Bug #7439

IKE_SA (IKEv2) does not rekey on break-before-make strategy, just issues IKE_DELETE and connection is closed

Added by Reinis Adovics over 7 years ago. Updated almost 6 years ago.

Status: Closed
Priority: High
Category: IPsec
Target version: -
Start date: 03/31/2017
% Done: 0%
Affected Version: 2.4
Affected Architecture: amd64

Description

2.4.0-BETA-amd64-20170228-0411

Both MSW 10 and macOS 10.12 do not rekey IKE_SA with the break-before-make strategy (and I'm not trying nor wanting the make-before-break strategy).

Settings in GUI

DNS Resolver
Added IKEv2 MYIKECLASSBNET/24 to access lists

Certs
CA
Server cert
User with cert

VPN > IPsec > Mobile clients

IKE Extensions: Y
User Authentication: Local DB
Group authentication: none
Virtual Address Pool: Y (/24 network besides my Class B LAN)
Virtual IPv6 Address Pool: N
Network List: Y
Save Xauth Password: N
DNS Default Domain: Y (same as system domain)
Split DNS: N
DNS Servers: Y (pfSense IP)
WINS Servers: N
Phase2 PFS Group: N
Login Banner: N

VPN > IPsec > Pre-Shared Keys

Does not apply

VPN > IPsec > Advanced settings

Configure Unique IDs as: Y
IP Compression: N
Strict interface binding: N
Unencrypted payloads in IKEv1 Main Mode: N
Enable Maximum MSS: N
Enable Cisco Extensions: N
Strict CRL Checking: N
Make before Break: N (thus we are using break-before-make!)
Auto-exclude LAN address: Y

VPN > IPsec > Tunnels > Phase 1

Disabled: N
Key Exchange version: IKEv2
Internet Protocol: IPv4
Interface: WAN
Description: IKEv2 Phase 1 test
Authentication Method: EAP-TLS
My identifier: Distinguished name (DNS name of router)
Peer identifier: Any
My Certificate: corresponding server cert
Peer Certificate Authority: corresponding ca
Encryption Algorithm: AES-256
Hash Algorithm: SHA384
DH Group: 20 (ecp384)
Lifetime (Seconds): 28800
Disable rekey: N
Disable Reauth: N
Responder Only: N
MOBIKE: Enable
Split connections: N
Dead Peer Detection: Y
Delay: 10
Max failures: 5

VPN > IPsec > Tunnels > Phase 2

Disabled: N
Mode: Tunnel IPv4
Local network: Network 0.0.0.0/0
NAT/BINAT translation: None
Description: IKEv2 Phase 2 test
Protocol: ESP
Encryption Algorithms: AES-256
Hash Algorithms: SHA256
PFS key group: 20 (ecp384)
Lifetime: 3600 seconds
Automatically ping host: null

Firewall

IPsec pass.

Config file inspection

/var/etc/ipsec/ipsec.conf

# This file is automatically generated. Do not edit
config setup
    uniqueids = yes

conn bypasslan
    leftsubnet = MYCLASSBNET/21
    rightsubnet = MYCLASSBNET/21
    authby = never
    type = passthrough
    auto = route

conn con1
    fragmentation = yes
    keyexchange = ikev2
    reauth = yes
    forceencaps = no
    mobike = yes

    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = clear
    dpddelay = 10s
    dpdtimeout = 60s
    auto = add
    left = 192.168.10.100
    right = %any
    leftid = fqdn:XXXX
    ikelifetime = 28800s
    lifetime = 3600s
    rightsourceip = MYIKECLASSBNET/24
    ike = aes256-sha384-ecp384!
    esp = aes256-sha256-ecp384!
    eap_identity=%identity
    leftauth=pubkey
    rightauth=eap-tls
    leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
    leftsendcert=always
    rightca="/C=LV/ST=Riga/L=Riga/O=WARP/emailAddress=XXXXX/CN=XXXXX/"
    leftsubnet = 0.0.0.0/0

/var/etc/ipsec/strongswan.conf

# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten.
starter {
    load_warning = no
    config_file = /var/etc/ipsec/ipsec.conf
}

charon {
# number of worker threads in charon
    threads = 16
    ikesa_table_size = 32
    ikesa_table_segments = 4
    init_limit_half_open = 1000
    install_routes = no
    load_modular = yes
    ignore_acquire_ts = yes

    cisco_unity = no

    syslog {
        identifier = charon
        # log everything under daemon since it ends up in the same place regardless with our syslog.conf
        daemon {
            ike_name = yes
            dmn = 1
            mgr = 1
            ike = 2
            chd = 2
            job = 1
            cfg = 2
            knl = 1
            net = 1
            asn = 1
            enc = 1
            imc = 1
            imv = 1
            pts = 1
            tls = 1
            esp = 1
            lib = 1

        }
        # disable logging under auth so logs aren't duplicated
        auth {
            default = -1
        }
    }

    plugins {
        # Load defaults
        include /var/etc/ipsec/strongswan.d/charon/*.conf

        stroke {
            secrets_file = /var/etc/ipsec/ipsec.secrets
        }

        unity {
            load = no
        }
        attr {
            dns = 172.23.160.1
            subnet = 0.0.0.0/0
            split-include = 0.0.0.0/0
            # Search domain and default domain
            28674 = "warp" 
            28675 = "warp" 
        }
        xauth-generic {
            script = /etc/inc/ipsec.auth-user.php
            authcfg = Local Database
        }

    }
}

/usr/local/etc/swanctl/swanctl.conf

# Section defining IKE connection configurations.
# connections {

    # Section for an IKE connection named <conn>.
    # <conn> {

        # IKE major version to use for connection.
        # version = 0

        # Local address(es) to use for IKE communication, comma separated.
        # local_addrs = %any

        # Remote address(es) to use for IKE communication, comma separated.
        # remote_addrs = %any

        # Local UDP port for IKE communication.
        # local_port = 500

        # Remote UDP port for IKE communication.
        # remote_port = 500

        # Comma separated proposals to accept for IKE.
        # proposals = default

        # Virtual IPs to request in configuration payload / Mode Config.
        # vips =

        # Use Aggressive Mode in IKEv1.
        # aggressive = no

        # Set the Mode Config mode to use.
        # pull = yes

        # Enforce UDP encapsulation by faking NAT-D payloads.
        # encap = no

        # Enables MOBIKE on IKEv2 connections.
        # mobike = yes

        # Interval of liveness checks (DPD).
        # dpd_delay = 0s

        # Timeout for DPD checks (IKEV1 only).
        # dpd_timeout = 0s

        # Use IKE UDP datagram fragmentation.  (yes, no or force).
        # fragmentation = yes

        # Send certificate requests payloads (yes or no).
        # send_certreq = yes

        # Send certificate payloads (always, never or ifasked).
        # send_cert = ifasked

        # Number of retransmission sequences to perform during initial connect.
        # keyingtries = 1

        # Connection uniqueness policy (never, no, keep or replace).
        # unique = no

        # Time to schedule IKE reauthentication.
        # reauth_time = 0s

        # Time to schedule IKE rekeying.
        # rekey_time = 4h

        # Hard IKE_SA lifetime if rekey/reauth does not complete, as time.
        # over_time = 10% of rekey_time/reauth_time

        # Range of random time to subtract from rekey/reauth times.
        # rand_time = over_time

        # Comma separated list of named IP pools.
        # pools =

        # Section for a local authentication round.
        # local<suffix> {

            # Optional numeric identifier by which authentication rounds are
            # sorted.  If not specified rounds are ordered by their position in
            # the config file/VICI message.
            # round = 0

            # Comma separated list of certificate candidates to use for
            # authentication.
            # certs =

            # Comma separated list of raw public key candidates to use for
            # authentication.
            # pubkeys =

            # Authentication to perform locally (pubkey, psk, xauth[-backend] or
            # eap[-method]).
            # auth = pubkey

            # IKE identity to use for authentication round.
            # id =

            # Client EAP-Identity to use in EAP-Identity exchange and the EAP
            # method.
            # eap_id = id

            # Server side EAP-Identity to expect in the EAP method.
            # aaa_id = remote-id

            # Client XAuth username used in the XAuth exchange.
            # xauth_id = id

        # }

        # Section for a remote authentication round.
        # remote<suffix> {

            # Optional numeric identifier by which authentication rounds are
            # sorted.  If not specified rounds are ordered by their position in
            # the config file/VICI message.
            # round = 0

            # IKE identity to expect for authentication round.
            # id = %any

            # Authorization group memberships to require.
            # groups =

            # Comma separated list of certificate to accept for authentication.
            # certs =

            # Comma separated list of CA certificates to accept for
            # authentication.
            # cacerts =

            # Comma separated list of raw public keys to accept for
            # authentication.
            # pubkeys =

            # Certificate revocation policy, (strict, ifuri or relaxed).
            # revocation = relaxed

            # Authentication to expect from remote (pubkey, psk, xauth[-backend]
            # or eap[-method]).
            # auth = pubkey

        # }

        # children {

            # CHILD_SA configuration sub-section.
            # <child> {

                # AH proposals to offer for the CHILD_SA.
                # ah_proposals =

                # ESP proposals to offer for the CHILD_SA.
                # esp_proposals = default

                # Local traffic selectors to include in CHILD_SA.
                # local_ts = dynamic

                # Remote selectors to include in CHILD_SA.
                # remote_ts = dynamic

                # Time to schedule CHILD_SA rekeying.
                # rekey_time = 1h

                # Maximum lifetime before CHILD_SA gets closed, as time.
                # life_time = rekey_time + 10%

                # Range of random time to subtract from rekey_time.
                # rand_time = life_time - rekey_time

                # Number of bytes processed before initiating CHILD_SA rekeying.
                # rekey_bytes = 0

                # Maximum bytes processed before CHILD_SA gets closed.
                # life_bytes = rekey_bytes + 10%

                # Range of random bytes to subtract from rekey_bytes.
                # rand_bytes = life_bytes - rekey_bytes

                # Number of packets processed before initiating CHILD_SA
                # rekeying.
                # rekey_packets = 0

                # Maximum number of packets processed before CHILD_SA gets
                # closed.
                # life_packets = rekey_packets + 10%

                # Range of random packets to subtract from packets_bytes.
                # rand_packets = life_packets - rekey_packets

                # Updown script to invoke on CHILD_SA up and down events.
                # updown =

                # Hostaccess variable to pass to updown script.
                # hostaccess = yes

                # IPsec Mode to establish (tunnel, transport, beet, pass or
                # drop).
                # mode = tunnel

                # Whether to install IPsec policies or not.
                # policies = yes

                # Whether to install outbound FWD IPsec policies or not.
                # policies_fwd_out = no

                # Action to perform on DPD timeout (clear, trap or restart).
                # dpd_action = clear

                # Enable IPComp compression before encryption.
                # ipcomp = no

                # Timeout before closing CHILD_SA after inactivity.
                # inactivity = 0s

                # Fixed reqid to use for this CHILD_SA.
                # reqid = 0

                # Optional fixed priority for IPsec policies.
                # priority = 0

                # Optional interface name to restrict IPsec policies.
                # interface =

                # Netfilter mark and mask for input traffic.
                # mark_in = 0/0x00000000

                # Netfilter mark and mask for output traffic.
                # mark_out = 0/0x00000000

                # Traffic Flow Confidentiality padding.
                # tfc_padding = 0

                # IPsec replay window to configure for this CHILD_SA.
                # replay_window = 32

                # Action to perform after loading the configuration (none, trap,
                # start).
                # start_action = none

                # Action to perform after a CHILD_SA gets closed (none, trap,
                # start).
                # close_action = none

            # }

        # }

    # }

# }

# Section defining secrets for IKE/EAP/XAuth authentication and private key
# decryption.
# secrets {

    # EAP secret section for a specific secret.
    # eap<suffix> {

        # Value of the EAP/XAuth secret.
        # secret =

        # Identity the EAP/XAuth secret belongs to.
        # id<suffix> =

    # }

    # XAuth secret section for a specific secret.
    # xauth<suffix> {

    # }

    # IKE preshared secret section for a specific secret.
    # ike<suffix> {

        # Value of the IKE preshared secret.
        # secret =

        # IKE identity the IKE preshared secret belongs to.
        # id<suffix> =

    # }

    # Private key decryption passphrase for a key in the private folder.
    # private<suffix> {

        # File name in the private folder for which this passphrase should be
        # used.
        # file =

        # Value of decryption passphrase for private key.
        # secret =

    # }

    # Private key decryption passphrase for a key in the rsa folder.
    # rsa<suffix> {

        # File name in the rsa folder for which this passphrase should be used.
        # file =

        # Value of decryption passphrase for RSA key.
        # secret =

    # }

    # Private key decryption passphrase for a key in the ecdsa folder.
    # ecdsa<suffix> {

        # File name in the ecdsa folder for which this passphrase should be
        # used.
        # file =

        # Value of decryption passphrase for ECDSA key.
        # secret =

    # }

    # Private key decryption passphrase for a key in the pkcs8 folder.
    # pkcs8<suffix> {

        # File name in the pkcs8 folder for which this passphrase should be
        # used.
        # file =

        # Value of decryption passphrase for PKCS#8 key.
        # secret =

    # }

    # PKCS#12 decryption passphrase for a container in the pkcs12 folder.
    # pkcs12<suffix> {

        # File name in the pkcs12 folder for which this passphrase should be
        # used.
        # file =

        # Value of decryption passphrase for PKCS#12 container.
        # secret =

    # }

# }

# Section defining named pools.
# pools {

    # Section defining a single pool with a unique name.
    # <name> {

        # Addresses allocated in pool.
        # addrs =

        # Comma separated list of additional attributes from type <attr>.
        # <attr> =

    # }

# }

# Section defining attributes of certification authorities.
# authorities {

    # Section defining a certification authority with a unique name.
    # <name> {

        # CA certificate belonging to the certification authority.
        # cacert =

        # Comma-separated list of CRL distribution points
        # crl_uris =

        # Comma-separated list of OCSP URIs
        # ocsp_uris =

        # Defines the base URI for the Hash and URL feature supported by IKEv2.
        # cert_uri_base =

    # }

# }

/usr/local/etc/strongswan.d/swanctl.conf

swanctl {

    # Plugins to load in swanctl.
    # load =

}

Logs

On macOS the session was started on Mar 29 16:20:02

Throughout the connection it repeats DPD successfully, many times

Mar 29 16:41:12     charon          01[IKE] <con1|49> nothing to initiate
Mar 29 16:41:12     charon          01[IKE] <con1|49> activating new tasks
Mar 29 16:41:12     charon          01[ENC] <con1|49> parsed INFORMATIONAL response 32 [ ]
Mar 29 16:41:12     charon          01[NET] <con1|49> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (88 bytes)
Mar 29 16:41:12     charon          01[NET] <con1|49> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (88 bytes)
Mar 29 16:41:12     charon          01[ENC] <con1|49> generating INFORMATIONAL request 32 [ ]
Mar 29 16:41:12     charon          01[IKE] <con1|49> activating IKE_DPD task
Mar 29 16:41:12     charon          01[IKE] <con1|49> activating new tasks
Mar 29 16:41:12     charon          01[IKE] <con1|49> queueing IKE_DPD task
Mar 29 16:41:12     charon          01[IKE] <con1|49> sending DPD request

At 17:06 it rekeyed the child

Mar 29 17:06:05     charon          05[IKE] <con1|49> nothing to initiate
Mar 29 17:06:05     charon          05[IKE] <con1|49> activating new tasks
Mar 29 17:06:05     charon          05[KNL] <con1|49> unable to delete SAD entry with SPI 0be310f0: No such file or directory (2)
Mar 29 17:06:05     charon          05[IKE] <con1|49> CHILD_SA closed
Mar 29 17:06:05     charon          05[IKE] <con1|49> received DELETE for ESP CHILD_SA with SPI 0be310f0
Mar 29 17:06:05     charon          05[ENC] <con1|49> parsed INFORMATIONAL response 39 [ D ]
Mar 29 17:06:05     charon          05[NET] <con1|49> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (88 bytes)
Mar 29 17:06:05     charon          10[NET] <con1|49> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (88 bytes)
Mar 29 17:06:05     charon          10[ENC] <con1|49> generating INFORMATIONAL request 39 [ D ]
Mar 29 17:06:05     charon          10[IKE] <con1|49> sending DELETE for ESP CHILD_SA with SPI cce61ffb
Mar 29 17:06:05     charon          10[IKE] <con1|49> closing CHILD_SA con1{669} with SPIs cce61ffb_i (7759579923 bytes) 0be310f0_o (443892856 bytes) and TS 0.0.0.0/0|/0 === 172.23.152.1/32|/0
Mar 29 17:06:05     charon          10[IKE] <con1|49> CHILD_REKEY task
Mar 29 17:06:05     charon          10[IKE] <con1|49> reinitiating already active tasks
Mar 29 17:06:05     charon          10[IKE] <con1|49> CHILD_SA con1{670} established with SPIs cbd4ab9c_i 0af54a92_o and TS 0.0.0.0/0|/0 === 172.23.152.1/32|/0
Mar 29 17:06:05     charon          10[CHD] <con1|49> SPI 0x0af54a92, src 192.168.10.100 dst 192.168.10.121
Mar 29 17:06:05     charon          10[CHD] <con1|49> adding outbound ESP SA
Mar 29 17:06:05     charon          10[CHD] <con1|49> SPI 0xcbd4ab9c, src 192.168.10.121 dst 192.168.10.100
Mar 29 17:06:05     charon          10[CHD] <con1|49> adding inbound ESP SA
Mar 29 17:06:05     charon          10[CHD] <con1|49> using HMAC_SHA2_256_128 for integrity
Mar 29 17:06:05     charon          10[CHD] <con1|49> using AES_CBC for encryption
Mar 29 17:06:05     charon          10[CFG] <con1|49> config: 172.23.152.1/32|/0, received: 172.23.152.1/32|/0 => match: 172.23.152.1/32|/0
Mar 29 17:06:05     charon          10[CFG] <con1|49> selecting traffic selectors for other:
Mar 29 17:06:05     charon          10[CFG] <con1|49> config: 0.0.0.0/0|/0, received: 0.0.0.0/0|/0 => match: 0.0.0.0/0|/0
Mar 29 17:06:05     charon          10[CFG] <con1|49> selecting traffic selectors for us:
Mar 29 17:06:05     charon          10[CFG] <con1|49> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 17:06:05     charon          10[CFG] <con1|49> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 17:06:05     charon          10[CFG] <con1|49> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 17:06:05     charon          10[CFG] <con1|49> proposal matches
Mar 29 17:06:05     charon          10[CFG] <con1|49> selecting proposal:
Mar 29 17:06:05     charon          10[ENC] <con1|49> parsed CREATE_CHILD_SA response 38 [ SA No KE TSi TSr ]
Mar 29 17:06:05     charon          10[NET] <con1|49> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (312 bytes)
Mar 29 17:06:05     charon          10[NET] <con1|49> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (344 bytes)
Mar 29 17:06:05     charon          10[ENC] <con1|49> generating CREATE_CHILD_SA request 38 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Mar 29 17:06:05     charon          10[CFG] <con1|49> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 17:06:05     charon          10[CFG] <con1|49> 172.23.152.1/32|/0
Mar 29 17:06:05     charon          10[CFG] <con1|49> proposing traffic selectors for other:
Mar 29 17:06:05     charon          10[CFG] <con1|49> 0.0.0.0/0|/0
Mar 29 17:06:05     charon          10[CFG] <con1|49> proposing traffic selectors for us:
Mar 29 17:06:05     charon          10[IKE] <con1|49> establishing CHILD_SA con1{132}
Mar 29 17:06:05     charon          10[IKE] <con1|49> activating CHILD_REKEY task
Mar 29 17:06:05     charon          10[IKE] <con1|49> activating new tasks
Mar 29 17:06:05     charon          10[IKE] <con1|49> queueing CHILD_REKEY task
Mar 29 17:06:05     charon          14[KNL] creating rekey job for CHILD_SA ESP/0xcce61ffb/192.168.10.100

Every 10 minutes an informational request is sent

Mar 29 20:10:52     charon          14[NET] <con1|49> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (88 bytes)
Mar 29 20:10:52     charon          14[ENC] <con1|49> generating INFORMATIONAL response 33 [ ]
Mar 29 20:10:52     charon          14[ENC] <con1|49> parsed INFORMATIONAL request 33 [ ]
Mar 29 20:10:52     charon          14[NET] <con1|49> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (88 bytes)

Yet another (one of many) successful child rekey, many hours later

Mar 29 20:48:03     charon          07[IKE] <con1|49> nothing to initiate
Mar 29 20:48:03     charon          07[IKE] <con1|49> activating new tasks
Mar 29 20:48:03     charon          07[KNL] <con1|49> unable to delete SAD entry with SPI 0ec920e6: No such file or directory (2)
Mar 29 20:48:03     charon          07[IKE] <con1|49> CHILD_SA closed
Mar 29 20:48:03     charon          07[IKE] <con1|49> received DELETE for ESP CHILD_SA with SPI 0ec920e6
Mar 29 20:48:03     charon          07[ENC] <con1|49> parsed INFORMATIONAL response 49 [ D ]
Mar 29 20:48:03     charon          07[NET] <con1|49> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (88 bytes)
Mar 29 20:48:02     charon          07[NET] <con1|49> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (88 bytes)
Mar 29 20:48:02     charon          07[ENC] <con1|49> generating INFORMATIONAL request 49 [ D ]
Mar 29 20:48:02     charon          07[IKE] <con1|49> sending DELETE for ESP CHILD_SA with SPI c1b173c9
Mar 29 20:48:02     charon          07[IKE] <con1|49> closing CHILD_SA con1{674} with SPIs c1b173c9_i (29869507222 bytes) 0ec920e6_o (0 bytes) and TS 0.0.0.0/0|/0 === 172.23.152.1/32|/0
Mar 29 20:48:02     charon          07[KNL] <con1|49> unable to query SAD entry with SPI 0ec920e6: No such file or directory (2)
Mar 29 20:48:02     charon          07[IKE] <con1|49> CHILD_REKEY task
Mar 29 20:48:02     charon          07[IKE] <con1|49> reinitiating already active tasks
Mar 29 20:48:02     charon          07[KNL] <con1|49> unable to query SAD entry with SPI 0ec920e6: No such file or directory (2)
Mar 29 20:48:02     charon          07[IKE] <con1|49> CHILD_SA con1{675} established with SPIs c791946c_i 02777737_o and TS 0.0.0.0/0|/0 === 172.23.152.1/32|/0
Mar 29 20:48:02     charon          07[CHD] <con1|49> SPI 0x02777737, src 192.168.10.100 dst 192.168.10.121
Mar 29 20:48:02     charon          07[CHD] <con1|49> adding outbound ESP SA
Mar 29 20:48:02     charon          07[CHD] <con1|49> SPI 0xc791946c, src 192.168.10.121 dst 192.168.10.100
Mar 29 20:48:02     charon          07[CHD] <con1|49> adding inbound ESP SA
Mar 29 20:48:02     charon          07[CHD] <con1|49> using HMAC_SHA2_256_128 for integrity
Mar 29 20:48:02     charon          07[CHD] <con1|49> using AES_CBC for encryption
Mar 29 20:48:02     charon          07[CFG] <con1|49> config: 172.23.152.1/32|/0, received: 172.23.152.1/32|/0 => match: 172.23.152.1/32|/0
Mar 29 20:48:02     charon          07[CFG] <con1|49> selecting traffic selectors for other:
Mar 29 20:48:02     charon          07[CFG] <con1|49> config: 0.0.0.0/0|/0, received: 0.0.0.0/0|/0 => match: 0.0.0.0/0|/0
Mar 29 20:48:02     charon          07[CFG] <con1|49> selecting traffic selectors for us:
Mar 29 20:48:02     charon          07[CFG] <con1|49> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 20:48:02     charon          07[CFG] <con1|49> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 20:48:02     charon          07[CFG] <con1|49> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 20:48:02     charon          07[CFG] <con1|49> proposal matches
Mar 29 20:48:02     charon          07[CFG] <con1|49> selecting proposal:
Mar 29 20:48:02     charon          07[ENC] <con1|49> parsed CREATE_CHILD_SA response 48 [ SA No KE TSi TSr ]
Mar 29 20:48:02     charon          07[NET] <con1|49> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (312 bytes)
Mar 29 20:48:02     charon          07[NET] <con1|49> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (344 bytes)
Mar 29 20:48:02     charon          07[ENC] <con1|49> generating CREATE_CHILD_SA request 48 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Mar 29 20:48:02     charon          07[CFG] <con1|49> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 20:48:02     charon          07[CFG] <con1|49> 172.23.152.1/32|/0
Mar 29 20:48:02     charon          07[CFG] <con1|49> proposing traffic selectors for other:
Mar 29 20:48:02     charon          07[CFG] <con1|49> 0.0.0.0/0|/0
Mar 29 20:48:02     charon          07[CFG] <con1|49> proposing traffic selectors for us:
Mar 29 20:48:02     charon          07[IKE] <con1|49> establishing CHILD_SA con1{132}
Mar 29 20:48:02     charon          07[IKE] <con1|49> activating CHILD_REKEY task
Mar 29 20:48:02     charon          07[IKE] <con1|49> activating new tasks
Mar 29 20:48:02     charon          07[IKE] <con1|49> queueing CHILD_REKEY task
Mar 29 20:48:02     charon          05[KNL] creating rekey job for CHILD_SA ESP/0xc1b173c9/192.168.10.100

IKE_DPD tasks, still after ~8 hours of conn, seem to be getting ACKs from the client

Mar 30 00:14:47     charon          01[IKE] <con1|50> nothing to initiate
Mar 30 00:14:47     charon          01[IKE] <con1|50> activating new tasks
Mar 30 00:14:47     charon          01[ENC] <con1|50> parsed INFORMATIONAL response 152 [ ]
Mar 30 00:14:47     charon          01[NET] <con1|50> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (88 bytes)
Mar 30 00:14:47     charon          01[NET] <con1|50> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (88 bytes)
Mar 30 00:14:47     charon          01[ENC] <con1|50> generating INFORMATIONAL request 152 [ ]
Mar 30 00:14:47     charon          01[IKE] <con1|50> activating IKE_DPD task
Mar 30 00:14:47     charon          01[IKE] <con1|50> activating new tasks
Mar 30 00:14:47     charon          01[IKE] <con1|50> queueing IKE_DPD task
Mar 30 00:14:47     charon          01[IKE] <con1|50> sending DPD request

After 8 hours pfSense just deletes the conn (2 min after the previous DPD ack; deletion was not initiated by the client, these are the only logs)

Mar 30 00:16:33     charon          09[CFG] <con1|50> lease 172.23.152.1 by 'ikemaster' went offline
Mar 30 00:16:33     charon          09[IKE] <con1|50> IKE_SA con1[50] state change: DELETING => DESTROYING
Mar 30 00:16:33     charon          09[IKE] <con1|50> IKE_SA deleted
Mar 30 00:16:33     charon          09[ENC] <con1|50> parsed INFORMATIONAL response 156 [ ]
Mar 30 00:16:33     charon          09[NET] <con1|50> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (88 bytes)
Mar 30 00:16:33     charon          09[NET] <con1|50> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (88 bytes)
Mar 30 00:16:33     charon          09[ENC] <con1|50> generating INFORMATIONAL request 156 [ D ]
Mar 30 00:16:33     charon          09[IKE] <con1|50> sending DELETE for IKE_SA con1[50]
Mar 30 00:16:33     charon          09[IKE] <con1|50> IKE_SA con1[50] state change: ESTABLISHED => DELETING
Mar 30 00:16:33     charon          09[IKE] <con1|50> deleting IKE_SA con1[50] between 192.168.10.100[XXXXXX]...192.168.10.121[ikemaster]
Mar 30 00:16:33     charon          09[IKE] <con1|50> activating IKE_DELETE task
Mar 30 00:16:33     charon          09[IKE] <con1|50> activating new tasks
Mar 30 00:16:33     charon          09[IKE] <con1|50> queueing IKE_DELETE task

Throughout the test macOS was iperf'ing (set to 24h) one computer within the pfSense LAN as well as running a constant WAN stream (simply a video stream from YT).

Summary

This issue in the forums is here: [[https://forum.pfsense.org/index.php?topic=128023.0]]
Cert-based IKEv2 works smoothly on MSW10 (enabling DH20 via PowerShell) and on macOS/iOS (Apple Configurator profile). My client-side setup is discussed here: [[https://forum.pfsense.org/index.php?topic=127457.msg704054#msg704054]]

Phase 2 (CHILD_SA) rekeys with no issues whatsoever.
Phase 1 (IKE_SA) does not rekey.

Isn't there some stuff missing, as per [[https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#Settings]], namely:

rekey_time
reauth_time
over_time
rand_time

I tried find /usr/local/ -name '*' -exec grep -li 'rekey_time' {} \; and it shows up only in /usr/local/etc/swanctl/swanctl.conf, which is cited above and seems to be a commented-out template. find /var/etc/ipsec/strongswan.d/ -name '*' -exec grep -li 'rekey_time' {} \; gives nothing.

Due to this issue IKEv2 cannot be used for VPN.
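As an added example (not part of this report, of pfSense or of strongSwan), a small checker that walks charon log lines in the format quoted above and reports, per IKE_SA, whether CHILD_SA rekeys completed and whether the IKE_SA was deleted without an IKE_REKEY or IKE_REAUTH task ever being queued, which is the distinction the log excerpts above turn on. The sample lines are constructed to mirror the report; the IKE_REKEY and IKE_REAUTH task names are strongSwan's and are assumed to be logged as "queueing <TASK> task" like the tasks visible above.

```python
# Added example (not part of the report, pfSense or strongSwan): classify IKE_SA
# lifecycle events from charon log lines in the format quoted above.
import re
from collections import defaultdict
from datetime import datetime

# "Mar 29 17:06:05     charon          05[IKE] <con1|49> nothing to initiate"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+charon\s+"
    r"(?P<thread>\d+)\[(?P<group>\w+)\]\s+"
    r"(?:<(?P<conn>\w+)\|(?P<sa>\d+)>\s+)?(?P<msg>.*)$"
)
# Task names are strongSwan's (CHILD_REKEY, IKE_DPD, IKE_DELETE appear in the
# report; IKE_REKEY and IKE_REAUTH are assumed to be logged the same way).
TASK_RE = re.compile(r"queueing (?P<task>[A-Z_]+) task")
IKE_RENEW_TASKS = {"IKE_REKEY", "IKE_REAUTH"}


def parse_line(line):
    """Split one charon log line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog lines carry no year; relative ordering within a year is enough here
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec


def analyze(lines):
    """Per (conn, IKE_SA id): queued tasks, CHILD_SAs established, IKE delete seen."""
    sas = defaultdict(lambda: {"tasks": set(), "child_established": 0,
                               "ike_deleted": False, "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["sa"] is None:  # e.g. bare KNL "creating rekey job" lines
            continue
        s = sas[(rec["conn"], int(rec["sa"]))]
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
        task = TASK_RE.search(rec["msg"])
        if task:
            s["tasks"].add(task.group("task"))
        if rec["msg"].startswith("CHILD_SA") and "established with SPIs" in rec["msg"]:
            s["child_established"] += 1
        if rec["msg"].startswith("sending DELETE for IKE_SA"):
            s["ike_deleted"] = True
    return dict(sas)


def verdicts(summary):
    """One finding per IKE_SA: was it torn down without any rekey/reauth attempt?"""
    out = {}
    for key, s in summary.items():
        renewed = bool(s["tasks"] & IKE_RENEW_TASKS)
        if s["ike_deleted"] and not renewed:
            out[key] = "deleted without IKE_REKEY/IKE_REAUTH"
        elif renewed:
            out[key] = "rekey/reauth attempted"
        else:
            out[key] = "no IKE_SA lifecycle event"
    return out


# Constructed sample mirroring the report's lines (newest first, as pfSense shows them).
SAMPLE_LOG = [
    "Mar 30 00:16:33     charon          09[IKE] <con1|50> IKE_SA deleted",
    "Mar 30 00:16:33     charon          09[IKE] <con1|50> sending DELETE for IKE_SA con1[50]",
    "Mar 30 00:16:33     charon          09[IKE] <con1|50> queueing IKE_DELETE task",
    "Mar 30 00:14:47     charon          01[IKE] <con1|50> queueing IKE_DPD task",
    "Mar 29 17:06:05     charon          10[IKE] <con1|49> CHILD_SA con1{670} established with SPIs cbd4ab9c_i 0af54a92_o and TS 0.0.0.0/0|/0 === 172.23.152.1/32|/0",
    "Mar 29 17:06:05     charon          10[IKE] <con1|49> queueing CHILD_REKEY task",
    "Mar 29 17:06:05     charon          14[KNL] creating rekey job for CHILD_SA ESP/0xcce61ffb/192.168.10.100",
    "Mar 29 16:41:12     charon          01[IKE] <con1|49> queueing IKE_DPD task",
    # constructed: what an IKE_SA that does get reauthenticated would look like
    "Mar 30 08:00:00     charon          03[IKE] <con1|51> queueing IKE_REAUTH task",
]

if __name__ == "__main__":
    for key, finding in sorted(verdicts(analyze(SAMPLE_LOG)).items()):
        print(f"{key[0]}[{key[1]}]: {finding}")
```

Feed it the full charon log (the excerpts above are reverse-chronological, which the checker tolerates) to confirm for each IKE_SA id whether a rekey or reauthentication was ever attempted before the IKE_DELETE.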
