Hi,

I formed a site-to-site tunnel between strongSwan and Cisco: R1 ============== R2.

After some time, strongSwan is deleting the IKE_SA without sending any notification, which results in a rekeying failure with the peer. Please find the logs below.

*Logs*
+++++++++++++++++
Jun 28 13:00:52 uxcasxxx charon: 12[IKE] 172.31.114.211 is initiating an IKE_SA
Jun 28 13:00:52 uxcasxxx charon: 12[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Jun 28 13:00:52 uxcasxxx charon: 12[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Jun 28 13:00:52 uxcasxxx charon: 12[IKE] sending cert request for "C=IN, ST=TN, L=CH, O=CAS, [email protected]"
Jun 28 13:00:52 uxcasxxx charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jun 28 13:00:52 uxcasxxx charon: 12[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:00:52 uxcasxxx charon: 14[NET] received packet: from 172.31.114.211[500] to 172.31.114.227[500]
Jun 28 13:00:52 uxcasxxx charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]
Jun 28 13:00:52 uxcasxxx charon: 14[CFG] looking for peer configs matching 172.31.114.227[%any]...172.31.114.211[[email protected]]
Jun 28 13:00:52 uxcasxxx charon: 14[CFG] selected peer config 'fqdn_vr'
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] authentication of '[email protected]' with pre-shared key successful
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] authentication of '172.31.114.227' (myself) with pre-shared key
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] deleting duplicate IKE_SA for peer '[email protected]' due to uniqueness policy
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] deleting IKE_SA fqdn_vr[3] between 172.31.114.227[172.31.114.227]...172.31.114.211[[email protected]]
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] sending DELETE for IKE_SA fqdn_vr[3]
Jun 28 13:00:52 uxcasxxx charon: 14[ENC] generating INFORMATIONAL request 0 [ D ]
Jun 28 13:00:52 uxcasxxx charon: 14[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
*Jun 28 13:00:52 uxcasxxx charon: 14[IKE] IKE_SA fqdn_vr[4] established between 172.31.114.227[172.31.114.227]...172.31.114.211[[email protected]]
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] CHILD_SA fqdn_vr{4} established with SPIs c42991a0_i 4f98c63c_o and TS 172.31.114.227/32 === 0.0.0.0/0
Jun 28 13:00:52 uxcasxxx charon: 14[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Jun 28 13:00:52 uxcasxxx charon: 14[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:00:56 uxcasxxx charon: 13[IKE] retransmit 1 of request with message ID 0
Jun 28 13:00:56 uxcasxxx charon: 13[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:01:04 uxcasxxx charon: 07[IKE] retransmit 2 of request with message ID 0
Jun 28 13:01:04 uxcasxxx charon: 07[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:01:17 uxcasxxx charon: 08[IKE] retransmit 3 of request with message ID 0
Jun 28 13:01:17 uxcasxxx charon: 08[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:01:22 uxcasxxx charon: 10[IKE] destroying IKE_SA in state DELETING without notification*

*Conf:*
cacert=ikeca_fqdn.crt
auto=add

config setup
    plutostart=yes
    plutodebug=all
    charonstart=yes
    charondebug=all
    nat_traversal=yes
    crlcheckinterval=10m
    strictcrlpolicy=no

conn %default
    ikelifetime=1h
    keylife=2h
    keyingtries=1

conn fqdn_vr
    auth=esp
    type=tunnel
    keyexchange=ikev2
    left=172.31.114.227
    right=%any
    [email protected]
    rightsubnet=0.0.0.0/0
    authby=secret
    pfs=no
    rekey=no
    auto=add

ipsec.secrets
++++++++++
172.31.114.227 [email protected] : PSK "sachinten1"

Please provide your inputs on this.

Regards,
Saravanan N
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
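The log above shows the sequence that matters operationally: a duplicate IKE_SA is torn down under the uniqueness policy, the DELETE is sent, retransmitted three times with no reply, and thirty seconds later the SA is destroyed "without notification". charon does not name the IKE_SA on the retransmit or destroy lines, so spotting this pattern across a busy log takes a little correlation. The following is an added example (not code from the poster or from the strongSwan project) that runs that correlation over the posted lines. It assumes: the message ID printed on the INFORMATIONAL request ties later "retransmit ... message ID N" lines to that DELETE; a successful close is logged as the literal text "IKE_SA deleted"; and the masked peer identity from the list archive is replaced by a constructed placeholder, vr@example.invalid.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the charon lines from the post above, trimmed to the
# DELETE exchange, with the masked peer identity replaced by a placeholder.
SAMPLE_LOG = """\
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] deleting duplicate IKE_SA for peer 'vr@example.invalid' due to uniqueness policy
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] deleting IKE_SA fqdn_vr[3] between 172.31.114.227[172.31.114.227]...172.31.114.211[vr@example.invalid]
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] sending DELETE for IKE_SA fqdn_vr[3]
Jun 28 13:00:52 uxcasxxx charon: 14[ENC] generating INFORMATIONAL request 0 [ D ]
Jun 28 13:00:52 uxcasxxx charon: 14[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] IKE_SA fqdn_vr[4] established between 172.31.114.227[172.31.114.227]...172.31.114.211[vr@example.invalid]
Jun 28 13:00:56 uxcasxxx charon: 13[IKE] retransmit 1 of request with message ID 0
Jun 28 13:01:04 uxcasxxx charon: 07[IKE] retransmit 2 of request with message ID 0
Jun 28 13:01:17 uxcasxxx charon: 08[IKE] retransmit 3 of request with message ID 0
Jun 28 13:01:22 uxcasxxx charon: 10[IKE] destroying IKE_SA in state DELETING without notification
"""

# Syslog prefix: "Mon DD HH:MM:SS host charon: NN[GROUP] message"
LINE_RE = re.compile(r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) \S+ charon: \d+\[\w+\] (?P<msg>.*)$")
UNIQUE_RE = re.compile(r"deleting duplicate IKE_SA for peer '(?P<peer>[^']+)' due to uniqueness policy")
SEND_DELETE_RE = re.compile(r"sending DELETE for IKE_SA (?P<sa>\S+)")
INFO_REQ_RE = re.compile(r"generating INFORMATIONAL request (?P<mid>\d+) \[ D \]")
RETRANSMIT_RE = re.compile(r"retransmit \d+ of request with message ID (?P<mid>\d+)")
DESTROY_RE = re.compile(r"destroying IKE_SA in state DELETING without notification")
DELETED_RE = re.compile(r"^IKE_SA deleted$")  # assumed text of an acknowledged close


@dataclass
class PendingDelete:
    sa: str
    sent_at: int              # seconds since midnight of the "sending DELETE" line
    mid: Optional[int] = None  # message ID of the INFORMATIONAL carrying the D payload
    retransmits: int = 0


@dataclass
class Finding:
    sa: str
    retransmits: int
    seconds_unanswered: int


@dataclass
class Report:
    unanswered_deletes: List[Finding] = field(default_factory=list)
    uniqueness_deletes: Dict[str, int] = field(default_factory=dict)
    unparsed: int = 0


def _seconds(hhmmss: str) -> int:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def analyse(log: str) -> Report:
    """Correlate each sent DELETE with later retransmit/destroy lines (heuristic:
    retransmits are charged to the oldest pending DELETE with the same message
    ID; a destroy-without-notification line closes the oldest pending DELETE)."""
    report = Report()
    pending: List[PendingDelete] = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            if raw.strip():
                report.unparsed += 1
            continue
        msg, now = m["msg"], _seconds(m["time"])
        if u := UNIQUE_RE.search(msg):
            report.uniqueness_deletes[u["peer"]] = report.uniqueness_deletes.get(u["peer"], 0) + 1
        elif d := SEND_DELETE_RE.search(msg):
            pending.append(PendingDelete(sa=d["sa"], sent_at=now))
        elif (i := INFO_REQ_RE.search(msg)) and pending and pending[-1].mid is None:
            pending[-1].mid = int(i["mid"])
        elif (r := RETRANSMIT_RE.search(msg)) and pending:
            for p in pending:
                if p.mid == int(r["mid"]):
                    p.retransmits += 1
                    break
        elif DELETED_RE.search(msg) and pending:
            pending.pop(0)  # peer answered; nothing to report
        elif DESTROY_RE.search(msg) and pending:
            p = pending.pop(0)
            report.unanswered_deletes.append(Finding(p.sa, p.retransmits, now - p.sent_at))
    return report


def format_report(report: Report) -> List[str]:
    lines = [f"{peer}: {n} IKE_SA(s) replaced under the uniqueness policy"
             for peer, n in report.uniqueness_deletes.items()]
    for f in report.unanswered_deletes:
        lines.append(f"{f.sa}: DELETE unanswered after {f.retransmits} retransmits, "
                     f"destroyed {f.seconds_unanswered}s later without notification")
    return lines


if __name__ == "__main__":
    for line in format_report(analyse(SAMPLE_LOG)):
        print(line)
```

Run against the posted lines this reports one uniqueness replacement for the peer and one DELETE for fqdn_vr[3] that went unanswered through three retransmits and was destroyed 30 s after it was sent; on a log where the peer acknowledges the DELETE, the "IKE_SA deleted" line clears the pending entry and nothing is reported. Feeding a longer charon log through it is a quick way to see whether the unacknowledged DELETE coincides with the peer initiating a fresh IKE_SA each time, as it does here.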
