[Swan-dev] IPsec rekey from Libreswan not initiated

Balaji Thoguluva tbbalaji at gmail.com
Tue Nov 24 22:20:24 UTC 2020


Hi Paul,

I tried setting the dpd parameters as suggested, shown below.

conn radcert
 ikev2=yes
 left=10.196.175.174
 leftsubnet=10.196.175.174/32
 leftprotoport=17/1812
 right=10.196.176.11
 rightsubnet=10.196.176.11/32
 rightprotoport=17/1812
 auto=ondemand
 ike=aes256-sha256;dh14
 phase2=esp
 phase2alg=aes256-sha1;modp2048
 pfs=yes
 authby=secret
 type=tunnel
 esn=no
 rekey=yes
 salifetime=300s
 ikelifetime=3600s
 dpddelay=30s
 dpdtimeout=60s
 dpdaction=hold

As an FYI, there is not much ESP traffic flowing in the tunnel.

Still the tunnel gets torn down from Libreswan.

2020-11-24T22:07:16.071632+00:00 [localhost] sshd[3367]:
pam_authp(sshd:setcred): pam_sm_setcred: started
2020-11-24T22:07:43.863183+00:00 [localhost] pluto[3151]: "radcert" #2:
Neither IKEv1 nor IKEv2 allowed: ENCRYPT+TUNNEL
2020-11-24T22:12:10.863542+00:00 [localhost] pluto[3151]: "radcert" #2:
deleting state (STATE_V2_IPSEC_I) and sending notification
2020-11-24T22:12:10.863575+00:00 [localhost] pluto[3151]: "radcert" #2: ESP
traffic information: in=73B out=96B
2020-11-24T22:12:10.868489+00:00 [localhost] pluto[3151]: expire unused
parent SA #1 "radcert"
2020-11-24T22:12:10.868521+00:00 [localhost] pluto[3151]: "radcert" #1:
ISAKMP SA expired (LATEST!)
2020-11-24T22:12:10.868525+00:00 [localhost] pluto[3151]: "radcert" #1:
deleting state (STATE_PARENT_I3) and sending notification
2020-11-24T22:12:10.872568+00:00 [localhost] pluto[3151]: packet from
10.196.175.174:500: ISAKMP_v2_INFORMATIONAL message response has no
matching IKE SA
2020-11-24T22:12:10.872582+00:00 [localhost] pluto[3151]: packet from
10.196.175.174:500: ISAKMP_v2_INFORMATIONAL message response has no
matching IKE SA
2020-11-24T22:13:41.983279+00:00 [localhost] sshd[3483]: PAM unable to
resolve symbol: pam_sm_authenticate

Any idea?

Thanks,
Balaji

On Tue, Nov 24, 2020 at 4:28 PM Paul Wouters <paul at nohats.ca> wrote:

> On Tue, 24 Nov 2020, Balaji Thoguluva wrote:
>
> > I am using the below configuration with an intent to do IPsec rekey
> initiated from Libreswan.
> >
> > conn radcert
>
> >         dpddelay=0s
> >         dpdtimeout=0s
> >         dpdaction=hold
>
> don't set these to 0! That means whenever the code checks it deems your
> connection is down.
>
> timeout is the time elapsed for no responses before the tunnel is
> deemed down. RFCs say it should never be less than 60s, but it is
> possible to set this shorter.
>
> delay is the time between probes, if the connection is idle. This should
> also not be too short.
>
> Remember, if your link is busy and congested, if a dpd packet gets
> dropped it counts as failure towards the timeout period. If you
> timeout on a working connection due to congestion, you will have
> a hard time getting the connection up - it will also drop packets
> for the setup of the new tunnel.
>
> Try dpddelay=30s and dpdtimeout=60s
>
> Paul
>
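Paul's description of the two DPD knobs (dpddelay is the interval between probes on an idle tunnel; dpdtimeout is how long the peer may go without answering before it is declared dead; a probe dropped by a congested link counts toward that window just as a dead peer would) can be turned into a small timing model. The Python below is an added example written for this page, not Libreswan code: the liveness model is a deliberate simplification of pluto's real logic, the CONN_TEXT excerpt is constructed from the conn block in the thread, and the function names and the simplified time parser are assumptions made here.

```python
"""Toy model of IKE Dead Peer Detection (DPD) timing.

Assumptions (an illustrative model, not Libreswan's pluto code):
  * a probe is sent every `delay` seconds while the tunnel is idle;
  * the peer is declared dead once `timeout` seconds have elapsed since
    the last proof of liveness (a probe response) with no new response;
  * a probe dropped in transit simply yields no response, so it counts
    towards the timeout window exactly like a dead peer would.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt of the conn block from the thread (only the keys used here).
CONN_TEXT = """\
conn radcert
 ikev2=yes
 rekey=yes
 dpddelay=30s
 dpdtimeout=60s
 dpdaction=hold
"""

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}


def parse_seconds(value: str) -> float:
    """Parse '30s', '5m', '1h' or a bare number (seconds) into seconds.
    Simplified relative to Libreswan's own time parser (assumption)."""
    m = re.fullmatch(r"(\d+)([smh]?)", value.strip())
    if not m:
        raise ValueError(f"unrecognised time value: {value!r}")
    return float(m.group(1)) * _UNIT_SECONDS[m.group(2) or "s"]


def parse_dpd_settings(conn_text: str) -> tuple[float, float]:
    """Return (dpddelay, dpdtimeout) in seconds from an ipsec.conf conn block.
    Missing keys are treated as 0, i.e. DPD not configured."""
    settings = {}
    for line in conn_text.splitlines():
        line = line.strip()
        if line.startswith("conn ") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return (parse_seconds(settings.get("dpddelay", "0")),
            parse_seconds(settings.get("dpdtimeout", "0")))


def check_dpd_settings(delay: float, timeout: float) -> list[str]:
    """Flag DPD settings that make a healthy tunnel easy to tear down."""
    warnings = []
    if delay <= 0 or timeout <= 0:
        warnings.append("dpddelay/dpdtimeout of 0: every liveness check finds "
                        "the timeout already exceeded, so the peer is deemed down")
        return warnings
    if timeout < 60:
        warnings.append("dpdtimeout below 60s is shorter than RFC guidance")
    if timeout <= delay:
        warnings.append("dpdtimeout <= dpddelay: a single dropped probe exhausts "
                        "the window, so any congestion loss declares the peer dead")
    return warnings


@dataclass(frozen=True)
class DpdOutcome:
    declared_dead_at: float | None  # seconds since start; None if the peer survived
    probes_sent: int


def simulate_dpd(delay: float, timeout: float, dropped_probes: set[int],
                 horizon: float = 600.0) -> DpdOutcome:
    """Run the model over an idle tunnel for `horizon` seconds.
    `dropped_probes` holds the 1-based sequence numbers of probes lost in transit."""
    if delay <= 0 or timeout <= 0:
        # Degenerate settings: the first check already sees the window exceeded.
        return DpdOutcome(declared_dead_at=0.0, probes_sent=0)
    last_proof = 0.0   # tunnel setup itself is the initial proof of liveness
    now = 0.0
    sent = 0
    while now + delay <= horizon:
        now += delay
        sent += 1
        if sent not in dropped_probes:
            last_proof = now          # response arrived: liveness window restarts
        if now - last_proof >= timeout:
            return DpdOutcome(declared_dead_at=now, probes_sent=sent)
    return DpdOutcome(declared_dead_at=None, probes_sent=sent)


if __name__ == "__main__":
    delay, timeout = parse_dpd_settings(CONN_TEXT)
    print(f"dpddelay={delay:.0f}s dpdtimeout={timeout:.0f}s", check_dpd_settings(delay, timeout))
    for drops in (set(), {3}, {3, 4}):
        print(f"drops={sorted(drops)}: {simulate_dpd(delay, timeout, drops)}")
    print("dpdtimeout=0:", simulate_dpd(0, 0, set()))
```

With 30s/60s a single lost probe is absorbed and only two consecutive losses declare the peer dead; with a timeout equal to or below the delay, or with both set to 0, one loss (or none at all) is enough, which is the failure mode the reply warns about.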