[Swan] SA lifetime duration
Kostya Vasilyev
kman at fastmail.com
Mon Feb 11 17:56:59 UTC 2019
On Mon, Feb 11, 2019, at 8:40 PM, Kostya Vasilyev wrote:
> Hello,
>
> I've got a strange, well, not sure if it's a problem, more of a question.
>
> My setup is Mikrtoik router client <-> libreswan server on Debian, IKEv1
> with certificate auth.
>
> Usually, watching SAs in Mikrtoik web UI and "ipsec status", there is a
> tendency to have 4 or even 6 SA's and for them to rotate / expire a few
> times a day.
>
> Now since maybe two days, I only got one pair of SAs - and it continues
> to accumulate more and more traffic stats in Mikrotik UI - that's how I
> know it's the same pair.
>
> On the server side I get messages like these from time to time:
>
> Feb 11 20:10:29 pluto[4767]: "mytunnel" #300: responding to Main Mode
> Feb 11 20:10:29 pluto[4767]: "mytunnel" #300: STATE_MAIN_R1: sent MR1,
> expecting MI2
> Feb 11 20:10:30 pluto[4767]: "mytunnel" #300: STATE_MAIN_R2: sent MR2,
> expecting MI3
> Feb 11 20:10:30 pluto[4767]: "mytunnel" #300: STATE_MAIN_R2:
> retransmission; will wait 0.5 seconds for response
> Feb 11 20:10:30 pluto[4767]: "mytunnel" #300: Peer ID is ID_DER_ASN1_DN:
> 'C=RU, L=Moscow, O=NewTunnel, OU=ac2'
> Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: certificate verified OK:
> OU=ac2,O=NewTunnel,L=Moscow,C=RU
> Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: Authenticated using RSA
> Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: I am sending my cert
> Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: STATE_MAIN_R3: sent MR3,
> ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_128
> integ=HMAC_SHA2_256 group=MODP2048}
> Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: retransmitting in response
> to duplicate packet; already STATE_MAIN_R3
> Feb 11 20:22:21 pluto[4767]: "mytunnel" #299: deleting state
> (STATE_MAIN_I4) and sending notification
>
>
> 000 Total IPsec connections: loaded 1, active 1
> 000
> 000 State Information: DDoS cookies not required, Accepting new IKE
> connections
> 000 IKE SAs: total(1), half-open(0), open(0), authenticated(1),
> anonymous(0)
> 000 IPsec SAs: total(1), authenticated(1), anonymous(0)
> 000
> 000 #290: "mytunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA
> established); EVENT_SA_REPLACE in 841s; newest IPSEC; eroute owner;
> isakmp#289; idle;
> 000 #290: "mytunnel" esp.a76f21d at 89.0.0.1 esp.366391ef at 139.0.0.1 ref=0
> refhim=0 Traffic: ESPin=544KB ESPout=23MB! ESPmax=4194303B
> 000 #300: "mytunnel":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
> established); EVENT_SA_REPLACE in 1661s; newest ISAKMP; lastdpd=17s(seq
> in:25740 out:0); idle;
>
> Now my question:
>
> Is this, like, normal? For a single pair of SA's to be used over such
> long time (days) and not be rotated?
>
> I thought (mistakenly) that SA's get replaced and part of rekeying process?
>
> Does this perhaps just mean that my Internet connection is more stable
> than before?
And just as I sent the above, there is a new pair of SA's - and a whole new connection (#301)?
Feb 11 20:52:20 pluto[4767]: "mytunnel" #301: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO to replace #290 {using isakmp#300 msgid:9da23ca9 proposal=AES_CBC_128-HMAC_SHA2_256_128-MODP2048 pfsgroup=MODP2048}
Feb 11 20:52:21 pluto[4767]: "mytunnel" #301: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x0ae5a560 <0x6ad1c975 xfrm=AES_CBC_128-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=active}
000 #290: "mytunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 496s; isakmp#289; idle;
000 #290: "mytunnel" esp.a76f21d at 89.0.0.1 esp.366391ef at 139.0.0.1 ref=0 refhim=0 Traffic: ESPin=553KB ESPout=23MB! ESPmax=4194303B
000 #300: "mytunnel":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 708s; newest ISAKMP; lastdpd=10s(seq in:25763 out:0); idle;
000 #301: "mytunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28023s; newest IPSEC; eroute owner; isakmp#300; idle;
000 #301: "mytunnel" esp.ae5a560 at 89.0.0.1 esp.6ad1c975 at 139.0.0.1 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
I know the old pair of SA's will expire in a while - and that traffic is using the new pair already.
But I'm still curious - what is going on?
Why are SA's replaced sometimes fast, sometimes slow?
Is there an connectivity issue between the client and the server?
Maybe they (client / server) can't agree on some sort of refresh interval?
Something else?
-- K
More information about the Swan
mailing list