Bug #7439
Status: closed
IKE_SA (IKEv2) does not rekey on break-before-make strategy, just issues IKE_DELETE and connection is closed
Description
2.4.0-BETA-amd64-20170228-0411
Both MSW 10 and macOS 10.12 clients do not rekey the IKE_SA with the break-before-make strategy (and I am not trying, nor do I want, the make-before-break strategy).
Settings in GUI
DNS Resolver
Added IKEv2 MYIKECLASSBNET/24 to access lists
Certs
CA
Server cert
User with cert
VPN > IPsec > Mobile clients
IKE Extensions: Y
User Authentication: Local DB
Group authentication: none
Virtual Address Pool: Y (/24 network besides my Class B LAN)
Virtual IPv6 Address Pool: N
Network List: Y
Save Xauth Password: N
DNS Default Domain: Y (same as system domain)
Split DNS: N
DNS Servers: Y (pfSense IP)
WINS Servers: N
Phase2 PFS Group: N
Login Banner: N
VPN > IPsec > Pre-Shared Keys
Does not apply
VPN > IPsec > Advanced settings
Configure Unique IDs as: Y
IP Compression: N
Strict interface binding: N
Unencrypted payloads in IKEv1 Main Mode: N
Enable Maximum MSS: N
Enable Cisco Extensions: N
Strict CRL Checking: N
Make before Break: N (thus we are using break-before-make!)
Auto-exclude LAN address: Y
VPN > IPsec > Tunnels > Phase 1
Disabled: N
Key Exchange version: IKEv2
Internet Protocol: IPv4
Interface: WAN
Description: IKEv2 Phase 1 test
Authentication Method: EAP-TLS
My identifier: Distinguished name (DNS name of router)
Peer identifier: Any
My Certificate: corresponding server cert
Peer Certificate Authority: corresponding ca
Encryption Algorithm: AES-256
Hash Algorithm: SHA384
DH Group: 20 (ecp384)
Lifetime (Seconds): 28800
Disable rekey: N
Disable Reauth: N
Responder Only: N
MOBIKE: Enable
Split connections: N
Dead Peer Detection: Y
Delay: 10
Max failures: 5
VPN > IPsec > Tunnels > Phase 2
Disabled: N
Mode: Tunnel IPv4
Local network: Network 0.0.0.0/0
NAT/BINAT translation: None
Description: IKEv2 Phase 2 test
Protocol: ESP
Encryption Algorithms: AES-256
Hash Algorithms: SHA256
PFS key group: 20 (ecp384)
Lifetime: 3600 seconds
Automatically ping host: null
Firewall
IPsec pass.
Config file inspection
/var/etc/ipsec/ipsec.conf
# This file is automatically generated. Do not edit
config setup
    uniqueids = yes

conn bypasslan
    leftsubnet = MYCLASSBNET/21
    rightsubnet = MYCLASSBNET/21
    authby = never
    type = passthrough
    auto = route

conn con1
    fragmentation = yes
    keyexchange = ikev2
    reauth = yes
    forceencaps = no
    mobike = yes
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = clear
    dpddelay = 10s
    dpdtimeout = 60s
    auto = add
    left = 192.168.10.100
    right = %any
    leftid = fqdn:XXXX
    ikelifetime = 28800s
    lifetime = 3600s
    rightsourceip = MYIKECLASSBNET/24
    ike = aes256-sha384-ecp384!
    esp = aes256-sha256-ecp384!
    eap_identity=%identity
    leftauth=pubkey
    rightauth=eap-tls
    leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
    leftsendcert=always
    rightca="/C=LV/ST=Riga/L=Riga/O=WARP/emailAddress=XXXXX/CN=XXXXX/"
    leftsubnet = 0.0.0.0/0
/var/etc/ipsec/strongswan.conf
# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten.
starter {
    load_warning = no
    config_file = /var/etc/ipsec/ipsec.conf
}

charon {
    # number of worker threads in charon
    threads = 16
    ikesa_table_size = 32
    ikesa_table_segments = 4
    init_limit_half_open = 1000
    install_routes = no
    load_modular = yes
    ignore_acquire_ts = yes
    cisco_unity = no

    syslog {
        identifier = charon
        # log everything under daemon since it ends up in the same place regardless with our syslog.conf
        daemon {
            ike_name = yes
            dmn = 1
            mgr = 1
            ike = 2
            chd = 2
            job = 1
            cfg = 2
            knl = 1
            net = 1
            asn = 1
            enc = 1
            imc = 1
            imv = 1
            pts = 1
            tls = 1
            esp = 1
            lib = 1
        }
        # disable logging under auth so logs aren't duplicated
        auth {
            default = -1
        }
    }

    plugins {
        # Load defaults
        include /var/etc/ipsec/strongswan.d/charon/*.conf

        stroke {
            secrets_file = /var/etc/ipsec/ipsec.secrets
        }

        unity {
            load = no
        }

        attr {
            dns = 172.23.160.1
            subnet = 0.0.0.0/0
            split-include = 0.0.0.0/0
            # Search domain and default domain
            28674 = "warp"
            28675 = "warp"
        }

        xauth-generic {
            script = /etc/inc/ipsec.auth-user.php
            authcfg = Local Database
        }
    }
}
/usr/local/etc/swanctl/swanctl.conf
# Section defining IKE connection configurations.
# connections {

