[Swan] SA lifetime duration

Kostya Vasilyev kman at fastmail.com
Mon Feb 11 17:56:59 UTC 2019


On Mon, Feb 11, 2019, at 8:40 PM, Kostya Vasilyev wrote:
> Hello,
> 
> I've got a strange, well, not sure if it's a problem, more of a question.
> 
> My setup is Mikrotik router client <-> libreswan server on Debian, IKEv1 
> with certificate auth.
> 
> Usually, watching SAs in the Mikrotik web UI and "ipsec status", there is a 
> tendency to have 4 or even 6 SAs and for them to rotate / expire a few 
> times a day.
> 
> Now, for maybe two days, I've only had one pair of SAs - and it continues 
> to accumulate more and more traffic stats in the Mikrotik UI - that's how I 
> know it's the same pair.
> 
> On the server side I get messages like these from time to time:
> 
> Feb 11 20:10:29 pluto[4767]: "mytunnel" #300: responding to Main Mode
> Feb 11 20:10:29 pluto[4767]: "mytunnel" #300: STATE_MAIN_R1: sent MR1, 
> expecting MI2
> Feb 11 20:10:30 pluto[4767]: "mytunnel" #300: STATE_MAIN_R2: sent MR2, 
> expecting MI3
> Feb 11 20:10:30 pluto[4767]: "mytunnel" #300: STATE_MAIN_R2: 
> retransmission; will wait 0.5 seconds for response
> Feb 11 20:10:30 pluto[4767]: "mytunnel" #300: Peer ID is ID_DER_ASN1_DN: 
> 'C=RU, L=Moscow, O=NewTunnel, OU=ac2'
> Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: certificate verified OK: 
> OU=ac2,O=NewTunnel,L=Moscow,C=RU
> Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: Authenticated using RSA
> Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: I am sending my cert
> Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: STATE_MAIN_R3: sent MR3, 
> ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_128 
> integ=HMAC_SHA2_256 group=MODP2048}
> Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: retransmitting in response 
> to duplicate packet; already STATE_MAIN_R3
> Feb 11 20:22:21 pluto[4767]: "mytunnel" #299: deleting state 
> (STATE_MAIN_I4) and sending notification
> 
> 
> 000 Total IPsec connections: loaded 1, active 1
> 000  
> 000 State Information: DDoS cookies not required, Accepting new IKE 
> connections
> 000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), 
> anonymous(0)
> 000 IPsec SAs: total(1), authenticated(1), anonymous(0)
> 000  
> 000 #290: "mytunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA 
> established); EVENT_SA_REPLACE in 841s; newest IPSEC; eroute owner; 
> isakmp#289; idle;
> 000 #290: "mytunnel" esp.a76f21d at 89.0.0.1 esp.366391ef at 139.0.0.1 ref=0 
> refhim=0 Traffic: ESPin=544KB ESPout=23MB! ESPmax=4194303B 
> 000 #300: "mytunnel":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA 
> established); EVENT_SA_REPLACE in 1661s; newest ISAKMP; lastdpd=17s(seq 
> in:25740 out:0); idle;
> 
> Now my question:
> 
> Is this, like, normal? For a single pair of SAs to be used over such a 
> long time (days) and not be rotated?
> 
> I thought (mistakenly) that SAs get replaced as part of the rekeying process?
> 
> Does this perhaps just mean that my Internet connection is more stable 
> than before?

And just as I sent the above, there is a new pair of SAs - and a whole new connection (#301)?

Feb 11 20:52:20 pluto[4767]: "mytunnel" #301: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO to replace #290 {using isakmp#300 msgid:9da23ca9 proposal=AES_CBC_128-HMAC_SHA2_256_128-MODP2048 pfsgroup=MODP2048}
Feb 11 20:52:21 pluto[4767]: "mytunnel" #301: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x0ae5a560 <0x6ad1c975 xfrm=AES_CBC_128-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=active}

000 #290: "mytunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 496s; isakmp#289; idle;
000 #290: "mytunnel" esp.a76f21d at 89.0.0.1 esp.366391ef at 139.0.0.1 ref=0 refhim=0 Traffic: ESPin=553KB ESPout=23MB! ESPmax=4194303B 
000 #300: "mytunnel":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 708s; newest ISAKMP; lastdpd=10s(seq in:25763 out:0); idle;
000 #301: "mytunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28023s; newest IPSEC; eroute owner; isakmp#300; idle;
000 #301: "mytunnel" esp.ae5a560 at 89.0.0.1 esp.6ad1c975 at 139.0.0.1 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B 

I know the old pair of SAs will expire in a while - and that traffic is using the new pair already.

But I'm still curious - what is going on?

Why are SAs replaced sometimes fast, sometimes slow?

Is there a connectivity issue between the client and the server?

Maybe they (client / server) can't agree on some sort of refresh interval?

Something else?

-- K
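As an added example (not part of the post above and not libreswan's own code), here is a small Python parser for the `000 #N:` state lines that `ipsec status` prints, of the kind quoted in the message. It pairs each IPsec SA with the ISAKMP SA it runs under, tells replace (rekey) events apart from expire events, flags an IPsec SA whose parent IKE SA is no longer listed, and reports which SA is due to rotate next. The sample input is constructed from the status lines in the post; the mail archive shows " at " where pluto prints "@", and the regex accepts both. It assumes the line layout shown on the page, that `STATE_QUICK_*` marks an IKEv1 IPsec SA while `STATE_MAIN_*` marks the IKE SA, and that the first `esp.SPI` on a traffic line is the outbound one, as the post's `ESP=>0x0ae5a560 <0x6ad1c975` line suggests.

```python
"""Summarise SA rotation from libreswan `ipsec status` state lines (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the status lines quoted in the post, one record per line.
# The archive rendered pluto's "@" as " at "; TRAFFIC_RE accepts either form.
SAMPLE_STATUS = """\
000 #290: "mytunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 496s; isakmp#289; idle;
000 #290: "mytunnel" esp.a76f21d at 89.0.0.1 esp.366391ef at 139.0.0.1 ref=0 refhim=0 Traffic: ESPin=553KB ESPout=23MB! ESPmax=4194303B
000 #300: "mytunnel":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 708s; newest ISAKMP; lastdpd=10s(seq in:25763 out:0); idle;
000 #301: "mytunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28023s; newest IPSEC; eroute owner; isakmp#300; idle;
000 #301: "mytunnel" esp.ae5a560 at 89.0.0.1 esp.6ad1c975 at 139.0.0.1 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
"""

# State line: number, connection, state name, pending event and its timer.
STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) \([^)]*\); '
    r'EVENT_(?P<event>\w+) in (?P<secs>\d+)s;(?P<rest>.*)$'
)
# Traffic line: outbound SPI@peer, inbound SPI@self, then byte counters
# (assumption: first SPI is outbound, matching the post's "ESP=>out <in" line).
TRAFFIC_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)" esp\.(?P<spi_out>[0-9a-f]+)(?:@| at )(?P<peer>\S+) '
    r'esp\.(?P<spi_in>[0-9a-f]+)(?:@| at )\S+ .*Traffic: ESPin=(?P<espin>[0-9A-Za-z]+) '
    r'ESPout=(?P<espout>[0-9A-Za-z]+)'
)


@dataclass
class SA:
    num: int
    conn: str
    state: str
    event: str                 # "SA_REPLACE" (rekey) or "SA_EXPIRE" (retire)
    secs: int                  # seconds until that event fires
    parent: Optional[int]      # ISAKMP SA number for an IPsec SA, None for IKE SAs
    newest: bool
    eroute_owner: bool         # the IPsec SA currently carrying traffic
    spi_out: Optional[str] = None
    spi_in: Optional[str] = None
    esp_in: Optional[str] = None
    esp_out: Optional[str] = None

    @property
    def is_ipsec(self) -> bool:
        # IKEv1 child SAs are STATE_QUICK_*; STATE_MAIN_*/STATE_AGGR_* are IKE SAs.
        return self.state.startswith("STATE_QUICK_")


def parse_status(text: str) -> Dict[int, SA]:
    """Parse state and traffic lines into SA records keyed by state number."""
    sas: Dict[int, SA] = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            rest = m.group("rest")
            pm = re.search(r"isakmp#(\d+)", rest)
            num = int(m.group("num"))
            sas[num] = SA(
                num=num, conn=m.group("conn"), state=m.group("state"),
                event=m.group("event"), secs=int(m.group("secs")),
                parent=int(pm.group(1)) if pm else None,
                newest="newest" in rest, eroute_owner="eroute owner" in rest,
            )
            continue
        m = TRAFFIC_RE.match(line)
        if m:
            sa = sas.get(int(m.group("num")))
            if sa is not None:   # traffic line always follows its state line
                sa.spi_out, sa.spi_in = m.group("spi_out"), m.group("spi_in")
                sa.esp_in, sa.esp_out = m.group("espin"), m.group("espout")
    return sas


def current_ipsec_sa(sas: Dict[int, SA]) -> Optional[SA]:
    """The IPsec SA that owns the eroute, i.e. the one traffic actually uses."""
    return next((s for s in sas.values() if s.is_ipsec and s.eroute_owner), None)


def next_rotation(sas: Dict[int, SA]) -> Optional[Tuple[int, int]]:
    """(state number, seconds) of the soonest scheduled replace, or None."""
    due = [(s.secs, s.num) for s in sas.values() if s.event == "SA_REPLACE"]
    if not due:
        return None
    secs, num = min(due)
    return num, secs


def rotation_report(sas: Dict[int, SA]) -> List[str]:
    """One line per SA: what happens to it next, and whether its IKE SA is still around."""
    findings: List[str] = []
    for sa in sorted(sas.values(), key=lambda s: s.num):
        kind = "IPsec" if sa.is_ipsec else "IKE"
        what = {"SA_REPLACE": "rekey (replace)", "SA_EXPIRE": "expire"}.get(sa.event, sa.event)
        line = f"#{sa.num} {kind} {sa.state}: {what} in {sa.secs}s"
        if sa.eroute_owner:
            line += "; carries traffic (eroute owner)"
        if sa.is_ipsec:
            if sa.parent is None:
                line += "; no parent IKE SA recorded"
            elif sa.parent not in sas:
                line += f"; parent IKE SA #{sa.parent} no longer listed"
            else:
                line += f"; under IKE SA #{sa.parent}"
            if sa.esp_out is not None:
                line += f"; traffic in={sa.esp_in} out={sa.esp_out}"
        findings.append(line)
    return findings


if __name__ == "__main__":
    parsed = parse_status(SAMPLE_STATUS)
    print("\n".join(rotation_report(parsed)))
    print("next rotation:", next_rotation(parsed))
```

Run against the output of `ipsec status` on the server (or the sample above) to see, for each SA, whether it is waiting to be rekeyed or merely waiting to expire after a replacement, and which IKE SA it belongs to; an IPsec SA whose parent IKE SA is no longer in the list is the case the post's `#290 ... isakmp#289` line shows.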

