
Issue #3683

IKEv2 connection fails in rekey process

Added by ray chao 8 months ago. Updated 8 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
configuration
Affected version:
5.8.1
Resolution:

Description

I make a connection between two hosts with strongSwan 5.8.1 on both sides. I use IKEv2. To increase rekey events,
I want to rekey exactly after 30 minutes, so I use the lifetime params:

 rekeymargin=0m
 rekeyfuzz=0%
 ikelifetime=30m
 keylife=480m

After the connection is successfully established, and after 30 minutes, it did start the rekey action, but it can't establish successfully.

My configuration is ipsec.conf:

config setup
conn test
 aggressive=no
 authby=secret
 left=10.10.10.10
 right=10.10.10.11
 leftsubnet=192.168.127.0/24
 rightsubnet=192.168.128.0/24
 type=tunnel
 esp=3des-sha2_256
 rekeymargin=0m
 rekeyfuzz=0%
 keyingtries=%forever
 keyexchange=ikev2
 ikelifetime=30m
 keylife=480m
 ike=3des-sha2_256-modp1024
 auto=start
conn any_wan0
 left=10.10.10.10
 leftsourceip=10.10.10.10
 right=%any

config setup
conn test
 aggressive=no
 authby=secret
 left=10.10.10.11
 right=10.10.10.10
 leftsubnet=192.168.128.0/24
 rightsubnet=192.168.127.0/24
 type=tunnel
 esp=3des-sha2_256
 rekeymargin=0m
 rekeyfuzz=0%
 keyingtries=%forever
 keyexchange=ikev2
 ikelifetime=30m
 keylife=480m
 ike=3des-sha2_256-modp1024
 auto=start
 dpddelay=0
 dpdtimeout=0
 dpdaction=hold
conn any_wan0
 left=10.10.10.11
 leftsourceip=10.10.10.11
 right=%any

I got this result on both peers:
There are some messages "IKE_SA to rekey not found", "IKE_SA checkout not successful".
Is there an error in the rekey option settings?

Jan 28 12:17:16 01[JOB] got event, queuing job for execution
Jan 28 12:17:16 01[JOB] got event, queuing job for execution
Jan 28 12:17:16 01[JOB] next event in 3s 408ms, waiting
Jan 28 12:17:16 11[MGR] checkout IKEv2 SA with SPIs cb4d158af8f03731_i c85e2ec1cd1ee1d8_r
Jan 28 12:17:16 11[MGR] IKE_SA checkout not successful
Jan 28 12:17:16 04[MGR] checkout IKEv2 SA with SPIs cb4d158af8f03731_i c85e2ec1cd1ee1d8_r
Jan 28 12:17:16 04[MGR] IKE_SA checkout not successful
Jan 28 12:17:16 11[JOB] IKE_SA to rekey not found
Jan 28 12:17:19 02[NET] received packet: from 10.10.10.10[4500] to 10.10.10.11[4500]
Jan 28 12:17:19 02[ENC] parsing header of message
Jan 28 12:17:19 02[ENC] parsing HEADER payload, 72 bytes left
Jan 28 12:17:19 02[ENC]   parsing rule 0 IKE_SPI
Jan 28 12:17:19 02[ENC]   parsing rule 1 IKE_SPI
Jan 28 12:17:19 02[ENC]   parsing rule 2 U_INT_8
Jan 28 12:17:19 02[ENC]   parsing rule 3 U_INT_4
Jan 28 12:17:19 02[ENC]   parsing rule 4 U_INT_4
Jan 28 12:17:19 02[ENC]   parsing rule 5 U_INT_8
Jan 28 12:17:19 02[ENC]   parsing rule 6 RESERVED_BIT
Jan 28 12:17:19 02[ENC]   parsing rule 7 RESERVED_BIT
Jan 28 12:17:19 02[ENC]   parsing rule 8 FLAG
Jan 28 12:17:19 02[ENC]   parsing rule 9 FLAG
Jan 28 12:17:19 02[ENC]   parsing rule 10 FLAG
Jan 28 12:17:19 02[ENC]   parsing rule 11 FLAG
Jan 28 12:17:19 02[ENC]   parsing rule 12 FLAG
Jan 28 12:17:19 02[ENC]   parsing rule 13 FLAG
Jan 28 12:17:19 02[ENC]   parsing rule 14 U_INT_32
Jan 28 12:17:19 02[ENC]   parsing rule 15 HEADER_LENGTH
Jan 28 12:17:19 02[ENC] parsing HEADER payload finished
Jan 28 12:17:19 02[ENC] parsed a INFORMATIONAL request header
Jan 28 12:17:19 02[NET] waiting for data on sockets
Jan 28 12:17:19 09[MGR] checkout IKEv2 SA by message with SPIs 6818ea1f5dcee434_i b93147c42996e966_r
Jan 28 12:17:19 09[MGR] IKE_SA test[1] successfully checked out
Jan 28 12:17:19 09[NET] <test|1> received packet: from 10.10.10.10[4500] to 10.10.10.11[4500] (72 bytes)
Jan 28 12:17:19 09[ENC] <test|1> parsing body of message, first payload is ENCRYPTED
Jan 28 12:17:19 09[ENC] <test|1> starting parsing a ENCRYPTED payload
Jan 28 12:17:19 09[ENC] <test|1> parsing ENCRYPTED payload, 44 bytes left
Jan 28 12:17:19 09[ENC] <test|1>   parsing rule 0 U_INT_8
Jan 28 12:17:19 09[ENC] <test|1>   parsing rule 1 U_INT_8
Jan 28 12:17:19 09[ENC] <test|1>   parsing rule 2 PAYLOAD_LENGTH
Jan 28 12:17:19 09[ENC] <test|1>   parsing rule 3 CHUNK_DATA
Jan 28 12:17:19 09[ENC] <test|1> parsing ENCRYPTED payload finished
Jan 28 12:17:19 09[ENC] <test|1> verifying payload of type ENCRYPTED
Jan 28 12:17:19 09[ENC] <test|1> ENCRYPTED payload verified, adding to payload list
Jan 28 12:17:19 09[ENC] <test|1> ENCRYPTED payload found, stop parsing
Jan 28 12:17:19 09[ENC] <test|1> process payload of type ENCRYPTED
Jan 28 12:17:19 09[ENC] <test|1> found an encrypted payload
Jan 28 12:17:19 09[ENC] <test|1> parsing DELETE payload, 8 bytes left
Jan 28 12:17:19 09[ENC] <test|1>   parsing rule 0 U_INT_8
Jan 28 12:17:19 09[ENC] <test|1>   parsing rule 1 FLAG
Jan 28 12:17:19 09[ENC] <test|1>   parsing rule 2 RESERVED_BIT
Jan 28 12:17:19 09[ENC] <test|1>   parsing rule 3 RESERVED_BIT
Jan 28 12:17:19 09[ENC] <test|1>   parsing rule 4 RESERVED_BIT
Jan 28 12:17:19 09[ENC] <test|1>   parsing rule 5 RESERVED_BIT
Jan 28 12:17:19 09[ENC] <test|1>   parsing rule 6 RESERVED_BIT
Jan 28 12:17:19 09[ENC] <test|1>   parsing rule 7 RESERVED_BIT
Jan 28 12:17:19 09[ENC] <test|1>   parsing rule 8 RESERVED_BIT
Jan 28 12:17:19 09[ENC] <test|1>   parsing rule 9 PAYLOAD_LENGTH
Jan 28 12:17:19 09[ENC] <test|1>   parsing rule 10 U_INT_8
Jan 28 12:17:19 09[ENC] <test|1>   parsing rule 11 U_INT_8
Jan 28 12:17:19 09[ENC] <test|1>   parsing rule 12 U_INT_16
Jan 28 12:17:19 09[ENC] <test|1>   parsing rule 13 CHUNK_DATA
Jan 28 12:17:19 09[ENC] <test|1> parsing DELETE payload finished
Jan 28 12:17:19 09[ENC] <test|1> parsed content of encrypted payload
Jan 28 12:17:19 09[ENC] <test|1> insert decrypted payload of type DELETE at end of list
Jan 28 12:17:19 09[ENC] <test|1> verifying message structure
Jan 28 12:17:19 09[ENC] <test|1> found payload of type DELETE
Jan 28 12:17:19 09[ENC] <test|1> parsed INFORMATIONAL request 0 [ D ]
Jan 28 12:17:19 09[IKE] <test|1> received DELETE for IKE_SA test[1]
Jan 28 12:17:19 09[IKE] <test|1> deleting IKE_SA test[1] between 10.10.10.11[10.10.10.11]...10.10.10.10[10.10.10.10]
Jan 28 12:17:19 09[IKE] <test|1> IKE_SA test[1] state change: ESTABLISHED => DELETING
Jan 28 12:17:19 09[IKE] <test|1> IKE_SA deleted
Jan 28 12:17:19 09[ENC] <test|1> order payloads in message
Jan 28 12:17:19 09[ENC] <test|1> generating INFORMATIONAL response 0 [ ]
Jan 28 12:17:19 09[ENC] <test|1> generating payload of type HEADER
Jan 28 12:17:19 09[ENC] <test|1>   generating rule 0 IKE_SPI
Jan 28 12:17:19 09[ENC] <test|1>   generating rule 1 IKE_SPI
Jan 28 12:17:19 09[ENC] <test|1>   generating rule 2 U_INT_8
Jan 28 12:17:19 09[ENC] <test|1>   generating rule 3 U_INT_4
Jan 28 12:17:19 09[ENC] <test|1>   generating rule 4 U_INT_4
Jan 28 12:17:19 09[ENC] <test|1>   generating rule 5 U_INT_8
Jan 28 12:17:19 09[ENC] <test|1>   generating rule 6 RESERVED_BIT
Jan 28 12:17:19 09[ENC] <test|1>   generating rule 7 RESERVED_BIT
Jan 28 12:17:19 09[ENC] <test|1>   generating rule 8 FLAG
Jan 28 12:17:19 09[ENC] <test|1>   generating rule 9 FLAG
Jan 28 12:17:19 09[ENC] <test|1>   generating rule 10 FLAG
Jan 28 12:17:19 09[ENC] <test|1>   generating rule 11 FLAG
Jan 28 12:17:19 09[ENC] <test|1>   generating rule 12 FLAG
Jan 28 12:17:19 09[ENC] <test|1>   generating rule 13 FLAG
Jan 28 12:17:19 09[ENC] <test|1>   generating rule 14 U_INT_32
Jan 28 12:17:19 09[ENC] <test|1>   generating rule 15 HEADER_LENGTH
Jan 28 12:17:19 09[ENC] <test|1> generating HEADER payload finished
Jan 28 12:17:19 09[ENC] <test|1> generating payload of type ENCRYPTED
Jan 28 12:17:19 09[ENC] <test|1>   generating rule 0 U_INT_8
Jan 28 12:17:19 09[ENC] <test|1>   generating rule 1 U_INT_8
Jan 28 12:17:19 09[ENC] <test|1>   generating rule 2 PAYLOAD_LENGTH
Jan 28 12:17:19 09[ENC] <test|1>   generating rule 3 CHUNK_DATA
Jan 28 12:17:19 09[ENC] <test|1> generating ENCRYPTED payload finished
Jan 28 12:17:19 09[NET] <test|1> sending packet: from 10.10.10.11[4500] to 10.10.10.10[4500] (64 bytes)
Jan 28 12:17:19 09[MGR] <test|1> checkin and destroy IKE_SA test[1]
Jan 28 12:17:19 03[NET] sending packet: from 10.10.10.11[4500] to 10.10.10.10[4500]
Jan 28 12:17:19 09[IKE] <test|1> IKE_SA test[1] state change: DELETING => DESTROYING
Jan 28 12:17:19 09[CHD] <test|1> CHILD_SA test{2} state change: INSTALLED => DESTROYING
Jan 28 12:17:19 09[KNL] <test|1> deleting policy 192.168.128.0/24 === 192.168.127.0/24 out
Jan 28 12:17:19 09[KNL] <test|1> getting iface index for WAN
Jan 28 12:17:19 13[JOB] watched FD 13 ready to read
Jan 28 12:17:19 13[JOB] watcher going to poll() 4 fds
Jan 28 12:17:19 09[KNL] <test|1> deleting policy 192.168.127.0/24 === 192.168.128.0/24 in
Jan 28 12:17:19 13[JOB] watcher got notification, rebuilding
Jan 28 12:17:19 13[JOB] watcher going to poll() 5 fds
Jan 28 12:17:19 09[KNL] <test|1> deleting policy 192.168.127.0/24 === 192.168.128.0/24 fwd
Jan 28 12:17:19 09[KNL] <test|1> deleting SAD entry with SPI c87462d5
Jan 28 12:17:19 09[KNL] <test|1> deleted SAD entry with SPI c87462d5
Jan 28 12:17:19 09[KNL] <test|1> deleting SAD entry with SPI ca5207e9
Jan 28 12:17:19 09[KNL] <test|1> deleted SAD entry with SPI ca5207e9
Jan 28 12:17:19 09[MGR] checkin and destroy of IKE_SA successful
Jan 28 12:17:19 01[JOB] got event, queuing job for execution
Jan 28 12:17:19 01[JOB] got event, queuing job for execution
Jan 28 12:17:19 01[JOB] no events, waiting
Jan 28 12:17:19 12[MGR] checkout IKEv2 SA with SPIs 6818ea1f5dcee434_i b93147c42996e966_r
Jan 28 12:17:19 12[MGR] IKE_SA checkout not successful
Jan 28 12:17:19 12[JOB] *IKE_SA to rekey not found*
Jan 28 12:17:19 14[MGR] checkout IKEv2 SA with SPIs 6818ea1f5dcee434_i b93147c42996e966_r
Jan 28 12:17:19 14[MGR] IKE_SA checkout not successful
Jan 28 12:17:23 13[JOB] watched FD 14 ready to read
Jan 28 12:17:23 13[JOB] watcher going to poll() 4 fds
Jan 28 12:17:23 13[JOB] watcher got notification, rebuilding
Jan 28 12:17:23 13[JOB] watcher going to poll() 5 fds

Jan 28 12:16:00 01[JOB] got event, queuing job for execution
Jan 28 12:16:00 01[JOB] got event, queuing job for execution
Jan 28 12:16:00 07[MGR] checkout IKEv2 SA with SPIs cb4d158af8f03731_i c85e2ec1cd1ee1d8_r
Jan 28 12:16:00 01[JOB] next event in 3s 388ms, waiting
Jan 28 12:16:00 07[MGR] IKE_SA checkout not successful
Jan 28 12:16:00 04[MGR] checkout IKEv2 SA with SPIs cb4d158af8f03731_i c85e2ec1cd1ee1d8_r
Jan 28 12:16:00 07[JOB] IKE_SA to rekey not found
Jan 28 12:16:00 04[MGR] IKE_SA checkout not successful
Jan 28 12:16:04 01[JOB] got event, queuing job for execution
Jan 28 12:16:04 01[JOB] got event, queuing job for execution
Jan 28 12:16:04 01[JOB] no events, waiting
Jan 28 12:16:04 13[MGR] checkout IKEv2 SA with SPIs 6818ea1f5dcee434_i b93147c42996e966_r
Jan 28 12:16:04 13[MGR] IKE_SA test[2] successfully checked out
Jan 28 12:16:04 13[IKE] <test|2> queueing IKE_DELETE task
Jan 28 12:16:04 13[IKE] <test|2> activating new tasks
Jan 28 12:16:04 13[IKE] <test|2>   activating IKE_DELETE task
Jan 28 12:16:04 13[IKE] <test|2> deleting IKE_SA test[2] between 10.10.10.10[10.10.10.10]...10.10.10.11[10.10.10.11]
Jan 28 12:16:04 13[ENC] <test|2> added payload of type DELETE to message
Jan 28 12:16:04 13[IKE] <test|2> IKE_SA test[2] state change: ESTABLISHED => DELETING
Jan 28 12:16:04 12[MGR] checkout IKEv2 SA with SPIs 6818ea1f5dcee434_i b93147c42996e966_r
Jan 28 12:16:04 13[IKE] <test|2> sending DELETE for IKE_SA test[2]
Jan 28 12:16:04 13[ENC] <test|2> order payloads in message
Jan 28 12:16:04 13[ENC] <test|2> added payload of type DELETE to message
Jan 28 12:16:04 13[ENC] <test|2> generating INFORMATIONAL request 0 [ D ]
Jan 28 12:16:04 13[ENC] <test|2> insert payload DELETE into encrypted payload
Jan 28 12:16:04 13[ENC] <test|2> generating payload of type HEADER
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 0 IKE_SPI
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 1 IKE_SPI
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 2 U_INT_8
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 3 U_INT_4
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 4 U_INT_4
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 5 U_INT_8
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 6 RESERVED_BIT
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 7 RESERVED_BIT
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 8 FLAG
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 9 FLAG
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 10 FLAG
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 11 FLAG
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 12 FLAG
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 13 FLAG
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 14 U_INT_32
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 15 HEADER_LENGTH
Jan 28 12:16:04 13[ENC] <test|2> generating HEADER payload finished
Jan 28 12:16:04 13[ENC] <test|2> generating payload of type DELETE
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 0 U_INT_8
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 1 FLAG
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 2 RESERVED_BIT
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 3 RESERVED_BIT
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 4 RESERVED_BIT
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 5 RESERVED_BIT
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 6 RESERVED_BIT
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 7 RESERVED_BIT
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 8 RESERVED_BIT
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 9 PAYLOAD_LENGTH
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 10 U_INT_8
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 11 U_INT_8
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 12 U_INT_16
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 13 CHUNK_DATA
Jan 28 12:16:04 13[ENC] <test|2> generating DELETE payload finished
Jan 28 12:16:04 13[ENC] <test|2> generated content in encrypted payload
Jan 28 12:16:04 13[ENC] <test|2> generating payload of type ENCRYPTED
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 0 U_INT_8
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 1 U_INT_8
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 2 PAYLOAD_LENGTH
Jan 28 12:16:04 13[ENC] <test|2>   generating rule 3 CHUNK_DATA
Jan 28 12:16:04 13[ENC] <test|2> generating ENCRYPTED payload finished
Jan 28 12:16:04 13[NET] <test|2> sending packet: from 10.10.10.10[4500] to 10.10.10.11[4500] (72 bytes)
Jan 28 12:16:04 13[MGR] <test|2> checkin IKE_SA test[2]
Jan 28 12:16:04 13[MGR] <test|2> checkin of IKE_SA successful
Jan 28 12:16:04 10[NET] sending packet: from 10.10.10.10[4500] to 10.10.10.11[4500]
Jan 28 12:16:04 01[JOB] next event in 3s 999ms, waiting
Jan 28 12:16:04 12[MGR] IKE_SA test[2] successfully checked out
Jan 28 12:16:04 12[IKE] <test|2> unable to reauthenticate in DELETING state, delaying for 13s
Jan 28 12:16:04 12[MGR] <test|2> checkin IKE_SA test[2]
Jan 28 12:16:04 12[MGR] <test|2> checkin of IKE_SA successful
Jan 28 12:16:04 01[JOB] next event in 3s 999ms, waiting
Jan 28 12:16:04 03[NET] received packet: from 10.10.10.11[4500] to 10.10.10.10[4500]
Jan 28 12:16:04 03[ENC] parsing header of message
Jan 28 12:16:04 03[ENC] parsing HEADER payload, 64 bytes left
Jan 28 12:16:04 03[ENC]   parsing rule 0 IKE_SPI
Jan 28 12:16:04 03[ENC]   parsing rule 1 IKE_SPI
Jan 28 12:16:04 03[ENC]   parsing rule 2 U_INT_8
Jan 28 12:16:04 03[ENC]   parsing rule 3 U_INT_4
Jan 28 12:16:04 03[ENC]   parsing rule 4 U_INT_4
Jan 28 12:16:04 03[ENC]   parsing rule 5 U_INT_8
Jan 28 12:16:04 03[ENC]   parsing rule 6 RESERVED_BIT
Jan 28 12:16:04 03[ENC]   parsing rule 7 RESERVED_BIT
Jan 28 12:16:04 03[ENC]   parsing rule 8 FLAG
Jan 28 12:16:04 03[ENC]   parsing rule 9 FLAG
Jan 28 12:16:04 03[ENC]   parsing rule 10 FLAG
Jan 28 12:16:04 03[ENC]   parsing rule 11 FLAG
Jan 28 12:16:04 03[ENC]   parsing rule 12 FLAG
Jan 28 12:16:04 03[ENC]   parsing rule 13 FLAG
Jan 28 12:16:04 03[ENC]   parsing rule 14 U_INT_32
Jan 28 12:16:04 03[ENC]   parsing rule 15 HEADER_LENGTH
Jan 28 12:16:04 03[ENC] parsing HEADER payload finished
Jan 28 12:16:04 03[ENC] parsed a INFORMATIONAL response header
Jan 28 12:16:04 03[NET] waiting for data on sockets
Jan 28 12:16:04 09[MGR] checkout IKEv2 SA by message with SPIs 6818ea1f5dcee434_i b93147c42996e966_r
Jan 28 12:16:04 09[MGR] IKE_SA test[2] successfully checked out
Jan 28 12:16:04 09[NET] <test|2> received packet: from 10.10.10.11[4500] to 10.10.10.10[4500] (64 bytes)
Jan 28 12:16:04 09[ENC] <test|2> parsing body of message, first payload is ENCRYPTED
Jan 28 12:16:04 09[ENC] <test|2> starting parsing a ENCRYPTED payload
Jan 28 12:16:04 09[ENC] <test|2> parsing ENCRYPTED payload, 36 bytes left
Jan 28 12:16:04 09[ENC] <test|2>   parsing rule 0 U_INT_8
Jan 28 12:16:04 09[ENC] <test|2>   parsing rule 1 U_INT_8
Jan 28 12:16:04 09[ENC] <test|2>   parsing rule 2 PAYLOAD_LENGTH
Jan 28 12:16:04 09[ENC] <test|2>   parsing rule 3 CHUNK_DATA
Jan 28 12:16:04 09[ENC] <test|2> parsing ENCRYPTED payload finished
Jan 28 12:16:04 09[ENC] <test|2> verifying payload of type ENCRYPTED
Jan 28 12:16:04 09[ENC] <test|2> ENCRYPTED payload verified, adding to payload list
Jan 28 12:16:04 09[ENC] <test|2> ENCRYPTED payload found, stop parsing
Jan 28 12:16:04 09[ENC] <test|2> process payload of type ENCRYPTED
Jan 28 12:16:04 09[ENC] <test|2> found an encrypted payload
Jan 28 12:16:04 09[ENC] <test|2> parsed content of encrypted payload
Jan 28 12:16:04 09[ENC] <test|2> verifying message structure
Jan 28 12:16:04 09[ENC] <test|2> parsed INFORMATIONAL response 0 [ ]
Jan 28 12:16:04 09[IKE] <test|2> IKE_SA deleted
Jan 28 12:16:04 09[MGR] <test|2> checkin and destroy IKE_SA test[2]
Jan 28 12:16:04 09[IKE] <test|2> IKE_SA test[2] state change: DELETING => DESTROYING
Jan 28 12:16:04 09[CHD] <test|2> CHILD_SA test{2} state change: INSTALLED => DESTROYING
Jan 28 12:16:04 09[KNL] <test|2> deleting policy 192.168.127.0/24 === 192.168.128.0/24 out
Jan 28 12:16:04 09[KNL] <test|2> getting iface index for WAN
Jan 28 12:16:04 02[JOB] watched FD 13 ready to read
Jan 28 12:16:04 02[JOB] watcher going to poll() 4 fds
Jan 28 12:16:04 09[KNL] <test|2> deleting policy 192.168.128.0/24 === 192.168.127.0/24 in
Jan 28 12:16:04 02[JOB] watcher got notification, rebuilding
Jan 28 12:16:04 02[JOB] watcher going to poll() 5 fds
Jan 28 12:16:04 09[KNL] <test|2> deleting policy 192.168.128.0/24 === 192.168.127.0/24 fwd
Jan 28 12:16:04 09[KNL] <test|2> deleting SAD entry with SPI ca5207e9
Jan 28 12:16:04 09[KNL] <test|2> deleted SAD entry with SPI ca5207e9
Jan 28 12:16:04 09[KNL] <test|2> deleting SAD entry with SPI c87462d5
Jan 28 12:16:04 09[KNL] <test|2> deleted SAD entry with SPI c87462d5
Jan 28 12:16:04 09[MGR] checkin and destroy of IKE_SA successful
Jan 28 12:16:08 01[JOB] got event, queuing job for execution
Jan 28 12:16:08 01[JOB] next event in 9s 0ms, waiting
Jan 28 12:16:08 06[MGR] checkout IKEv2 SA with SPIs 6818ea1f5dcee434_i b93147c42996e966_r
Jan 28 12:16:08 06[MGR] IKE_SA checkout not successful

charon.log (302 KB) charon.log ray chao, 28.01.2021 09:31
charon.log (296 KB) charon.log ray chao, 28.01.2021 09:31

History

#1 Updated by ray chao 8 months ago

Add strongswan log file.

#2 Updated by Tobias Brunner 8 months ago

  • Category set to configuration
  • Status changed from New to Feedback
  • Affected version changed from 5.9.1 to 5.8.1

I got this result on both peers:
There are some messages "IKE_SA to rekey not found", "IKE_SA checkout not successful".
Is there an error in the rekey option settings?

Yes, your config does not provide any time to rekey the SA. It will be terminated after 30m when the rekeying will also be scheduled because there is no margin. To have a rekeying after 30m set e.g. ikelifetime=35m and margintime=5m, see ExpiryRekey for details.
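
To make the reply concrete, here is an added example (not code from this issue or from strongSwan) that models the rekey and delete scheduling strongSwan derives from the ipsec.conf lifetime settings and checks a conn block for the problem above. It assumes the simplified semantics from the ExpiryRekey page: the IKE_SA is deleted at ikelifetime, and the rekey job is scheduled margintime (randomly increased by up to margintime*rekeyfuzz) before that. The sample ipsec.conf text is constructed from the reporter's conn, reduced to its lifetime settings; the function and class names are the example's own.

```python
"""Added example: model strongSwan's IKE_SA rekey/expiry scheduling from the
ipsec.conf lifetime settings (ikelifetime, margintime/rekeymargin, rekeyfuzz).

Assumed, simplified semantics (per the ExpiryRekey documentation):
  delete job   at  ikelifetime
  rekey job    at  ikelifetime - margintime - random(0, margintime * rekeyfuzz)
so the rekey fires somewhere in [rekey_earliest, rekey_latest] and the delete
fires at lifetime. With margintime=0 both fire at the same moment, which is
when "IKE_SA to rekey not found" appears in the log.
"""
import re
from dataclasses import dataclass

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_time(value: str) -> int:
    """Parse an ipsec.conf duration ('30m', '5m', '1h', '90' = seconds) to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_percent(value: str) -> float:
    """Parse an ipsec.conf percentage ('100%', '0%') into a fraction."""
    m = re.fullmatch(r"\s*(\d+)\s*%?\s*", value)
    if not m:
        raise ValueError(f"bad percentage: {value!r}")
    return int(m.group(1)) / 100.0


@dataclass(frozen=True)
class RekeySchedule:
    lifetime: int        # seconds until the IKE_SA is deleted (ikelifetime)
    rekey_earliest: int  # earliest possible rekey start (full fuzz applied)
    rekey_latest: int    # latest possible rekey start (no fuzz)

    @property
    def rekey_window(self) -> int:
        """Minimum number of seconds the rekey has before the old IKE_SA is deleted."""
        return self.lifetime - self.rekey_latest


def schedule(ikelifetime="3h", margintime="9m", rekeyfuzz="100%") -> RekeySchedule:
    """Compute the rekey window; the defaults are the ipsec.conf defaults."""
    life = parse_time(ikelifetime)
    margin = parse_time(margintime)
    fuzz = parse_percent(rekeyfuzz)
    latest = max(life - margin, 0)
    earliest = max(life - int(margin * (1 + fuzz)), 0)
    return RekeySchedule(life, earliest, latest)


def problems(s: RekeySchedule) -> list:
    """Findings for a schedule that leaves no usable time to rekey."""
    out = []
    if s.rekey_window <= 0:
        out.append("rekey and delete jobs fire at the same time (margintime=0): "
                   "the rekey job finds no IKE_SA")
    elif s.rekey_earliest <= 0:
        out.append("margintime*(1+rekeyfuzz) reaches ikelifetime: the rekey may be "
                   "scheduled immediately after establishment")
    return out


def conn_settings(ipsec_conf: str, conn: str) -> dict:
    """Extract the key=value lines of one 'conn <name>' block from ipsec.conf text."""
    settings, inside = {}, False
    for line in ipsec_conf.splitlines():
        stripped = line.strip()
        if re.match(r"^(conn|ca|config)\s", stripped):
            inside = stripped == f"conn {conn}"
            continue
        if inside and "=" in stripped and not stripped.startswith("#"):
            key, _, val = stripped.partition("=")
            settings[key.strip()] = val.strip()
    return settings


def schedule_from_conf(ipsec_conf: str, conn: str) -> RekeySchedule:
    """Schedule for one conn; rekeymargin is the older alias of margintime."""
    s = conn_settings(ipsec_conf, conn)
    margin = s.get("margintime", s.get("rekeymargin", "9m"))
    return schedule(s.get("ikelifetime", "3h"), margin, s.get("rekeyfuzz", "100%"))


# Constructed sample: the reporter's conn reduced to its lifetime settings.
REPORTED_CONF = """\
config setup
conn test
 keyexchange=ikev2
 rekeymargin=0m
 rekeyfuzz=0%
 ikelifetime=30m
 keylife=480m
"""

# The same conn with the values suggested in the reply: rekey at 30m, delete at 35m.
FIXED_CONF = (REPORTED_CONF.replace("rekeymargin=0m", "margintime=5m")
                           .replace("ikelifetime=30m", "ikelifetime=35m"))

if __name__ == "__main__":
    for name, conf in (("reported", REPORTED_CONF), ("suggested", FIXED_CONF)):
        s = schedule_from_conf(conf, "test")
        print(f"{name}: rekey in [{s.rekey_earliest}s, {s.rekey_latest}s], "
              f"delete at {s.lifetime}s, findings: {problems(s) or 'none'}")
```

Running it prints a zero-second window with a finding for the reported conn and a 300-second window (rekey at 1800s, delete at 2100s) for the suggested values. Leaving rekeyfuzz at its 100% default with margintime=5m widens the rekey start to anywhere between 25 and 30 minutes, which is the intended behaviour: the randomisation keeps many peers from rekeying in lockstep, and the margin is what gives the new IKE_SA time to come up before the old one is deleted.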

#3 Updated by ray chao 8 months ago

margintime: Time before SA expiry the rekeying should start.

Thanks, I realize that when the margintime is not set the rekey action will not be executed,

but I tried using IKEv1 and set margintime = 0.

Whether it is main mode or aggressive mode, it rekeys and reconnects successfully. Why?

Does IKEv1 have any detection mechanism?

#4 Updated by Tobias Brunner 8 months ago

Whether it is main mode or aggressive mode, it rekeys and reconnects successfully. Why?

Does IKEv1 have any detection mechanism?

IKEv1 does not have IKE rekeying, it always does a reauthentication (see the link I posted before). It's possible it schedules the jobs differently (so that e.g. the reauth job runs slightly before the delete job). No idea, also doesn't matter because IKEv1 is deprecated and your config is invalid either way.