    # Section for an IKE connection named <conn>.
    # <conn> {

        # IKE major version to use for connection.
        # version = 0

        # Local address(es) to use for IKE communication, comma separated.
        # local_addrs = %any

        # Remote address(es) to use for IKE communication, comma separated.
        # remote_addrs = %any

        # Local UDP port for IKE communication.
        # local_port = 500

        # Remote UDP port for IKE communication.
        # remote_port = 500

        # Comma separated proposals to accept for IKE.
        # proposals = default

        # Virtual IPs to request in configuration payload / Mode Config.
        # vips =

        # Use Aggressive Mode in IKEv1.
        # aggressive = no

        # Set the Mode Config mode to use.
        # pull = yes

        # Enforce UDP encapsulation by faking NAT-D payloads.
        # encap = no

        # Enables MOBIKE on IKEv2 connections.
        # mobike = yes

        # Interval of liveness checks (DPD).
        # dpd_delay = 0s

        # Timeout for DPD checks (IKEV1 only).
        # dpd_timeout = 0s

        # Use IKE UDP datagram fragmentation. (yes, no or force).
        # fragmentation = yes

        # Send certificate requests payloads (yes or no).
        # send_certreq = yes

        # Send certificate payloads (always, never or ifasked).
        # send_cert = ifasked

        # Number of retransmission sequences to perform during initial connect.
        # keyingtries = 1

        # Connection uniqueness policy (never, no, keep or replace).
        # unique = no

        # Time to schedule IKE reauthentication.
        # reauth_time = 0s

        # Time to schedule IKE rekeying.
        # rekey_time = 4h

        # Hard IKE_SA lifetime if rekey/reauth does not complete, as time.
        # over_time = 10% of rekey_time/reauth_time

        # Range of random time to subtract from rekey/reauth times.
        # rand_time = over_time

        # Comma separated list of named IP pools.
        # pools =

        # Section for a local authentication round.
        # local<suffix> {

            # Optional numeric identifier by which authentication rounds are
            # sorted. If not specified rounds are ordered by their position in
            # the config file/VICI message.
            # round = 0

            # Comma separated list of certificate candidates to use for
            # authentication.
            # certs =

            # Comma separated list of raw public key candidates to use for
            # authentication.
            # pubkeys =

            # Authentication to perform locally (pubkey, psk, xauth[-backend] or
            # eap[-method]).
            # auth = pubkey

            # IKE identity to use for authentication round.
            # id =

            # Client EAP-Identity to use in EAP-Identity exchange and the EAP
            # method.
            # eap_id = id

            # Server side EAP-Identity to expect in the EAP method.
            # aaa_id = remote-id

            # Client XAuth username used in the XAuth exchange.
            # xauth_id = id

        # }

        # Section for a remote authentication round.
        # remote<suffix> {

            # Optional numeric identifier by which authentication rounds are
            # sorted. If not specified rounds are ordered by their position in
            # the config file/VICI message.
            # round = 0

            # IKE identity to expect for authentication round.
            # id = %any

            # Authorization group memberships to require.
            # groups =

            # Comma separated list of certificate to accept for authentication.
            # certs =

            # Comma separated list of CA certificates to accept for
            # authentication.
            # cacerts =

            # Comma separated list of raw public keys to accept for
            # authentication.
            # pubkeys =

            # Certificate revocation policy, (strict, ifuri or relaxed).
            # revocation = relaxed

            # Authentication to expect from remote (pubkey, psk, xauth[-backend]
            # or eap[-method]).
            # auth = pubkey

