdtimeout=0
    dpdaction=hold

conn any_wan0
    left=10.10.10.11
    leftsourceip=10.10.10.11
    right=%any
I got this result on both peers:
There are some messages "IKE_SA to rekey not found" and "IKE_SA checkout not successful".
Is there a wrong setting in the rekey options?
Jan 28 12:17:16 01[JOB] got event, queuing job for execution
Jan 28 12:17:16 01[JOB] got event, queuing job for execution
Jan 28 12:17:16 01[JOB] next event in 3s 408ms, waiting
Jan 28 12:17:16 11[MGR] checkout IKEv2 SA with SPIs cb4d158af8f03731_i c85e2ec1cd1ee1d8_r
Jan 28 12:17:16 11[MGR] IKE_SA checkout not successful
Jan 28 12:17:16 04[MGR] checkout IKEv2 SA with SPIs cb4d158af8f03731_i c85e2ec1cd1ee1d8_r
Jan 28 12:17:16 04[MGR] IKE_SA checkout not successful
Jan 28 12:17:16 11[JOB] IKE_SA to rekey not found
Jan 28 12:17:19 02[NET] received packet: from 10.10.10.10[4500] to 10.10.10.11[4500]
Jan 28 12:17:19 02[ENC] parsing header of message
Jan 28 12:17:19 02[ENC] parsing HEADER payload, 72 bytes left
Jan 28 12:17:19 02[ENC] parsing rule 0 IKE_SPI
Jan 28 12:17:19 02[ENC] parsing rule 1 IKE_SPI
Jan 28 12:17:19 02[ENC] parsing rule 2 U_INT_8
Jan 28 12:17:19 02[ENC] parsing rule 3 U_INT_4
Jan 28 12:17:19 02[ENC] parsing rule 4 U_INT_4
Jan 28 12:17:19 02[ENC] parsing rule 5 U_INT_8
Jan 28 12:17:19 02[ENC] parsing rule 6 RESERVED_BIT
Jan 28 12:17:19 02[ENC] parsing rule 7 RESERVED_BIT
Jan 28 12:17:19 02[ENC] parsing rule 8 FLAG
Jan 28 12:17:19 02[ENC] parsing rule 9 FLAG
Jan 28 12:17:19 02[ENC] parsing rule 10 FLAG
Jan 28 12:17:19 02[ENC] parsing rule 11 FLAG
Jan 28 12:17:19 02[ENC] parsing rule 12 FLAG
Jan 28 12:17:19 02[ENC] parsing rule 13 FLAG
Jan 28 12:17:19 02[ENC] parsing rule 14 U_INT_32
Jan 28 12:17:19 02[ENC] parsing rule 15 HEADER_LENGTH
Jan 28 12:17:19 02[ENC] parsing HEADER payload finished
Jan 28 12:17:19 02[ENC] parsed a INFORMATIONAL request header
Jan 28 12:17:19 02[NET] waiting for data on sockets
Jan 28 12:17:19 09[MGR] checkout IKEv2 SA by message with SPIs 6818ea1f5dcee434_i b93147c42996e966_r
Jan 28 12:17:19 09[MGR] IKE_SA test[1] successfully checked out
Jan 28 12:17:19 09[NET] <test|1> received packet: from 10.10.10.10[4500] to 10.10.10.11[4500] (72 bytes)
Jan 28 12:17:19 09[ENC] <test|1> parsing body of message, first payload is ENCRYPTED
Jan 28 12:17:19 09[ENC] <test|1> starting parsing a ENCRYPTED payload
Jan 28 12:17:19 09[ENC] <test|1> parsing ENCRYPTED payload, 44 bytes left
Jan 28 12:17:19 09[ENC] <test|1> parsing rule 0 U_INT_8
Jan 28 12:17:19 09[ENC] <test|1> parsing rule 1 U_INT_8
Jan 28 12:17:19 09[ENC] <test|1> parsing rule 2 PAYLOAD_LENGTH
Jan 28 12:17:19 09[ENC] <test|1> parsing rule 3 CHUNK_DATA
Jan 28 12:17:19 09[ENC] <test|1> parsing ENCRYPTED payload finished
Jan 28 12:17:19 09[ENC] <test|1> verifying payload of type ENCRYPTED
Jan 28 12:17:19 09[ENC] <test|1> ENCRYPTED payload verified, adding to payload list
Jan 28 12:17:19 09[ENC] <test|1> ENCRYPTED payload found, stop parsing
Jan 28 12:17:19 09[ENC] <test|1> process payload of type ENCRYPTED
Jan 28 12:17:19 09[ENC] <test|1> found an encrypted payload
Jan 28 12:17:19 09[ENC] <test|1> parsing DELETE payload, 8 bytes left
Jan 28 12:17:19 09[ENC] <test|1> parsing rule 0 U_INT_8
Jan 28 12:17:19 09[ENC] <test|1> parsing rule 1 FLAG
Jan 28 12:17:19 09[ENC] <test|1> parsing rule 2 RESERVED_BIT
Jan 28 12:17:19 09[ENC] <test|1> parsing rule 3 RESERVED_BIT
Jan 28 12:17:19 09[ENC] <test|1> parsing rule 4 RESERVED_BIT
Jan 28 12:17:19 09[ENC] <test|1> parsing rule 5 RESERVED_BIT
Jan 28 12:17:19 09[ENC] <test|1> parsing rule 6 RESERVED_BIT
Jan 28 12:17:19 09[ENC] <test|1> parsing rule 7 RESERVED_BIT
Jan 28 12:17:19 09[ENC] <test|1> parsing rule 8 RESERVED_BIT
Jan 28 12:17:19 09[ENC] <test|1> parsing rule 9 PAYLOAD_LENGTH
Jan 28 12:17:19 09[ENC] <test|1> parsing rule 10 U_INT_8
Jan 28 12:17:19 09[ENC] <test|1> parsing rule 11 U_INT_8
Jan 28 12:17:19 09[ENC] <test|1> parsing rule 12 U_INT_16
Jan 28 12:17:19 09[ENC] <test|1> parsing rule 13 CHUNK_DATA
Jan 28 12:17:19 09[ENC] <test|1> parsing DELETE payload finished
Jan 28 12:17:19 09[ENC] <test|1> parsed content of encrypted payload
Jan 28 12:17:19 09[ENC] <test|1> insert decrypted payload of type DELETE at end of list
Jan 28 12:17:19 09[ENC] <test|1> verifying message structure
Jan 28 12:17:19 09[ENC] <test|1> found payload of type DELETE
Jan 28 12:17:19 09[ENC] <test|1> parsed INFORMATIONAL request 0 [ D ]
Jan 28 12:17:19 09[IKE] <test|1> received DELETE for IKE_SA test[1]
Jan 28 12:17:19 09[IKE] <test|1> deleting IKE_SA test[1] between 10.10.10.11[10.10.10.11]...10.10.10.10[10.10.10.10]
Jan 28 12:17:19 09[IKE] <test|1> IKE_SA test[1] state change: ESTABLISHED => DELETING
Jan 28 12:17:19 09[IKE] <test|1> IKE_SA deleted
Jan 28 12:17:19 09[ENC] <test|1> order payloads in message
Jan 28 12:17:19 09[ENC] <test|1> generating INFORMATIONAL response 0 [ ]
Jan 28 12:17:19 09[ENC] <test|1> generating payload of type HEADER
Jan 28 12:17:19 09[ENC] <test|1> generating rule 0 IKE_SPI
Jan 28 12:17:19 09[ENC] <test|1> generating rule 1 IKE_SPI
Jan 28 12:17:19 09[ENC] <test|1> generating rule 2 U_INT_8
Jan 28 12:17:19 09[ENC] <test|1> generating rule 3 U_INT_4
Jan 28 12:17:19 09[ENC] <test|1> generating rule 4 U_INT_4
Jan 28 12:17:19 09[ENC] <test|1> generating rule 5 U_INT_8
Jan 28 12:17:19 09[ENC] <test|1> generating rule 6 RESERVED_BIT
Jan 28 12:17:19 09[ENC] <test|1> generating rule 7 RESERVED_BIT
Jan 28 12:17:19 09[ENC] <test|1> generating rule 8 FLAG
Jan 28 12:17:19 09[ENC] <test|1> generating rule 9 FLAG
Jan 28 12:17:19 09[ENC] <test|1> generating rule 10 FLAG
Jan 28 12:17:19 09[ENC] <test|1> generating rule 11 FLAG
Jan 28 12:17:19 09[ENC] <test|1> generating rule 12 FLAG
Jan 28 12:17:19 09[ENC] <test|1> generating rule 13 FLAG
Jan 28 12:17:19 09[ENC] <test|1> generating rule 14 U_INT_32
Jan 28 12:17:19 09[ENC] <test|1> generating rule 15 HEADER_LENGTH
Jan 28 12:17:19 09[ENC] <test|1> generating HEADER payload finished
Jan 28 12:17:19 09[ENC] <test|1> generating payload of type ENCRYPTED
Jan 28 12:17:19 09[ENC] <test|1> generating rule 0 U_INT_8
Jan 28 12:17:19 09[ENC] <test|1> generating rule 1 U_INT_8
Jan 28 12:17:19 09[ENC] <test|1> generating rule 2 PAYLOAD_LENGTH
Jan 28 12:17:19 09[ENC] <test|1> generating rule 3 CHUNK_DATA
Jan 28 12:17:19 09[ENC] <test|1> generating ENCRYPTED payload finished
Jan 28 12:17:19 09[NET] <test|1> sending packet: from 10.10.10.11[4500] to 10.10.10.10[4500] (64 bytes)
Jan 28 12:17:19 09[MGR] <test|1> checkin and destroy IKE_SA test[1]
Jan 28 12:17:19 03[NET] sending packet: from 10.10.10.11[4500] to 10.10.10.10[4500]
Jan 28 12:17:19 09[IKE] <test|1> IKE_SA test[1] state change: DELETING => DESTROYING
Jan 28 12:17:19 09[CHD] <test|1> CHILD_SA test{2} state change: INSTALLED => DESTROYING
Jan 28 12:17:19 09[KNL] <test|1> deleting policy 192.168.128.0/24 === 192.168.127.0/24 out
Jan 28 12:17:19 09[KNL] <test|1> getting iface index for WAN
Jan 28 12:17:19 13[JOB] watched FD 13 ready to read
Jan 28 12:17:19 13[JOB] watcher going to poll() 4 fds
Jan 28 12:17:19 09[KNL] <test|1> deleting policy 192.168.127.0/24 === 192.168.128.0/24 in
Jan 28 12:17:19 13[JOB] watcher got notification, rebuilding
Jan 28 12:17:19 13[JOB] watcher going to poll() 5 fds
Jan 28 12:17:19 09[KNL] <test|1> deleting policy 192.168.127.0/24 === 192.168.128.0/24 fwd
Jan 28 12:17:19 09[KNL] <test|1> deleting SAD entry with SPI c87462d5
Jan 28 12:17:19 09[KNL] <test|1> deleted SAD entry with SPI c87462d5
Jan 28 12:17:19 09[KNL] <test|1> deleting SAD entry with SPI ca5207e9
Jan 28 12:17:19 09[KNL] <test|1> deleted SAD entry with SPI ca5207e9
Jan 28 12:17:19 09[MGR] checkin and destroy of IKE_SA successful
Jan 28 12:17:19 01[JOB] got event, queuing job for execution
Jan 28 12:17:19 01[JOB] got event, queuing job for execution
Jan 28 12:17:19 01[JOB] no events, waiting
Jan 28 12:17:19 12[MGR] checkout IKEv2 SA with SPIs 6818ea1f5dcee434_i b93147c42996e966_r
Jan 28 12:17:19 12[MGR] IKE_SA checkout not successful
Jan 28 12:17:19 12[JOB] *IKE_SA to rekey not found*
Jan 28 12:17:19 14[MGR] checkout IKEv2 SA with SPIs 6818ea1f5dcee434_i b93147c42996e966_r
Jan 28 12:17:19 14[MGR] IKE_SA checkout not successful
Jan 28 12:17:23 13[JOB] watched FD 14 ready to read
Jan 28 12:17:23 13[JOB] watcher going to poll() 4 fds
Jan 28 12:17:23 13[JOB] watcher got notification, rebuilding
Jan 28 12:17:23 13[JOB] watcher going to poll() 5 fds
Jan 28 12:16:00 01[JOB] got event, queuing job for execution
Jan 28 12:16:00 01[JOB] got event, queuing job for execution
Jan 28 12:16:00 07[MGR] checkout IKEv2 SA with SPIs cb4d158af8f03731_i c85e2ec1cd1ee1d8_r
Jan 28 12:16:00 01[JOB] next event in 3s 388ms, waiting
Jan 28 12:16:00 07[MGR] IKE_SA checkout not successful
Jan 28 12:16:00 04[MGR] checkout IKEv2 SA with SPIs cb4d158af8f03731_i c85e2ec1cd1ee1d8_r
Jan 28 12:16:00 07[JOB] IKE_SA to rekey not found
Jan 28 12:16:00 04[MGR] IKE_SA checkout not successful
Jan 28 12:16:04 01[JOB] got event, queuing job for execution
Jan 28 12:16:04 01[JOB] got event, queuing job for execution
Jan 28 12:16:04 01[JOB] no events, waiting
Jan 28 12:16:04 13[MGR] checkout IKEv2 SA with SPIs 6818ea1f5dcee434_i b93147c42996e966_r
Jan 28 12:16:04 13[MGR] IKE_SA test[2] successfully checked out
Jan 28 12:16:04 13[IKE] <test|2> queueing IKE_DELETE task
Jan 28 12:16:04 13[IKE] <test|2> activating new tasks
Jan 28 12:16:04 13[IKE] <test|2> activating IKE_DELETE task
Jan 28 12:16:04 13[IKE] <test|2> deleting IKE_SA test[2] between 10.10.10.10[10.10.10.10]...10.10.10.11[10.10.10.11]
Jan 28 12:16:04 13[ENC] <test|2> added payload of type DELETE to message
Jan 28 12:16:04 13[IKE] <test|2> IKE_SA test[2] state change: ESTABLISHED => DELETING
Jan 28 12:16:04 12[MGR] checkout IKEv2 SA with SPIs 6818ea1f5dcee434_i b93147c42996e966_r
Jan 28 12:16:04 13[IKE] <test|2> sending DELETE for IKE_SA test[2]
Jan 28 12:16:04 13[ENC] <test|2> order payloads in message
Jan 28 12:16:04 13[ENC] <test|2> added payload of type DELETE to message
Jan 28 12:16:04 13[ENC] <test|2> generating INFORMATIONAL request 0 [ D ]
Jan 28 12:16:04 13[ENC] <test|2> insert payload DELETE into encrypted payload
Jan 28 12:16:04 13[ENC] <test|2> generating payload of type HEADER
Jan 28 12:16:04 13[ENC] <test|2> generating rule 0 IKE_SPI
Jan 28 12:16:04 13[ENC] <test|2> generating rule 1 IKE_SPI
Jan 28 12:16:04 13[ENC] <test|2> generating rule 2 U_INT_8
Jan 28 12:16:04 13[ENC] <test|2> generating rule 3 U_INT_4
Jan 28 12:16:04 13[ENC] <test|2> generating rule 4 U_INT_4
Jan 28 12:16:04 13[ENC] <test|2> generating rule 5 U_INT_8
Jan 28 12:16:04 13[ENC] <test|2> generating rule 6 RESERVED_BIT
Jan 28 12:16:04 13[ENC] <test|2> generating rule 7 RESERVED_BIT
Jan 28 12:16:04 13[ENC] <test|2> generating rule 8 FLAG
Jan 28 12:16:04 13[ENC] <test|2> generating rule 9 FLAG
Jan 28 12:16:04 13[ENC] <test|2> generating rule 10 FLAG
Jan 28 12:16:04 13[ENC] <test|2> generating rule 11 FLAG
Jan 28 12:16:04 13[ENC] <test|2> generating rule 12 FLAG
Jan 28 12:16:04 13[ENC] <test|2> generating rule 13 FLAG
Jan 28 12:16:04 13[ENC] <test|2> generating rule 14 U_INT_32
Jan 28 12:16:04 13[ENC] <test|2> generating rule 15 HEADER_LENGTH
Jan 28 12:16:04 13[ENC] <test|2> generating HEADER payload finished
Jan 28 12:16:04 13[ENC] <test|2> generating payload of type DELETE
Jan 28 12:16:04 13[ENC] <test|2> generating rule 0 U_INT_8
Jan 28 12:16:04 13[ENC] <test|2> generating rule 1 FLAG
Jan 28 12:16:04 13[ENC] <test|2> generating rule 2 RESERVED_BIT
Jan 28 12:16:04 13[ENC] <test|2> generating rule 3 RESERVED_BIT
Jan 28 12:16:04 13[ENC] <test|2> generating rule 4 RESERVED_BIT
Jan 28 12:16:04 13[ENC] <test|2> generating rule 5 RESERVED_BIT
Jan 28 12:16:04 13[ENC] <test|2> generating rule 6 RESERVED_BIT
Jan 28 12:16:04 13[ENC] <test|2> generating rule 7 RESERVED_BIT
Jan 28 12:16:04 13[ENC] <test|2> generating rule 8 RESERVED_BIT
Jan 28 12:16:04 13[ENC] <test|2> generating rule 9 PAYLOAD_LENGTH
Jan 28 12:16:04 13[ENC] <test|2> generating rule 10 U_INT_8
Jan 28 12:16:04 13[ENC] <test|2> generating rule 11 U_INT_8
Jan 28 12:16:04 13[ENC] <test|2> generating rule 12 U_INT_16
Jan 28 12:16:04 13[ENC] <test|2> generating rule 13 CHUNK_DATA
Jan 28 12:16:04 13[ENC] <test|2> generating DELETE payload finished
Jan 28 12:16:04 13[ENC] <test|2> generated content in encrypted payload
Jan 28 12:16:04 13[ENC] <test|2> generating payload of type ENCRYPTED
Jan 28 12:16:04 13[ENC] <test|2> generating rule 0 U_INT_8
Jan 28 12:16:04 13[ENC] <test|2> generating rule 1 U_INT_8
Jan 28 12:16:04 13[ENC] <test|2> generating rule 2 PAYLOAD_LENGTH
Jan 28 12:16:04 13[ENC] <test|2> generating rule 3 CHUNK_DATA
Jan 28 12:16:04 13[ENC] <test|2> generating ENCRYPTED payload finished
Jan 28 12:16:04 13[NET] <test|2> sending packet: from 10.10.10.10[4500] to 10.10.10.11[4500] (72 bytes)
Jan 28 12:16:04 13[MGR] <test|2> checkin IKE_SA test[2]
Jan 28 12:16:04 13[MGR] <test|2> checkin of IKE_SA successful
Jan 28 12:16:04 10[NET] sending packet: from 10.10.10.10[4500] to 10.10.10.11[4500]
Jan 28 12:16:04 01[JOB] next event in 3s 999ms, waiting
Jan 28 12:16:04 12[MGR] IKE_SA test[2] successfully checked out
Jan 28 12:16:04 12[IKE] <test|2> unable to reauthenticate in DELETING state, delaying for 13s
Jan 28 12:16:04 12[MGR] <test|2> checkin IKE_SA test[2]
Jan 28 12:16:04 12[MGR] <test|2> checkin of IKE_SA successful
Jan 28 12:16:04 01[JOB] next event in 3s 999ms, waiting
Jan 28 12:16:04 03[NET] received packet: from 10.10.10.11[4500] to 10.10.10.10[4500]
Jan 28 12:16:04 03[ENC] parsing header of message
Jan 28 12:16:04 03[ENC] parsing HEADER payload, 64 bytes left
Jan 28 12:16:04 03[ENC] parsing rule 0 IKE_SPI
Jan 28 12:16:04 03[ENC] parsing rule 1 IKE_SPI
Jan 28 12:16:04 03[ENC] parsing rule 2 U_INT_8
Jan 28 12:16:04 03[ENC] parsing rule 3 U_INT_4
Jan 28 12:16:04 03[ENC] parsing rule 4 U_INT_4
Jan 28 12:16:04 03[ENC] parsing rule 5 U_INT_8
Jan 28 12:16:04 03[ENC] parsing rule 6 RESERVED_BIT
Jan 28 12:16:04 03[ENC] parsing rule 7 RESERVED_BIT
Jan 28 12:16:04 03[ENC] parsing rule 8 FLAG
Jan 28 12:16:04 03[ENC] parsing rule 9 FLAG
Jan 28 12:16:04 03[ENC] parsing rule 10 FLAG
Jan 28 12:16:04 03[ENC] parsing rule 11 FLAG
Jan 28 12:16:04 03[ENC] parsing rule 12 FLAG
Jan 28 12:16:04 03[ENC] parsing rule 13 FLAG
Jan 28 12:16:04 03[ENC] parsing rule 14 U_INT_32
Jan 28 12:16:04 03[ENC] parsing rule 15 HEADER_LENGTH
Jan 28 12:16:04 03[ENC] parsing HEADER payload finished
Jan 28 12:16:04 03[ENC] parsed a INFORMATIONAL response header
Jan 28 12:16:04 03[NET] waiting for data on sockets
Jan 28 12:16:04 09[MGR] checkout IKEv2 SA by message with SPIs 6818ea1f5dcee434_i b93147c42996e966_r
Jan 28 12:16:04 09[MGR] IKE_SA test[2] successfully checked out
Jan 28 12:16:04 09[NET] <test|2> received packet: from 10.10.10.11[4500] to 10.10.10.10[4500] (64 bytes)
Jan 28 12:16:04 09[ENC] <test|2> parsing body of message, first payload is ENCRYPTED
Jan 28 12:16:04 09[ENC] <test|2> starting parsing a ENCRYPTED payload
Jan 28 12:16:04 09[ENC] <test|2> parsing ENCRYPTED payload, 36 bytes left
Jan 28 12:16:04 09[ENC] <test|2> parsing rule 0 U_INT_8
Jan 28 12:16:04 09[ENC] <test|2> parsing rule 1 U_INT_8
Jan 28 12:16:04 09[ENC] <test|2> parsing rule 2 PAYLOAD_LENGTH
Jan 28 12:16:04 09[ENC] <test|2> parsing rule 3 CHUNK_DATA
Jan 28 12:16:04 09[ENC] <test|2> parsing ENCRYPTED payload finished
Jan 28 12:16:04 09[ENC] <test|2> verifying payload of type ENCRYPTED
Jan 28 12:16:04 09[ENC] <test|2> ENCRYPTED payload verified, adding to payload list
Jan 28 12:16:04 09[ENC] <test|2> ENCRYPTED payload found, stop parsing
Jan 28 12:16:04 09[ENC] <test|2> process payload of type ENCRYPTED
Jan 28 12:16:04 09[ENC] <test|2> found an encrypted payload
Jan 28 12:16:04 09[ENC] <test|2> parsed content of encrypted payload
Jan 28 12:16:04 09[ENC] <test|2> verifying message structure
Jan 28 12:16:04 09[ENC] <test|2> parsed INFORMATIONAL response 0 [ ]
Jan 28 12:16:04 09[IKE] <test|2> IKE_SA deleted
Jan 28 12:16:04 09[MGR] <test|2> checkin and destroy IKE_SA test[2]
Jan 28 12:16:04 09[IKE] <test|2> IKE_SA test[2] state change: DELETING => DESTROYING
Jan 28 12:16:04 09[CHD] <test|2> CHILD_SA test{2} state change: INSTALLED => DESTROYING
Jan 28 12:16:04 09[KNL] <test|2> deleting policy 192.168.127.0/24 === 192.168.128.0/24 out
Jan 28 12:16:04 09[KNL] <test|2> getting iface index for WAN
Jan 28 12:16:04 02[JOB] watched FD 13 ready to read
Jan 28 12:16:04 02[JOB] watcher going to poll() 4 fds
Jan 28 12:16:04 09[KNL] <test|2> deleting policy 192.168.128.0/24 === 192.168.127.0/24 in
Jan 28 12:16:04 02[JOB] watcher got notification, rebuilding
Jan 28 12:16:04 02[JOB] watcher going to poll() 5 fds
Jan 28 12:16:04 09[KNL] <test|2> deleting policy 192.168.128.0/24 === 192.168.127.0/24 fwd
Jan 28 12:16:04 09[KNL] <test|2> deleting SAD entry with SPI ca5207e9
Jan 28 12:16:04 09[KNL] <test|2> deleted SAD entry with SPI ca5207e9
Jan 28 12:16:04 09[KNL] <test|2> deleting SAD entry with SPI c87462d5
Jan 28 12:16:04 09[KNL] <test|2> deleted SAD entry with SPI c87462d5
Jan 28 12:16:04 09[MGR] checkin and destroy of IKE_SA successful
Jan 28 12:16:08 01[JOB] got event, queuing job for execution
Jan 28 12:16:08 01[JOB] next event in 9s 0ms, waiting
Jan 28 12:16:08 06[MGR] checkout IKEv2 SA with SPIs 6818ea1f5dcee434_i b93147c42996e966_r
Jan 28 12:16:08 06[MGR] IKE_SA checkout not successful
History
#1 Updated by ray chao 2 months ago
- File charon.log added
- File charon.log added
Add strongswan log file.
#2 Updated by Tobias Brunner 2 months ago
- Category set to configuration
- Status changed from New to Feedback
- Affected version changed from 5.9.1 to 5.8.1
> I got this result on both peers:
> There are some messages "IKE_SA to rekey not found" and "IKE_SA checkout not successful".
> Is there a wrong setting in the rekey options?
Yes, your config does not provide any time to rekey the SA. It will be terminated after 30m when the rekeying will also be scheduled because there is no margin. To have a rekeying after 30m set e.g. ikelifetime=35m and margintime=5m, see ExpiryRekey for details.
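A small added model of the schedule described in #2 (it is not strongSwan's code and not from this thread): it reads the lifetime settings of a conn block and reports whether a rekey can still happen before the hard expiry. The rekey formula is assumed here from the strongSwan ExpiryRekey documentation, and parse_conn, rekey_window and has_rekey_window are helper names chosen for this example.

```python
"""Added example (not strongSwan's own code): model how charon schedules the
IKE_SA rekey job against the hard expiry from ipsec.conf lifetime settings.
Assumed formula, following the strongSwan ExpiryRekey documentation:
    hard expiry = ikelifetime
    rekey time  = ikelifetime - margintime * (1 + r),  r in [0, rekeyfuzz]
With margintime=0 both jobs fire at the same moment, which is what the
"IKE_SA to rekey not found" lines in the issue show."""
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_time(value):
    """Parse an ipsec.conf duration such as '30m', '5m' or '1h' into seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad duration: %r" % value)
    return int(m.group(1)) * UNITS[m.group(2) or "s"]


def parse_conn(text):
    """Collect the key=value settings of one ipsec.conf 'conn' block."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, _, val = line.partition("=")
            settings[key.strip()] = val.strip()
    return settings


def rekey_window(settings):
    """Return (earliest_rekey, latest_rekey, hard_expiry), all in seconds."""
    lifetime = parse_time(settings.get("ikelifetime", "3h"))
    # rekeymargin is the legacy alias of margintime; defaults follow ipsec.conf(5)
    margin = parse_time(settings.get("margintime", settings.get("rekeymargin", "9m")))
    fuzz = int(settings.get("rekeyfuzz", "100%").rstrip("%")) / 100
    latest = lifetime - margin
    earliest = lifetime - int(margin * (1 + fuzz))
    return earliest, latest, lifetime


def has_rekey_window(settings):
    """True only if the rekey job is scheduled strictly before the hard expiry."""
    earliest, latest, expiry = rekey_window(settings)
    return earliest > 0 and latest < expiry


# Constructed inputs: the lifetime settings from the issue and the fix from #2.
BROKEN = parse_conn("conn test\n ikelifetime=30m\n rekeymargin=0m\n rekeyfuzz=0%\n")
FIXED = parse_conn("conn test\n ikelifetime=35m\n margintime=5m\n rekeyfuzz=0%\n")

if __name__ == "__main__":
    for name, cfg in (("issue config", BROKEN), ("suggested fix", FIXED)):
        status = "ok" if has_rekey_window(cfg) else "NO REKEY WINDOW"
        print("%-14s rekey in [%d, %d]s, expiry at %ds: %s"
              % ((name,) + rekey_window(cfg) + (status,)))
```

With the default rekeyfuzz=100% the same fix gives a randomized rekey anywhere between 25 and 30 minutes, which is what spreads rekeying across many SAs.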
#3 Updated by ray chao 2 months ago
> margintime: Time before SA expiry the rekeying should start.
Thanks, I realize that when margintime is not set the rekey action will not be executed,
but I tried to use IKEv1 and set margintime=0,
and whether it is main mode or aggressive mode, it rekeys and reconnects successfully. Why?
Does IKEv1 have any detection mechanism?
#4 Updated by Tobias Brunner 2 months ago
> Whether it is main mode or aggressive mode, it rekeys and reconnects successfully. Why?
> Does IKEv1 have any detection mechanism?
IKEv1 does not have IKE rekeying, it always does a reauthentication (see the link I posted before). It's possible it schedules the jobs differently (so that e.g. the reauth job runs slightly before the delete job). No idea, also doesn't matter because IKEv1 is deprecated and your config is invalid either way.