[Swan] Intermittent connection loss

Xinwei Hong xhong at skytap.com
Fri Oct 26 20:56:46 UTC 2018


I collected some more recent logs; I'll just emphasize a few here:


2018-10-10T20:30:55.000Z tuk1r1:10.9.x.x pluto warn - - - vpn-1200910:
"vnet_conn_vpn-1200910-tunnel-VPNRemoteRoutedSubnet-tunnel-0.0.0.0/0"[176]
y.y.y.y #2254: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
to replace #2234 {using isakmp#2197 msgid:cda1e74c
proposal=AES(12)_128-SHA1(2) pfsgroup=no-pfs}

2018-10-10T20:30:56.000Z tuk1r1:10.9.x.x pluto warn - - - vpn-1200910:
"vnet_conn_vpn-1200910-tunnel-VPNRemoteRoutedSubnet-tunnel-0.0.0.0/0"[176]
y.y.y.y #2254: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2

2018-10-10T20:30:56.000Z tuk1r1:10.9.x.x pluto warn - - - vpn-1200910:
"vnet_conn_vpn-1200910-tunnel-VPNRemoteRoutedSubnet-tunnel-0.0.0.0/0"[176]
y.y.y.y #2254: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
{ESP=>0xb1fc346e <0xde8594db xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none
DPD=passive}


>>> 1) The previous P2 lifetime (1 hr) expired; a new ESP SA (0xb1fc346e) was
negotiated.



2018-10-10T21:16:00.000Z tuk1r1:10.9.x.x pluto warn - - - vpn-1200910:
"vnet_conn_vpn-1200910-tunnel-VPNRemoteRoutedSubnet-tunnel-0.0.0.0/0"[178]
y.y.y.y #2266: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=PRESHARED_KEY cipher=aes_128 integ=sha group=MODP1024}


>>> 2) The P1 lifetime expired; a new ISAKMP SA was established.



2018-10-10T21:16:00.000Z tuk1r1:10.9.x.x pluto warn - - - vpn-1200910:
"vnet_conn_vpn-1200910-tunnel-VPNRemoteRoutedSubnet-tunnel-0.0.0.0/0"
#2254: deleting state (STATE_QUICK_I2)

>>> 3) Even though the ESP SA has not expired yet, it seems the P1 expiration
triggers the system to delete the old ESP SA. No new ESP SA is negotiated at
this time because this end uses VNET; the connection can only be initiated by
the other end (a Checkpoint device). Somehow, the other end did not
initiate a new connection immediately. It looks like the other end still thinks the
old ESP SA is good and it sends traffic with the old ESP SA. Of course, the connection
is down now because of the unknown SA.



2018-10-10T21:16:02.000Z tuk1r1:10.9.x.x pluto warn - - - vpn-1200910:
"vnet_conn_vpn-1200910-tunnel-VPNRemoteRoutedSubnet-tunnel-0.0.0.0/0"[178]
y.y.y.y #2266: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xb1fc346e)
not found (maybe expired)


>>> 4) After some time, the other end realized (or P2 expired) that the SA was
not usable and it asked our end to delete the ESP SA. Of course, our end
cannot find it.


So, my question is: during step 3) above, what should be the correct
behavior based on the standards: delete the old ESP SA, or keep the old ESP SA available
for some time? Shouldn't there be some overlap between the two ESP SAs? I know that
if there is no P1 renegotiation involved, there will be overlap between the old
and new ESP SA.



Thanks,

Xinwei




On Fri, Oct 5, 2018 at 12:27 PM Paul Wouters <paul at nohats.ca> wrote:

> On Thu, 27 Sep 2018, Xinwei Hong wrote:
>
> > I have a VPN which would fail every 8 hours or so, at the time of phase
> 1 IKE expiration. Here is the config file:
> > config setup
>
> I don't see any errors in the logs. But 8h sounds like a lifetime /
> rekey issue. Maybe try default ikelifetime and salifetime values?
> Or set the ikelifetime= shorter than the salifetime ?
>
> Paul
>
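As an added example (not code from this post or from Libreswan), a small Python audit over constructed pluto lines modelled on the ones quoted above: it flags an IPsec SA that this end deleted before its lifetime while no replacement IPsec SA was up, and a peer Delete payload naming an SPI this end had already discarded, which is exactly the step 3)/4) gap. The shortened connection name, the 3600 s default lifetime and the trimmed syslog prefix are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the pluto lines quoted above (same timestamps,
# state numbers and SPIs; syslog prefix and long connection name are trimmed).
SAMPLE_LOG = """\
2018-10-10T20:30:56.000Z pluto: "vnet"[176] y.y.y.y #2254: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xb1fc346e <0xde8594db xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}
2018-10-10T21:16:00.000Z pluto: "vnet"[178] y.y.y.y #2266: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_128 integ=sha group=MODP1024}
2018-10-10T21:16:00.000Z pluto: "vnet" #2254: deleting state (STATE_QUICK_I2)
2018-10-10T21:16:02.000Z pluto: "vnet"[178] y.y.y.y #2266: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xb1fc346e) not found (maybe expired)
"""

TS = re.compile(r"^(\S+Z) ")
ESTABLISHED = re.compile(r"#(\d+): STATE_QUICK_\w+: .*IPsec SA established.*\{ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)")
DELETING = re.compile(r"#(\d+): deleting state \(STATE_QUICK_\w+\)")
PEER_DELETE = re.compile(r"ignoring Delete SA payload: PROTO_IPSEC_ESP SA\((0x[0-9a-f]+)\) not found")

def _ts(line):
    return datetime.strptime(TS.match(line).group(1), "%Y-%m-%dT%H:%M:%S.%fZ")

def audit_esp_sas(log_text, salifetime_s=3600):
    """Walk pluto lines in order; report IPsec SAs torn down early while no other
    IPsec SA is up, and peer Delete payloads for SPIs this end already dropped."""
    active = {}     # state number -> (established time, outbound SPI)
    deleted = {}    # outbound SPI -> time this end deleted the SA
    findings = []
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            active[m.group(1)] = (_ts(line), m.group(2))
            continue
        m = DELETING.search(line)
        if m and m.group(1) in active:
            born, spi = active.pop(m.group(1))
            now = _ts(line)
            deleted[spi] = now
            age = (now - born).total_seconds()
            if age < salifetime_s and not active:   # no IPsec SA left: tunnel is dark
                findings.append(("premature_delete_no_sa", spi, round(age)))
            continue
        m = PEER_DELETE.search(line)
        if m and m.group(1) in deleted:             # peer kept using an SA we removed
            lag = (_ts(line) - deleted[m.group(1)]).total_seconds()
            findings.append(("peer_still_used_deleted_sa", m.group(1), round(lag)))
    return findings

if __name__ == "__main__":
    for finding in audit_esp_sas(SAMPLE_LOG):
        print(*finding)
```

Run against a full pluto log the same way; the first finding marks the start of the outage window and its age shows how far short of salifetime the SA was cut.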