Hi,

On Tue, Jun 16, 2020 at 03:25:12PM +0200, tris...@pilat.me wrote:
> Hi guys,
>
> First of all, thanks for the amazing work you've done with 6.7!
>
> That said, I've got the same issue here after I updated to 6.7. The VPN
> keeps cutting off every 10 minutes or so. Is there any way I could fix
> that?

This sounds like a different problem. The unanswered INFORMATIONAL
messages are used to check if the peer is still there. After they go
unanswered the connection is restarted. May I ask which IKE
implementation is running on the peer?

You can try https://marc.info/?l=openbsd-misc&m=159178866010830&w=2 to
see if disabling DPD would actually solve your problem.

> Here's my configuration:
>
> local_gw="203.0.113.1"
> local_network="198.51.100.0/24"
>
> remote_gw="203.0.113.2"
> remote_network="192.0.2.0/26"
> remote_network2="192.0.2.64/26"
>
> ikev2 active esp \
>     from $local_gw to $remote_gw \
>     from $local_network to $remote_network \
>     from $local_network to $remote_network2 \
>     peer $remote_gw \
>     ikesa enc aes-128 auth hmac-sha1 prf hmac-sha1 group modp1536 \
>     childsa auth hmac-sha1 enc aes-128 group modp1536 \
>     ikelifetime 86400 lifetime 43200 \
>     psk "XXXXXXXXXXXXXXXXX"
>
> That's what I can see in the logs:
>
> Jun 16 08:07:00 vpn00 iked[31977]: ikev2_init_ike_sa: initiating "policy1"
> Jun 16 08:07:00 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: send IKE_SA_INIT req 0 peer 203.0.113.2:500 local 0.0.0.0:500, 382 bytes
> Jun 16 08:07:00 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: recv IKE_SA_INIT res 0 peer 203.0.113.2:500 local 203.0.113.1:500, 352 bytes, policy 'policy1'
> Jun 16 08:07:00 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: send IKE_AUTH req 1 peer 203.0.113.2:4500 local 203.0.113.1:4500, 284 bytes, NAT-T
> Jun 16 08:07:00 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: recv IKE_AUTH res 1 peer 203.0.113.2:4500 local 203.0.113.1:4500, 252 bytes, policy 'policy1'
> Jun 16 08:07:00 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: ikev2_childsa_enable: loaded SPIs: 0xae51c8bb, 0x3ab61433
> Jun 16 08:07:00 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: ikev2_childsa_enable: loaded flows: ESP-198.51.100.0/24=192.0.2.64/26(0), ESP-198.51.100.0/24=192.0.2.0/26(0), ESP-203.0.113.1/32=203.0.113.2/32(0)
> Jun 16 08:07:00 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: established peer 203.0.113.2:4500[IPV4/203.0.113.2] local 203.0.113.1:4500[FQDN/vpn00.example.net] policy 'policy1' as initiator
> Jun 16 08:12:02 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: retransmit 1 INFORMATIONAL req 2 peer 203.0.113.2:4500 local 203.0.113.1:4500
> Jun 16 08:12:06 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: retransmit 2 INFORMATIONAL req 2 peer 203.0.113.2:4500 local 203.0.113.1:4500
> Jun 16 08:12:14 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: retransmit 3 INFORMATIONAL req 2 peer 203.0.113.2:4500 local 203.0.113.1:4500
> Jun 16 08:12:30 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: retransmit 4 INFORMATIONAL req 2 peer 203.0.113.2:4500 local 203.0.113.1:4500
> Jun 16 08:13:02 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: retransmit 5 INFORMATIONAL req 2 peer 203.0.113.2:4500 local 203.0.113.1:4500
> Jun 16 08:14:06 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: sa_free: retransmit limit reached
> Jun 16 08:15:00 vpn00 iked[31977]: ikev2_init_ike_sa: initiating "policy1"
> Jun 16 08:15:00 vpn00 iked[31977]: spi=0x3f6d5768feb36565: send IKE_SA_INIT req 0 peer 203.0.113.2:500 local 0.0.0.0:500, 382 bytes
> Jun 16 08:15:00 vpn00 iked[31977]: spi=0x3f6d5768feb36565: recv IKE_SA_INIT res 0 peer 203.0.113.2:500 local 203.0.113.1:500, 352 bytes, policy 'policy1'
> Jun 16 08:15:00 vpn00 iked[31977]: spi=0x3f6d5768feb36565: send IKE_AUTH req 1 peer 203.0.113.2:500 local 203.0.113.1:500, 284 bytes
> Jun 16 08:15:00 vpn00 iked[31977]: spi=0x3f6d5768feb36565: recv IKE_AUTH res 1 peer 203.0.113.2:500 local 203.0.113.1:500, 252 bytes, policy 'policy1'
> Jun 16 08:15:00 vpn00 iked[31977]: spi=0x3f6d5768feb36565: ikev2_childsa_enable: loaded SPIs: 0xae51c8bd, 0x7009bc39
> Jun 16 08:15:00 vpn00 iked[31977]: spi=0x3f6d5768feb36565: ikev2_childsa_enable: loaded flows: ESP-198.51.100.0/24=192.0.2.64/26(0), ESP-198.51.100.0/24=192.0.2.0/26(0), ESP-203.0.113.1/32=203.0.113.2/32(0)
> Jun 16 08:15:00 vpn00 iked[31977]: spi=0x3f6d5768feb36565: established peer 203.0.113.2:500[IPV4/203.0.113.2] local 203.0.113.1:500[FQDN/vpn00.example.net] policy 'policy1' as initiator
> Jun 16 08:16:02 vpn00 iked[31977]: spi=0x3f6d5768feb36565: retransmit 1 INFORMATIONAL req 2 peer 203.0.113.2:500 local 203.0.113.1:500
> Jun 16 08:16:06 vpn00 iked[31977]: spi=0x3f6d5768feb36565: retransmit 2 INFORMATIONAL req 2 peer 203.0.113.2:500 local 203.0.113.1:500
> Jun 16 08:16:14 vpn00 iked[31977]: spi=0x3f6d5768feb36565: retransmit 3 INFORMATIONAL req 2 peer 203.0.113.2:500 local 203.0.113.1:500
> Jun 16 08:16:30 vpn00 iked[31977]: spi=0x3f6d5768feb36565: retransmit 4 INFORMATIONAL req 2 peer 203.0.113.2:500 local 203.0.113.1:500
> Jun 16 08:17:02 vpn00 iked[31977]: spi=0x3f6d5768feb36565: retransmit 5 INFORMATIONAL req 2 peer 203.0.113.2:500 local 203.0.113.1:500
> Jun 16 08:18:06 vpn00 iked[31977]: spi=0x3f6d5768feb36565: sa_free: retransmit limit reached
>
> On 2020-06-16 02:55, Daniel Ouellet wrote:
> >
> > Just for the record, I just took a copy of iked version 6.6 and used
> > that instead of 6.7 and all is good. I saved the 6.7 version.
> >
> > gateway# ls -al /sbin/iked*
> > -r-xr-xr-x 1 root bin 436584 Jun 15 20:42 /sbin/iked
> > -r-xr-xr-x 1 root bin 448744 May 7 12:52 /sbin/iked.original
> >
> > So it's definitely nothing else that is stopping it from working.
> >
> > Just a new requirement for iked to use this new way and so far I am
> > coming short as to how to get this done right.
>
> As a workaround, that did the trick for me too, thanks for the hint! At
> least it is fixed for now.
>
> Cheers,
> --
> Tristan
>
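The failure pattern the reply describes (INFORMATIONAL liveness requests retransmitted until the limit is hit, then sa_free) can be picked out of syslog mechanically. This is an added example, not code from the thread or from OpenBSD; it assumes the iked line layout quoted above and a single log year (syslog timestamps carry none), and the sample lines are constructed from the ones quoted in the thread.

```python
"""Flag iked(8) IKE SAs torn down because DPD INFORMATIONAL requests went unanswered.
Added example (not from the thread or OpenBSD): groups syslog lines by IKE SA SPI
and reports SAs freed with "retransmit limit reached", with how long they lived."""
import re
from datetime import datetime

# Common iked syslog prefix: timestamp, host, process, IKE SA SPI.
PREFIX = (r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) "
          r"\S+ iked\[\d+\]: spi=(?P<spi>0x[0-9a-f]+): ")
ESTABLISHED = re.compile(PREFIX + r"established peer (?P<peer>\S+)")
RETRANSMIT = re.compile(PREFIX + r"retransmit (?P<n>\d+) INFORMATIONAL")
SA_FREE = re.compile(PREFIX + r"sa_free: retransmit limit reached")

def _when(m, year):
    # syslog timestamps carry no year; the caller supplies one (assumption).
    return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")

def dpd_failures(lines, year=2020):
    """Return one dict per IKE SA that hit the INFORMATIONAL retransmit limit."""
    sas = {}
    def sa(spi):
        return sas.setdefault(spi, {"spi": spi, "peer": None, "established": None,
                                    "retransmits": 0, "first_retransmit": None, "freed": None})
    for line in lines:
        if m := ESTABLISHED.match(line):
            sa(m["spi"]).update(peer=m["peer"], established=_when(m, year))
        elif m := RETRANSMIT.match(line):
            s = sa(m["spi"])
            s["retransmits"] = max(s["retransmits"], int(m["n"]))
            s["first_retransmit"] = s["first_retransmit"] or _when(m, year)
        elif m := SA_FREE.match(line):
            sa(m["spi"])["freed"] = _when(m, year)
    out = []
    for s in sas.values():
        if s["freed"] is not None and s["retransmits"] > 0:
            # seconds the SA lived before DPD gave up on the peer (None if never seen established)
            s["uptime_s"] = (int((s["freed"] - s["established"]).total_seconds())
                             if s["established"] else None)
            out.append(s)
    return out

# Sample input constructed from the lines quoted in the thread (abridged).
SAMPLE = [
    "Jun 16 08:07:00 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: established peer 203.0.113.2:4500[IPV4/203.0.113.2] local 203.0.113.1:4500[FQDN/vpn00.example.net] policy 'policy1' as initiator",
    "Jun 16 08:12:02 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: retransmit 1 INFORMATIONAL req 2 peer 203.0.113.2:4500 local 203.0.113.1:4500",
    "Jun 16 08:13:02 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: retransmit 5 INFORMATIONAL req 2 peer 203.0.113.2:4500 local 203.0.113.1:4500",
    "Jun 16 08:14:06 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: sa_free: retransmit limit reached",
    "Jun 16 08:15:00 vpn00 iked[31977]: spi=0x3f6d5768feb36565: established peer 203.0.113.2:500[IPV4/203.0.113.2] local 203.0.113.1:500[FQDN/vpn00.example.net] policy 'policy1' as initiator",
]
```

Feed it `open("/var/log/daemon")` on the initiator; an SA that shows up here with a short uptime and the full retransmit count is a peer that stopped answering DPD, which is a different failure from an SA that simply expired at its lifetime.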