Hi Noel,

I am using IKEv2 with strongSwan. After the CHILD_SA gets established, I see it
frequently renegotiate and flap.

Please find the output of ipsec statusall and the captures below; let me know
if there is any configuration issue that I should change.

         sl1:  10.98.102.52...10.10.10.1  IKEv2

         sl1:   local:  [n...@nbn.com] uses pre-shared key authentication

         sl1:   remote: [nbn1@nbn1com] uses pre-shared key authentication

  sl1childsa:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL

Routed Connections:

  sl1childsa{3}:  ROUTED, TUNNEL, reqid 2

  sl1childsa{3}:   0.0.0.0/0 === 0.0.0.0/0

Security Associations (1 up, 0 connecting):

         sl1[4]: ESTABLISHED 23 minutes ago, 10.98.102.52[n...@nbn.com
]...10.10.10.1[n...@nbn1.com]

         sl1[4]: IKEv2 SPIs: e82b151de5866900_i* 5d4c1539efebbda6_r,
rekeying in 7 hours

         sl1[4]: IKE proposal:
AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_384

  sl1childsa{1152}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs:
8feba02f_i ba8bc914_o

  sl1childsa{1152}:  AES_CBC_256/HMAC_SHA2_512_256/ECP_384, 0 bytes_i, 0
bytes_o, rekeying in 7 hours

  sl1childsa{1152}:   0.0.0.0/0 === 0.0.0.0/0

  sl1childsa{1153}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs:
68788a94_i e9589137_o

  sl1childsa{1153}:  AES_CBC_256/HMAC_SHA2_512_256/ECP_384, 0 bytes_i, 0
bytes_o, rekeying in 7 hours

  sl1childsa{1153}:   0.0.0.0/0 === 0.0.0.0/0
06:32:54.194712 IP 10.10.10.1.4500 > 10.98.102.52.4501: NONESP-encap:
isakmp: child_sa  inf2

06:32:54.222655 IP 10.98.102.52.4501 > 10.10.10.1.4500: NONESP-encap:
isakmp: child_sa  inf2[IR]

06:32:55.445138 IP 10.10.10.1.4500 > 10.98.102.52.4501: UDP-encap:
ESP(spi=0xa91e4f56,seq=0x71), length 152

06:32:55.445360 IP 10.98.102.52.4501 > 10.10.10.1.4500: UDP-encap:
ESP(spi=0x9f584aa3,seq=0x71), length 152

06:32:57.445275 IP 10.10.10.1.4500 > 10.98.102.52.4501: UDP-encap:
ESP(spi=0xa91e4f56,seq=0x72), length 152

06:32:57.445496 IP 10.98.102.52.4501 > 10.10.10.1.4500: UDP-encap:
ESP(spi=0x9f584aa3,seq=0x72), length 152

06:32:59.196318 IP 10.10.10.1.4500 > 10.98.102.52.4501: NONESP-encap:
isakmp: child_sa  child_sa

06:32:59.279512 IP 10.98.102.52.4501 > 10.10.10.1.4500: NONESP-encap:
isakmp: child_sa  child_sa[IR]

06:32:59.304809 IP 10.10.10.1.4500 > 10.98.102.52.4501: NONESP-encap:
isakmp: child_sa  inf2

06:32:59.332502 IP 10.98.102.52.4501 > 10.10.10.1.4500: NONESP-encap:
isakmp: child_sa  inf2[IR]

06:32:59.445412 IP 10.10.10.1.4500 > 10.98.102.52.4501: UDP-encap:
ESP(spi=0xa8fba64c,seq=0x1), length 152

06:32:59.445619 IP 10.98.102.52.4501 > 10.10.10.1.4500: UDP-encap:
ESP(spi=0xf54165c2,seq=0x1), length 152

06:32:59.893866 IP 10.10.10.1.4500 > 10.98.102.52.4501: NONESP-encap:
isakmp: child_sa  inf2

06:32:59.967624 IP 10.98.102.52.4501 > 10.10.10.1.4500: NONESP-encap:
isakmp: child_sa  child_sa[I]

06:32:59.995541 IP 10.98.102.52.4501 > 10.10.10.1.4500: NONESP-encap:
isakmp: child_sa  inf2[IR]

06:32:59.995844 IP 10.10.10.1.4500 > 10.98.102.52.4501: NONESP-encap:
isakmp: child_sa  child_sa[R]

06:33:00.894478 IP 10.10.10.1.4500 > 10.98.102.52.4501: NONESP-encap:
isakmp: child_sa  inf2

06:33:00.967634 IP 10.98.102.52.4501 > 10.10.10.1.4500: NONESP-encap:
isakmp: child_sa  child_sa[I]

06:33:00.995606 IP 10.98.102.52.4501 > 10.10.10.1.4500: NONESP-encap:
isakmp: child_sa  inf2[IR]

06:33:00.996718 IP 10.10.10.1.4500 > 10.98.102.52.4501: NONESP-encap:
isakmp: child_sa  child_sa[R]

06:33:01.445702 IP 10.10.10.1.4500 > 10.98.102.52.4501: UDP-encap:
ESP(spi=0x847f1303,seq=0x1), length 152

06:33:01.445949 IP 10.98.102.52.4501 > 10.10.10.1.4500: UDP-encap:
ESP(spi=0xba6bf65f,seq=0x1), length 152

06:33:01.894059 IP 10.10.10.1.4500 > 10.98.102.52.4501: NONESP-encap:
isakmp: child_sa  inf2

06:33:01.966663 IP 10.98.102.52.4501 > 10.10.10.1.4500: NONESP-encap:
isakmp: child_sa  child_sa[I]

06:33:01.994560 IP 10.98.102.52.4501 > 10.10.10.1.4500: NONESP-encap:
isakmp: child_sa  inf2[IR]

06:33:01.996317 IP 10.10.10.1.4500 > 10.98.102.52.4501: NONESP-encap:
isakmp: child_sa  child_sa[R]

06:33:02.894200 IP 10.10.10.1.4500 > 10.98.102.52.4501: NONESP-encap:
isakmp: child_sa  inf2

06:33:02.967545 IP 10.98.102.52.4501 > 10.10.10.1.4500: NONESP-encap:
isakmp: child_sa  child_sa[I]

06:33:02.995559 IP 10.98.102.52.4501 > 10.10.10.1.4500: NONESP-encap:
isakmp: child_sa  inf2[IR]

06:33:02.996473 IP 10.10.10.1.4500 > 10.98.102.52.4501: NONESP-encap:
isakmp: child_sa  child_sa[R]

06:33:03.894243 IP 10.10.10.1.4500 > 10.98.102.52.4501: NONESP-encap:
isakmp: child_sa  inf2

06:33:03.965564 IP 10.98.102.52.4501 > 10.10.10.1.4500: NONESP-encap:
isakmp: child_sa  child_sa[I]

06:33:03.986974 IP 10.10.10.1.4500 > 10.98.102.52.4501: NONESP-encap:
isakmp: child_sa  child_sa[R]

06:33:03.993479 IP 10.98.102.52.4501 > 10.10.10.1.4500: NONESP-encap:
isakmp: child_sa  inf2[IR]
strongSwan logs:

2019-05-07T07:00:18.093Z inf charon local1         @rCZg2C text:13[IKE]
<sl1|4> CHILD_SA sl1childsa{1636} established with SPIs b919b729_i
c3ddd451_o and TS 0.0.0.0/0 === 0.0.0.0/0

2019-05-07T07:00:18.989Z inf charon local1         @vnlQkD text:06[IKE]
<sl1|4> closing CHILD_SA sl1childsa{1635} with SPIs 7edde31d_i (0 bytes)
a5edb126_o (0 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0

2019-05-07T07:00:19.004Z inf charon local1         @G2ZywB text:06[IKE]
<sl1|4> establishing CHILD_SA sl1childsa{1637} reqid 2

2019-05-07T07:00:19.094Z inf charon local1         @t8Kt8C text:09[IKE]
<sl1|4> CHILD_SA sl1childsa{1637} established with SPIs 9b044b25_i
92470ab4_o and TS 0.0.0.0/0 === 0.0.0.0/0

2019-05-07T07:00:19.990Z inf charon local1         @PK2ABD text:11[IKE]
<sl1|4> closing CHILD_SA sl1childsa{1636} with SPIs b919b729_i (92 bytes)
c3ddd451_o (92 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0

2019-05-07T07:00:20.004Z inf charon local1         @HOsydC text:11[IKE]
<sl1|4> establishing CHILD_SA sl1childsa{1638} reqid 2

2019-05-07T07:00:20.094Z inf charon local1         @Lm-5hC text:12[IKE]
<sl1|4> CHILD_SA sl1childsa{1638} established with SPIs 8b8521e2_i
895effb0_o and TS 0.0.0.0/0 === 0.0.0.0/0

2019-05-07T07:00:20.990Z inf charon local1         @XhouIC text:06[IKE]
<sl1|4> closing CHILD_SA sl1childsa{1637} with SPIs 9b044b25_i (0 bytes)
92470ab4_o (0 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0

2019-05-07T07:00:21.004Z inf charon local1         @10KAuB text:06[IKE]
<sl1|4> establishing CHILD_SA sl1childsa{1639} reqid 2

2019-05-07T07:00:21.097Z inf charon local1         @TcXRjC text:13[IKE]
<sl1|4> CHILD_SA sl1childsa{1639} established with SPIs 9a1a3ac9_i
d458d320_o and TS 0.0.0.0/0 === 0.0.0.0/0

2019-05-07T07:00:21.991Z inf charon local1         @OQLIJD text:05[IKE]
<sl1|4> closing CHILD_SA sl1childsa{1638} with SPIs 8b8521e2_i (92 bytes)
895effb0_o (92 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0

2019-05-07T07:00:22.005Z inf charon local1         @9QUe9 text:05[IKE]
<sl1|4> establishing CHILD_SA sl1childsa{1640} reqid 2

2019-05-07T07:00:22.099Z inf charon local1         @Gf_DFD text:04[IKE]
<sl1|4> CHILD_SA sl1childsa{1640} established with SPIs 849e8274_i
fdcf028a_o and TS 0.0.0.0/0 === 0.0.0.0/0
Kindly help me figure out this issue.
Thanks,

Naveen
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
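As an added example (not from the post above and not strongSwan project code): a small Python checker that parses charon "CHILD_SA ... established" and "closing CHILD_SA ..." lines like the ones in the post and flags an IKE_SA whose CHILD_SA is being re-created far faster than its configured rekey interval. The sample input is the posted log block re-joined onto single lines (the mail client had wrapped them); the log-line layout the regexes rely on ("text:NN[IKE] <conn|id> message") is taken from those lines, while the 60-second window, the threshold of three establishes, the Event record and the function names are constructed for this example.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample: the charon lines from the post, re-joined onto single lines.
SAMPLE_LOG = """\
2019-05-07T07:00:18.093Z inf charon local1 @rCZg2C text:13[IKE] <sl1|4> CHILD_SA sl1childsa{1636} established with SPIs b919b729_i c3ddd451_o and TS 0.0.0.0/0 === 0.0.0.0/0
2019-05-07T07:00:18.989Z inf charon local1 @vnlQkD text:06[IKE] <sl1|4> closing CHILD_SA sl1childsa{1635} with SPIs 7edde31d_i (0 bytes) a5edb126_o (0 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0
2019-05-07T07:00:19.004Z inf charon local1 @G2ZywB text:06[IKE] <sl1|4> establishing CHILD_SA sl1childsa{1637} reqid 2
2019-05-07T07:00:19.094Z inf charon local1 @t8Kt8C text:09[IKE] <sl1|4> CHILD_SA sl1childsa{1637} established with SPIs 9b044b25_i 92470ab4_o and TS 0.0.0.0/0 === 0.0.0.0/0
2019-05-07T07:00:19.990Z inf charon local1 @PK2ABD text:11[IKE] <sl1|4> closing CHILD_SA sl1childsa{1636} with SPIs b919b729_i (92 bytes) c3ddd451_o (92 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0
2019-05-07T07:00:20.004Z inf charon local1 @HOsydC text:11[IKE] <sl1|4> establishing CHILD_SA sl1childsa{1638} reqid 2
2019-05-07T07:00:20.094Z inf charon local1 @Lm-5hC text:12[IKE] <sl1|4> CHILD_SA sl1childsa{1638} established with SPIs 8b8521e2_i 895effb0_o and TS 0.0.0.0/0 === 0.0.0.0/0
2019-05-07T07:00:20.990Z inf charon local1 @XhouIC text:06[IKE] <sl1|4> closing CHILD_SA sl1childsa{1637} with SPIs 9b044b25_i (0 bytes) 92470ab4_o (0 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0
2019-05-07T07:00:21.004Z inf charon local1 @10KAuB text:06[IKE] <sl1|4> establishing CHILD_SA sl1childsa{1639} reqid 2
2019-05-07T07:00:21.097Z inf charon local1 @TcXRjC text:13[IKE] <sl1|4> CHILD_SA sl1childsa{1639} established with SPIs 9a1a3ac9_i d458d320_o and TS 0.0.0.0/0 === 0.0.0.0/0
2019-05-07T07:00:21.991Z inf charon local1 @OQLIJD text:05[IKE] <sl1|4> closing CHILD_SA sl1childsa{1638} with SPIs 8b8521e2_i (92 bytes) 895effb0_o (92 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0
2019-05-07T07:00:22.005Z inf charon local1 @9QUe9 text:05[IKE] <sl1|4> establishing CHILD_SA sl1childsa{1640} reqid 2
2019-05-07T07:00:22.099Z inf charon local1 @Gf_DFD text:04[IKE] <sl1|4> CHILD_SA sl1childsa{1640} established with SPIs 849e8274_i fdcf028a_o and TS 0.0.0.0/0 === 0.0.0.0/0
"""

# One parsed log event; 'bytes' is the traffic carried by a closed SA (in + out), else None.
Event = namedtuple("Event", "ts ike_sa kind child_id bytes")

# Line layout assumed from the post: "<timestamp> ... [IKE] <conn|ike_id> <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+) .*?\[IKE\] <(?P<conn>[^|>]+)\|(?P<ike_id>\d+)> (?P<msg>.*)$")
EST_RE = re.compile(r"^CHILD_SA [^{\s]+\{(?P<id>\d+)\} established with SPIs")
ESTING_RE = re.compile(r"^establishing CHILD_SA [^{\s]+\{(?P<id>\d+)\}")
CLOSE_RE = re.compile(
    r"^closing CHILD_SA [^{\s]+\{(?P<id>\d+)\} with SPIs [0-9a-f]+_i \((?P<bi>\d+) bytes\) "
    r"[0-9a-f]+_o \((?P<bo>\d+) bytes\)"
)


def parse_events(lines):
    """Turn charon CHILD_SA log lines into Event records; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
        ike_sa = f"{m['conn']}[{m['ike_id']}]"  # same form as ipsec statusall, e.g. sl1[4]
        msg = m["msg"]
        if (e := EST_RE.match(msg)):
            events.append(Event(ts, ike_sa, "established", int(e["id"]), None))
        elif (e := ESTING_RE.match(msg)):
            events.append(Event(ts, ike_sa, "establishing", int(e["id"]), None))
        elif (e := CLOSE_RE.match(msg)):
            events.append(Event(ts, ike_sa, "closed", int(e["id"]), int(e["bi"]) + int(e["bo"])))
    return events


def child_lifetimes(events):
    """Seconds each CHILD_SA lived, for SAs whose 'established' and 'closing' lines both appear."""
    up = {e.child_id: e.ts for e in events if e.kind == "established"}
    return {e.child_id: (e.ts - up[e.child_id]).total_seconds()
            for e in events if e.kind == "closed" and e.child_id in up}


def detect_churn(events, window=timedelta(seconds=60), max_establishes=3):
    """Flag IKE_SAs whose CHILD_SA is (re)established more than max_establishes
    times inside any sliding window of the given length. Thresholds are
    constructed defaults for this example, not strongSwan settings."""
    by_ike = defaultdict(list)
    for ev in events:
        by_ike[ev.ike_sa].append(ev)
    findings = {}
    for ike_sa, evs in by_ike.items():
        stamps = sorted(e.ts for e in evs if e.kind == "established")
        peak, start = 0, 0
        for end, ts in enumerate(stamps):        # sliding window over establish times
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        closes = [e for e in evs if e.kind == "closed"]
        if peak > max_establishes:
            findings[ike_sa] = {
                "peak_establishes_in_window": peak,
                "closes": len(closes),
                # SAs torn down before carrying a single byte in either direction
                "idle_closes": sum(1 for e in closes if e.bytes == 0),
            }
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    for ike_sa, report in detect_churn(evs).items():
        print(f"{ike_sa}: CHILD_SA churn {report}")
    for cid, secs in child_lifetimes(evs).items():
        print(f"  child {cid} lived {secs:.3f}s")
```

Run against the posted lines it reports sl1[4] with five CHILD_SAs established inside five seconds, each one closed about 1.9 seconds after its successor comes up, two of them having carried no traffic at all; that is the number to set beside the "rekeying in 7 hours" that ipsec statusall prints for the same connection when deciding whether the rekeys are being driven by a lifetime setting or by something else.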