        # }

        # children {

            # CHILD_SA configuration sub-section.
            # <child> {

                # AH proposals to offer for the CHILD_SA.
                # ah_proposals =

                # ESP proposals to offer for the CHILD_SA.
                # esp_proposals = default

                # Local traffic selectors to include in CHILD_SA.
                # local_ts = dynamic

                # Remote selectors to include in CHILD_SA.
                # remote_ts = dynamic

                # Time to schedule CHILD_SA rekeying.
                # rekey_time = 1h

                # Maximum lifetime before CHILD_SA gets closed, as time.
                # life_time = rekey_time + 10%

                # Range of random time to subtract from rekey_time.
                # rand_time = life_time - rekey_time

                # Number of bytes processed before initiating CHILD_SA rekeying.
                # rekey_bytes = 0

                # Maximum bytes processed before CHILD_SA gets closed.
                # life_bytes = rekey_bytes + 10%

                # Range of random bytes to subtract from rekey_bytes.
                # rand_bytes = life_bytes - rekey_bytes

                # Number of packets processed before initiating CHILD_SA
                # rekeying.
                # rekey_packets = 0

                # Maximum number of packets processed before CHILD_SA gets
                # closed.
                # life_packets = rekey_packets + 10%

                # Range of random packets to subtract from packets_bytes.
                # rand_packets = life_packets - rekey_packets

                # Updown script to invoke on CHILD_SA up and down events.
                # updown =

                # Hostaccess variable to pass to updown script.
                # hostaccess = yes

                # IPsec Mode to establish (tunnel, transport, beet, pass or
                # drop).
                # mode = tunnel

                # Whether to install IPsec policies or not.
                # policies = yes

                # Whether to install outbound FWD IPsec policies or not.
                # policies_fwd_out = no

                # Action to perform on DPD timeout (clear, trap or restart).
                # dpd_action = clear

                # Enable IPComp compression before encryption.
                # ipcomp = no

                # Timeout before closing CHILD_SA after inactivity.
                # inactivity = 0s

                # Fixed reqid to use for this CHILD_SA.
                # reqid = 0

                # Optional fixed priority for IPsec policies.
                # priority = 0

                # Optional interface name to restrict IPsec policies.
                # interface =

                # Netfilter mark and mask for input traffic.
                # mark_in = 0/0x00000000

                # Netfilter mark and mask for output traffic.
                # mark_out = 0/0x00000000

                # Traffic Flow Confidentiality padding.
                # tfc_padding = 0

                # IPsec replay window to configure for this CHILD_SA.
                # replay_window = 32

                # Action to perform after loading the configuration (none, trap,
                # start).
                # start_action = none

                # Action to perform after a CHILD_SA gets closed (none, trap,
                # start).
                # close_action = none

