Hi guys,
First of all, thanks for the amazing work you've done with 6.7!
That said, I've got the same issue here after I updated to 6.7. The VPN
keeps cutting off every 10 minutes or so. Is there any way I could fix
that?
Here's my configuration:
local_gw="203.0.113.1"
local_network="198.51.100.0/24"
remote_gw="203.0.113.2"
remote_network="192.0.2.0/26"
remote_network2="192.0.2.64/26"
ikev2 active esp \
from $local_gw to $remote_gw \
from $local_network to $remote_network \
from $local_network to $remote_network2 \
peer $remote_gw \
ikesa enc aes-128 auth hmac-sha1 prf hmac-sha1 group modp1536 \
childsa auth hmac-sha1 enc aes-128 group modp1536 \
ikelifetime 86400 lifetime 43200 \
psk "XXXXXXXXXXXXXXXXX"
That's what I can see in the logs:
Jun 16 08:07:00 vpn00 iked[31977]: ikev2_init_ike_sa: initiating "policy1"
Jun 16 08:07:00 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: send IKE_SA_INIT req 0 peer 203.0.113.2:500 local 0.0.0.0:500, 382 bytes
Jun 16 08:07:00 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: recv IKE_SA_INIT res 0 peer 203.0.113.2:500 local 203.0.113.1:500, 352 bytes, policy 'policy1'
Jun 16 08:07:00 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: send IKE_AUTH req 1 peer 203.0.113.2:4500 local 203.0.113.1:4500, 284 bytes, NAT-T
Jun 16 08:07:00 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: recv IKE_AUTH res 1 peer 203.0.113.2:4500 local 203.0.113.1:4500, 252 bytes, policy 'policy1'
Jun 16 08:07:00 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: ikev2_childsa_enable: loaded SPIs: 0xae51c8bb, 0x3ab61433
Jun 16 08:07:00 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: ikev2_childsa_enable: loaded flows: ESP-198.51.100.0/24=192.0.2.64/26(0), ESP-198.51.100.0/24=192.0.2.0/26(0), ESP-203.0.113.1/32=203.0.113.2/32(0)
Jun 16 08:07:00 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: established peer 203.0.113.2:4500[IPV4/203.0.113.2] local 203.0.113.1:4500[FQDN/vpn00.example.net] policy 'policy1' as initiator
Jun 16 08:12:02 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: retransmit 1 INFORMATIONAL req 2 peer 203.0.113.2:4500 local 203.0.113.1:4500
Jun 16 08:12:06 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: retransmit 2 INFORMATIONAL req 2 peer 203.0.113.2:4500 local 203.0.113.1:4500
Jun 16 08:12:14 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: retransmit 3 INFORMATIONAL req 2 peer 203.0.113.2:4500 local 203.0.113.1:4500
Jun 16 08:12:30 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: retransmit 4 INFORMATIONAL req 2 peer 203.0.113.2:4500 local 203.0.113.1:4500
Jun 16 08:13:02 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: retransmit 5 INFORMATIONAL req 2 peer 203.0.113.2:4500 local 203.0.113.1:4500
Jun 16 08:14:06 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: sa_free: retransmit limit reached
Jun 16 08:15:00 vpn00 iked[31977]: ikev2_init_ike_sa: initiating "policy1"
Jun 16 08:15:00 vpn00 iked[31977]: spi=0x3f6d5768feb36565: send IKE_SA_INIT req 0 peer 203.0.113.2:500 local 0.0.0.0:500, 382 bytes
Jun 16 08:15:00 vpn00 iked[31977]: spi=0x3f6d5768feb36565: recv IKE_SA_INIT res 0 peer 203.0.113.2:500 local 203.0.113.1:500, 352 bytes, policy 'policy1'
Jun 16 08:15:00 vpn00 iked[31977]: spi=0x3f6d5768feb36565: send IKE_AUTH req 1 peer 203.0.113.2:500 local 203.0.113.1:500, 284 bytes
Jun 16 08:15:00 vpn00 iked[31977]: spi=0x3f6d5768feb36565: recv IKE_AUTH res 1 peer 203.0.113.2:500 local 203.0.113.1:500, 252 bytes, policy 'policy1'
Jun 16 08:15:00 vpn00 iked[31977]: spi=0x3f6d5768feb36565: ikev2_childsa_enable: loaded SPIs: 0xae51c8bd, 0x7009bc39
Jun 16 08:15:00 vpn00 iked[31977]: spi=0x3f6d5768feb36565: ikev2_childsa_enable: loaded flows: ESP-198.51.100.0/24=192.0.2.64/26(0), ESP-198.51.100.0/24=192.0.2.0/26(0), ESP-203.0.113.1/32=203.0.113.2/32(0)
Jun 16 08:15:00 vpn00 iked[31977]: spi=0x3f6d5768feb36565: established peer 203.0.113.2:500[IPV4/203.0.113.2] local 203.0.113.1:500[FQDN/vpn00.example.net] policy 'policy1' as initiator
Jun 16 08:16:02 vpn00 iked[31977]: spi=0x3f6d5768feb36565: retransmit 1 INFORMATIONAL req 2 peer 203.0.113.2:500 local 203.0.113.1:500
Jun 16 08:16:06 vpn00 iked[31977]: spi=0x3f6d5768feb36565: retransmit 2 INFORMATIONAL req 2 peer 203.0.113.2:500 local 203.0.113.1:500
Jun 16 08:16:14 vpn00 iked[31977]: spi=0x3f6d5768feb36565: retransmit 3 INFORMATIONAL req 2 peer 203.0.113.2:500 local 203.0.113.1:500
Jun 16 08:16:30 vpn00 iked[31977]: spi=0x3f6d5768feb36565: retransmit 4 INFORMATIONAL req 2 peer 203.0.113.2:500 local 203.0.113.1:500
Jun 16 08:17:02 vpn00 iked[31977]: spi=0x3f6d5768feb36565: retransmit 5 INFORMATIONAL req 2 peer 203.0.113.2:500 local 203.0.113.1:500
Jun 16 08:18:06 vpn00 iked[31977]: spi=0x3f6d5768feb36565: sa_free: retransmit limit reached
On 2020-06-16 02:55, Daniel Ouellet wrote:
> Just for the record, I just took a copy of iked version 6.6 and used
> that instead of 6.7 and all is good. I saved the 6.7 version.
>
> gateway# ls -al /sbin/iked*
> -r-xr-xr-x 1 root bin 436584 Jun 15 20:42 /sbin/iked
> -r-xr-xr-x 1 root bin 448744 May 7 12:52 /sbin/iked.original
>
> So it's definitely nothing else that is stopping it from working.
> Just a new requirement for iked to use this new way and so far I am
> coming up short as to how to get this done right.
As a workaround, that did the trick for me too, thanks for the hint! At
least it is fixed for now.
Cheers,
--
Tristan
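To make the cycle in those logs measurable rather than eyeballed, here is an added example (not from this thread and not iked's own code) that parses iked syslog lines of the shape shown above and reports, per IKE SA, its uptime, the peer port in use and how many INFORMATIONAL retransmits went unanswered before iked freed it. It assumes the year 2020 because syslog timestamps carry no year, and the sample lines are constructed to mirror the post.

```python
# Added example, not from this thread: parse iked syslog lines for the
# "established" / "retransmit N" / "sa_free" cycle and report each SA's uptime.
import re
from datetime import datetime

# Constructed sample mirroring the post's log (only some retransmits kept).
SAMPLE_LOG = """\
Jun 16 08:07:00 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: established peer 203.0.113.2:4500[IPV4/203.0.113.2] local 203.0.113.1:4500[FQDN/vpn00.example.net] policy 'policy1' as initiator
Jun 16 08:12:02 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: retransmit 1 INFORMATIONAL req 2 peer 203.0.113.2:4500 local 203.0.113.1:4500
Jun 16 08:13:02 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: retransmit 5 INFORMATIONAL req 2 peer 203.0.113.2:4500 local 203.0.113.1:4500
Jun 16 08:14:06 vpn00 iked[31977]: spi=0x462d6a0792f85aa5: sa_free: retransmit limit reached
Jun 16 08:15:00 vpn00 iked[31977]: ikev2_init_ike_sa: initiating "policy1"
Jun 16 08:15:00 vpn00 iked[31977]: spi=0x3f6d5768feb36565: established peer 203.0.113.2:500[IPV4/203.0.113.2] local 203.0.113.1:500[FQDN/vpn00.example.net] policy 'policy1' as initiator
Jun 16 08:16:02 vpn00 iked[31977]: spi=0x3f6d5768feb36565: retransmit 1 INFORMATIONAL req 2 peer 203.0.113.2:500 local 203.0.113.1:500
Jun 16 08:18:06 vpn00 iked[31977]: spi=0x3f6d5768feb36565: sa_free: retransmit limit reached
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ iked\[\d+\]: "
                  r"spi=(?P<spi>0x[0-9a-f]+): (?P<msg>.*)$")
ESTAB = re.compile(r"^established peer \S+:(?P<port>\d+)\[")
RETRANS = re.compile(r"^retransmit (?P<n>\d+) (?P<exch>\S+) req")

def sa_lifetimes(lines, year=2020):
    """One record per IKE SA: when it came up, when iked freed it after the
    retransmit limit, its uptime in seconds, and the peer port in use."""
    sas = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # lines without an spi= prefix (init, flows) are skipped
        spi, msg = m["spi"], m["msg"]
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if e := ESTAB.match(msg):
            sas[spi] = {"spi": spi, "established": when, "freed": None,
                        "uptime_s": None, "retransmits": 0,
                        "peer_port": int(e["port"])}
        elif spi in sas and (r := RETRANS.match(msg)):
            sas[spi]["retransmits"] = max(sas[spi]["retransmits"], int(r["n"]))
        elif spi in sas and msg.startswith("sa_free: retransmit limit reached"):
            sas[spi]["freed"] = when
            sas[spi]["uptime_s"] = int((when - sas[spi]["established"]).total_seconds())
    return list(sas.values())

if __name__ == "__main__":
    for sa in sa_lifetimes(SAMPLE_LOG.splitlines()):
        print(f"{sa['spi']}: up {sa['uptime_s']}s on peer port {sa['peer_port']}, "
              f"freed after {sa['retransmits']} unanswered INFORMATIONAL retransmits")
```

Run against a real /var/log/daemon, the per-SA uptimes and the port switch between 4500 and 500 are what to compare against the 6.6 binary's behaviour.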