Issue #3268
Updated by Tobias Brunner almost 6 years ago
<pre>
Hi!
I am setting up a policy-based VPN between strongSwan and the AWS VPN service. AWS offers two VPN terminations on its side:
<pre>
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1052-aws, x86_64):
uptime: 3 hours, since Nov 12 12:37:18 2019
malloc: sbrk 1839104, mmap 0, used 1014272, free 824832
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
172.25.134.118
Connections:
aws-31: 172.25.134.118...3.133.9.79 IKEv2
aws-31: local: [3.10.27.218] uses pre-shared key authentication
aws-31: remote: [3.133.9.79] uses pre-shared key authentication
aws-31: child: 172.25.132.0/22 === 100.64.0.0/10 TUNNEL
aws-32: 172.25.134.118...3.134.36.6 IKEv2
aws-32: local: [3.10.27.218] uses pre-shared key authentication
aws-32: remote: [3.134.36.6] uses pre-shared key authentication
aws-32: child: 172.25.132.0/22 === 100.64.0.0/10 TUNNEL
Security Associations (2 up, 0 connecting):
aws-32[8]: ESTABLISHED 35 minutes ago, 172.25.134.118[3.10.27.218]...3.134.36.6[3.134.36.6]
aws-32[8]: IKEv2 SPIs: 8aa083f807338fca_i* 2dfefa7c4aeb99c5_r, pre-shared key reauthentication in 18 minutes
aws-32[8]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
aws-32{30}: INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: cef3383c_i af48ed47_o
aws-32{30}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 7 minutes
aws-32{30}: 172.25.132.0/22 === 100.64.0.0/10
aws-31[7]: ESTABLISHED 38 minutes ago, 172.25.134.118[3.10.27.218]...3.133.9.79[3.133.9.79]
aws-31[7]: IKEv2 SPIs: 8b3dba66d96982a6_i* 45fafb373bf8c6c6_r, pre-shared key reauthentication in 16 minutes
aws-31[7]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
aws-31{29}: INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: c139e343_i 83ce5f2b_o
aws-31{29}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 42000 bytes_i (500 pkts, 1s ago), 5964 bytes_o (71 pkts, 450s ago), rekeying in 5 minutes
</pre>
I am running a ping from 100.64.1.1 to 172.25.134.118. I see the ping requests arriving on 172.25.134.118, getting decrypted, but 172.25.134.118 sends ping responses intermittently.
The traffic flows at all times over the 172.25.134.118[3.10.27.218]...3.133.9.79[3.133.9.79] tunnel.
I could track back the gaps in sending ping responses to the times when the two SAs are being rekeyed as indicated below (look for "rekeying in 0 seconds"):
<pre>
Traffic Starts
--------------
Security Associations (2 up, 0 connecting):
aws-32[14]: ESTABLISHED 28 minutes ago, 172.25.134.118[3.10.27.218]...3.134.36.6[3.134.36.6]
aws-32[14]: IKEv2 SPIs: b3e0aeb4ef497bf5_i* eb0479254b1fe3ef_r, pre-shared key reauthentication in 28 minutes
aws-32[14]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
aws-32{52}: INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: ccf4fc7b_i 3e83309e_o
aws-32{52}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 82 seconds
aws-32{52}: 172.25.132.0/22 === 100.64.0.0/10
aws-31[13]: ESTABLISHED 30 minutes ago, 172.25.134.118[3.10.27.218]...3.133.9.79[3.133.9.79]
aws-31[13]: IKEv2 SPIs: fbf416597b025dac_i* 5da9bf2a73623436_r, pre-shared key reauthentication in 25 minutes
aws-31[13]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
aws-31{51}: INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: cc84cff9_i ab156f29_o
aws-31{51}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 76692 bytes_i (913 pkts, 1s ago), 11172 bytes_o (133 pkts, 816s ago), rekeying in 0 seconds <--- traffic starts
aws-31{51}: 172.25.132.0/22 === 100.64.0.0/10
Traffic Stops
-------------
Security Associations (2 up, 0 connecting):
aws-32[14]: ESTABLISHED 29 minutes ago, 172.25.134.118[3.10.27.218]...3.134.36.6[3.134.36.6]
aws-32[14]: IKEv2 SPIs: b3e0aeb4ef497bf5_i* eb0479254b1fe3ef_r, pre-shared key reauthentication in 27 minutes
aws-32[14]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
aws-32{52}: INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: ccf4fc7b_i 3e83309e_o
aws-32{52}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o (0 pkts, 2s ago), rekeying in 0 seconds <--- traffic stops
aws-32{52}: 172.25.132.0/22 === 100.64.0.0/10
aws-31[13]: ESTABLISHED 32 minutes ago, 172.25.134.118[3.10.27.218]...3.133.9.79[3.133.9.79]
aws-31[13]: IKEv2 SPIs: fbf416597b025dac_i* 5da9bf2a73623436_r, pre-shared key reauthentication in 24 minutes
aws-31[13]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
aws-31{53}: INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: c8572b72_i 44054996_o
aws-31{53}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 6888 bytes_i (82 pkts, 0s ago), 6804 bytes_o (81 pkts, 0s ago), rekeying in 12 minutes
aws-31{53}: 172.25.132.0/22 === 100.64.0.0/10
</pre>
This seems to be confirmed in the kernel, where the IPsec policy seems to be associated with the IPsec SA that was most recently rekeyed, whereas the traffic appears to somehow always remain associated with one specific SA.
<pre>
root@ip-172-25-134-118:~# ip xfrm policy
src 172.25.132.0/22 dst 100.64.0.0/10
dir out priority 383615
tmpl src 172.25.134.118 dst 3.134.36.6 <--- policy points to the latest rekeyed SA
proto esp spi 0xfaa11f79 reqid 6 mode tunnel
src 100.64.0.0/10 dst 172.25.132.0/22
dir fwd priority 383615
tmpl src 3.134.36.6 dst 172.25.134.118
proto esp reqid 6 mode tunnel
src 100.64.0.0/10 dst 172.25.132.0/22
dir in priority 383615
tmpl src 3.134.36.6 dst 172.25.134.118
proto esp reqid 6 mode tunnel
</pre>
Rekeying happens now:
<pre>
Security Associations (2 up, 0 connecting):
aws-32[49]: ESTABLISHED 19 minutes ago, 172.25.134.118[3.10.27.218]...3.134.36.6[3.134.36.6]
aws-32[49]: IKEv2 SPIs: 110d0156b42d5d74_i* b1421b30302f9caa_r, pre-shared key reauthentication in 35 minutes
aws-32[49]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
aws-32{188}: INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: cbc9d297_i faa11f79_o
aws-32{188}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 10 minutes
aws-32{188}: 172.25.132.0/22 === 100.64.0.0/10
aws-31[48]: ESTABLISHED 31 minutes ago, 172.25.134.118[3.10.27.218]...3.133.9.79[3.133.9.79]
aws-31[48]: IKEv2 SPIs: 419a3a9bd4f3bcc2_i* ef6e8850e0573492_r, pre-shared key reauthentication in 24 minutes
aws-31[48]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
aws-31[48]: Tasks active: CHILD_REKEY
aws-31{187}: DELETING, TUNNEL, reqid 6
aws-31{187}: 172.25.132.0/22 === 100.64.0.0/10
aws-31{189}: INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: c058615a_i f1a778c9_o
aws-31{189}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 14 minutes <--- the other SA was just rekeyed
aws-31{189}: 172.25.132.0/22 === 100.64.0.0/10
root@ip-172-25-134-118:~# ip xfrm policy
src 172.25.132.0/22 dst 100.64.0.0/10
dir out priority 383615
tmpl src 172.25.134.118 dst 3.133.9.79 <--- policy is updated to latest rekeyed SA
proto esp spi 0xf1a778c9 reqid 6 mode tunnel
src 100.64.0.0/10 dst 172.25.132.0/22
dir fwd priority 383615
tmpl src 3.133.9.79 dst 172.25.134.118
proto esp reqid 6 mode tunnel
src 100.64.0.0/10 dst 172.25.132.0/22
dir in priority 383615
tmpl src 3.133.9.79 dst 172.25.134.118
proto esp reqid 6 mode tunnel
</pre>
I also noticed that both SAs use the same reqid, so I have configured the tunnels to use distinct reqids, but in that case only one tunnel is brought up:
<pre>
Connections:
aws-31: 172.25.134.118...3.133.9.79 IKEv2
aws-31: local: [3.10.27.218] uses pre-shared key authentication
aws-31: remote: [3.133.9.79] uses pre-shared key authentication
aws-31: child: 172.25.132.0/22 === 100.64.0.0/10 TUNNEL
aws-32: 172.25.134.118...3.134.36.6 IKEv2
aws-32: local: [3.10.27.218] uses pre-shared key authentication
aws-32: remote: [3.134.36.6] uses pre-shared key authentication
aws-32: child: 172.25.132.0/22 === 100.64.0.0/10 TUNNEL
Security Associations (1 up, 0 connecting):
aws-31[4]: ESTABLISHED 2 minutes ago, 172.25.134.118[3.10.27.218]...3.133.9.79[3.133.9.79]
aws-31[4]: IKEv2 SPIs: 0f83cf1763a1446d_i* 834de6a530b7cbfb_r, pre-shared key reauthentication in 52 minutes
aws-31[4]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
aws-31{10}: INSTALLED, TUNNEL, reqid 31, ESP in UDP SPIs: c06ae396_i 24de747f_o
aws-31{10}: AES_CBC_256/HMAC_SHA2_256_128, 12096 bytes_i (144 pkts, 1s ago), 12096 bytes_o (144 pkts, 1s ago), rekeying in 11 minutes
aws-31{10}: 172.25.132.0/22 === 100.64.0.0/10
</pre>
Any suggestions would be greatly appreciated.
Thanks,
John
</pre>
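A diagnostic check for the situation in the report above, added here as an example and not part of the original post or of strongSwan itself: it parses condensed `ipsec statusall` and `ip xfrm policy` output (sample text constructed from the "Rekeying happens now" listing), flags CHILD_SAs of different connections that share one reqid together with identical traffic selectors, and reports which CHILD_SA the kernel's outbound policy template is currently pinned to via its SPI. The line formats and the selector/reqid grouping are assumptions based on the output shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample, condensed from the "Rekeying happens now" output in the post.
STATUS = """\
aws-32{188}: INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: cbc9d297_i faa11f79_o
aws-32{188}: 172.25.132.0/22 === 100.64.0.0/10
aws-31{189}: INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: c058615a_i f1a778c9_o
aws-31{189}: 172.25.132.0/22 === 100.64.0.0/10
"""
XFRM = """\
src 172.25.132.0/22 dst 100.64.0.0/10
dir out priority 383615
tmpl src 172.25.134.118 dst 3.133.9.79
proto esp spi 0xf1a778c9 reqid 6 mode tunnel
src 100.64.0.0/10 dst 172.25.132.0/22
dir in priority 383615
tmpl src 3.133.9.79 dst 172.25.134.118
proto esp reqid 6 mode tunnel
"""
SA_RE = re.compile(r"^(\S+)\{(\d+)\}: INSTALLED, .*reqid (\d+), .*SPIs: ([0-9a-f]+)_i ([0-9a-f]+)_o")
TS_RE = re.compile(r"^(\S+)\{(\d+)\}: (\S+) === (\S+)$")
SPI_RE = re.compile(r"spi 0x([0-9a-f]+) reqid (\d+)")

def parse_child_sas(text):
    """Map (conn, child id) -> reqid, outbound SPI and traffic selectors."""
    sas = {}
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            sas[(m[1], int(m[2]))] = {"reqid": int(m[3]), "spi_out": m[5], "ts": None}
            continue
        m = TS_RE.match(line)
        if m and (m[1], int(m[2])) in sas:
            sas[(m[1], int(m[2]))]["ts"] = (m[3], m[4])
    return sas

def shared_reqid_conflicts(sas):
    """Connections whose CHILD_SAs share both a reqid and identical selectors:
    the kernel holds one out policy per selector pair, so only one can send."""
    groups = defaultdict(set)
    for (conn, _), sa in sas.items():
        groups[(sa["reqid"], sa["ts"])].add(conn)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def active_out_sa(sas, xfrm_text):
    """Which CHILD_SA the 'dir out' policy template currently pins to, by SPI."""
    pinned, direction = set(), None
    for line in xfrm_text.splitlines():
        if line.startswith("dir "):
            direction = line.split()[1]
        elif direction == "out":
            pinned.update((s, int(r)) for s, r in SPI_RE.findall(line))
    return [k for k, sa in sas.items() if (sa["spi_out"], sa["reqid"]) in pinned]
```

Run against live output (`ipsec statusall` and `ip xfrm policy`) the same two functions show whether two tunnels are contending for one outbound policy and which peer is currently winning it.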