<div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">Hi, and thank you so much, Paul, for your answer.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">We were thinking of upgrading it, so we are going to try it. Thanks for the compiled binary; I had just compiled it yesterday, but I prefer this way.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">Some questions that came to me with the upgrade option:</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">- Is it still needed to separate the rightsubnets? And do you create them in different files? I have understood that you create them in the same conf file.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">- Are the ikelifetime and salifetime for rekeying still a problem on version 4.4-1? I think it is recommended anyway.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">Thanks again,</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">Best regards!</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 15 Jun 2021 at 17:40, Paul Wouters (<<a href="mailto:paul@nohats.ca">paul@nohats.ca</a>>) wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Tue, 15 Jun 2021, Miguel Ponce Antolin wrote:<br>
<br>
> I have been suffering a random problem with libreswan v3.25 when connecting an AWS EC2 Instance running Libreswan and a Cisco ASA on the other end.<br>
<br>
Is it possible to test v4.4? We have rpms built on <a href="http://download.libreswan.org/binaries/" rel="noreferrer" target="_blank">download.libreswan.org/binaries/</a><br>
<br>
Specifically, with the many subnets you are likely needing this fix from 4.4:<br>
<br>
* IKEv2: Connections would not always switch when needed [Andrew/Paul]<br>
<br>
But the changelog between 3.25 and 4.4 is huge. There might be other<br>
items you need too.<br>
<br>
Alternatively, you can try and split up your subnets into different<br>
conns, e.g.:<br>
<br>
<br>
        conn vpn<br>
            type=tunnel<br>
            authby=secret<br>
            # use auto=ignore, will be read in via also= statements<br>
            auto=ignore<br>
            left=%defaultroute<br>
            leftid=xxx.xxx.xxx.120<br>
            leftsubnets=xxx.xxx.xxx.80/28<br>
            right=xxx.xxx.xxx.45<br>
            rightid=xxx.xxx.xxx.45<br>
            # no rightsubnet= here<br>
            # don't use this with more than one subnet:   leftsourceip=xxx.xxx.xxx.92<br>
            ikev2=insist<br>
            ike=aes256-sha2;dh14<br>
            esp=aes256-sha256<br>
            keyexchange=ike<br>
            ikelifetime=28800s<br>
            salifetime=28800s<br>
            dpddelay=30<br>
            dpdtimeout=120<br>
            dpdaction=restart<br>
            encapsulation=no<br>
<br>
        conn vpn-1<br>
            also=vpn<br>
            auto=start<br>
            rightsubnet=10.subnet.1.0/22<br>
<br>
        conn vpn-2<br>
            also=vpn<br>
            auto=start<br>
            rightsubnet=10.subnet.2.0/20<br>
<br>
        [...]<br>
<br>
        conn vpn-18<br>
            also=vpn<br>
            auto=start<br>
            rightsubnet=10.subnet.18.9/32<br>
<br>
<br>
This uses a slightly different code path to get all the tunnels loaded and active.<br>
<br>
> We tried to "force" to reconnect using the ping command to an IP in various rightsubnets but when the problem is active we continuously are seeing this<br>
> kind of logs:<br>
<br>
That would be hacky and not really solve race conditions.<br>
<br>
> Jun 11 11:17:25.795153: "vpn/1x15" #221: message id deadlock? wait sending, add to send next list using parent #165 unacknowledged 1 next message<br>
> id=63 ike exchange window 1<br>
<br>
Note that this is a bit of a concern. You can only have one IKE message<br>
outstanding, and this indicates that the Cisco might not be answering<br>
that outstanding message, and so the only thing libreswan can do is<br>
wait longer or restart _everything_ related to that IKE SA, so that<br>
means all tunnels. We did reduce the chance of message id deadlock<br>
at some point in the past with our pending() code, so again testing<br>
with an upgraded libreswan would be a useful test.<br>
<br>
> Is there any troubleshooting we could do in order to know where the rekey request is lost or why is not trying to rekey at all when this problem is<br>
> active?<br>
<br>
Depending on what the issues are, you can try to ensure either libreswan<br>
or Cisco is always the rekey initiator by tweaking the ikelifetime and<br>
salifetime. Eg try ikelifetime=24h with salifetime=8h and most likely<br>
Cisco will trigger all the rekeys. Or use ikelifetime=2h and<br>
salifetime=1h to make libreswan likely always initiate the rekeys.<br>
<br>
Paul<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><p><strong>Miguel Ponce Antolín</strong><br><span style="font-size:11px;color:black">Sistemas</span> · <a style="color:rgb(24,31,44);text-decoration:none" href="https://www.paradigmadigital.com/" target="_blank"><font size="1">paradig.ma</font></a></p></div></div></div></div></div></div>