            # }

        # }

    # }

# }

# Section defining secrets for IKE/EAP/XAuth authentication and private key
# decryption.
# secrets {

    # EAP secret section for a specific secret.
    # eap<suffix> {

        # Value of the EAP/XAuth secret.
        # secret =

        # Identity the EAP/XAuth secret belongs to.
        # id<suffix> =

    # }

    # XAuth secret section for a specific secret.
    # xauth<suffix> {

    # }

    # IKE preshared secret section for a specific secret.
    # ike<suffix> {

        # Value of the IKE preshared secret.
        # secret =

        # IKE identity the IKE preshared secret belongs to.
        # id<suffix> =

    # }

    # Private key decryption passphrase for a key in the private folder.
    # private<suffix> {

        # File name in the private folder for which this passphrase should be
        # used.
        # file =

        # Value of decryption passphrase for private key.
        # secret =

    # }

    # Private key decryption passphrase for a key in the rsa folder.
    # rsa<suffix> {

        # File name in the rsa folder for which this passphrase should be used.
        # file =

        # Value of decryption passphrase for RSA key.
        # secret =

    # }

    # Private key decryption passphrase for a key in the ecdsa folder.
    # ecdsa<suffix> {

        # File name in the ecdsa folder for which this passphrase should be
        # used.
        # file =

        # Value of decryption passphrase for ECDSA key.
        # secret =

    # }

    # Private key decryption passphrase for a key in the pkcs8 folder.
    # pkcs8<suffix> {

        # File name in the pkcs8 folder for which this passphrase should be
        # used.
        # file =

        # Value of decryption passphrase for PKCS#8 key.
        # secret =

    # }

    # PKCS#12 decryption passphrase for a container in the pkcs12 folder.
    # pkcs12<suffix> {

        # File name in the pkcs12 folder for which this passphrase should be
        # used.
        # file =

        # Value of decryption passphrase for PKCS#12 container.
        # secret =

    # }

# }

# Section defining named pools.
# pools {

    # Section defining a single pool with a unique name.
    # <name> {

        # Addresses allocated in pool.
        # addrs =

        # Comma separated list of additional attributes from type <attr>.
        # <attr> =

    # }

# }

# Section defining attributes of certification authorities.
# authorities {

    # Section defining a certification authority with a unique name.
    # <name> {

        # CA certificate belonging to the certification authority.
        # cacert =

        # Comma-separated list of CRL distribution points
        # crl_uris =

        # Comma-separated list of OCSP URIs
        # ocsp_uris =

        # Defines the base URI for the Hash and URL feature supported by IKEv2.
        # cert_uri_base =

    # }

# }
/usr/local/etc/strongswan.d/swanctl.conf
swanctl {
    # Plugins to load in swanctl.
    # load =
}
Logs
On macOS the session was started on Mar 29 16:20:02.
Throughout the connection it repeats DPD successfully, many times:
Mar 29 16:41:12 charon 01[IKE] <con1|49> nothing to initiate
Mar 29 16:41:12 charon 01[IKE] <con1|49> activating new tasks
Mar 29 16:41:12 charon 01[ENC] <con1|49> parsed INFORMATIONAL response 32 [ ]
Mar 29 16:41:12 charon 01[NET] <con1|49> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (88 bytes)
Mar 29 16:41:12 charon 01[NET] <con1|49> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (88 bytes)
Mar 29 16:41:12 charon 01[ENC] <con1|49> generating INFORMATIONAL request 32 [ ]
Mar 29 16:41:12 charon 01[IKE] <con1|49> activating IKE_DPD task
Mar 29 16:41:12 charon 01[IKE] <con1|49> activating new tasks
Mar 29 16:41:12 charon 01[IKE] <con1|49> queueing IKE_DPD task
Mar 29 16:41:12 charon 01[IKE] <con1|49> sending DPD request
At 17:06 it rekeyed the child SA:
Mar 29 17:06:05 charon 05[IKE] <con1|49> nothing to initiate
Mar 29 17:06:05 charon 05[IKE] <con1|49> activating new tasks
Mar 29 17:06:05 charon 05[KNL] <con1|49> unable to delete SAD entry with SPI 0be310f0: No such file or directory (2)
Mar 29 17:06:05 charon 05[IKE] <con1|49> CHILD_SA closed
Mar 29 17:06:05 charon 05[IKE] <con1|49> received DELETE for ESP CHILD_SA with SPI 0be310f0
Mar 29 17:06:05 charon 05[ENC] <con1|49> parsed INFORMATIONAL response 39 [ D ]
Mar 29 17:06:05 charon 05[NET] <con1|49> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (88 bytes)
Mar 29 17:06:05 charon 10[NET] <con1|49> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (88 bytes)
Mar 29 17:06:05 charon 10[ENC] <con1|49> generating INFORMATIONAL request 39 [ D ]
Mar 29 17:06:05 charon 10[IKE] <con1|49> sending DELETE for ESP CHILD_SA with SPI cce61ffb
Mar 29 17:06:05 charon 10[IKE] <con1|49> closing CHILD_SA con1{669} with SPIs cce61ffb_i (7759579923 bytes) 0be310f0_o (443892856 bytes) and TS 0.0.0.0/0|/0 === 172.23.152.1/32|/0
Mar 29 17:06:05 charon 10[IKE] <con1|49> CHILD_REKEY task
Mar 29 17:06:05 charon 10[IKE] <con1|49> reinitiating already active tasks
Mar 29 17:06:05 charon 10[IKE] <con1|49> CHILD_SA con1{670} established with SPIs cbd4ab9c_i 0af54a92_o and TS 0.0.0.0/0|/0 === 172.23.152.1/32|/0
Mar 29 17:06:05 charon 10[CHD] <con1|49> SPI 0x0af54a92, src 192.168.10.100 dst 192.168.10.121
Mar 29 17:06:05 charon 10[CHD] <con1|49> adding outbound ESP SA
Mar 29 17:06:05 charon 10[CHD] <con1|49> SPI 0xcbd4ab9c, src 192.168.10.121 dst 192.168.10.100
Mar 29 17:06:05 charon 10[CHD] <con1|49> adding inbound ESP SA
Mar 29 17:06:05 charon 10[CHD] <con1|49> using HMAC_SHA2_256_128 for integrity
Mar 29 17:06:05 charon 10[CHD] <con1|49> using AES_CBC for encryption
Mar 29 17:06:05 charon 10[CFG] <con1|49> config: 172.23.152.1/32|/0, received: 172.23.152.1/32|/0 => match: 172.23.152.1/32|/0
Mar 29 17:06:05 charon 10[CFG] <con1|49> selecting traffic selectors for other:
Mar 29 17:06:05 charon 10[CFG] <con1|49> config: 0.0.0.0/0|/0, received: 0.0.0.0/0|/0 => match: 0.0.0.0/0|/0
Mar 29 17:06:05 charon 10[CFG] <con1|49> selecting traffic selectors for us:
Mar 29 17:06:05 charon 10[CFG] <con1|49> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 17:06:05 charon 10[CFG] <con1|49> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 17:06:05 charon 10[CFG] <con1|49> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 17:06:05 charon 10[CFG] <con1|49> proposal matches
Mar 29 17:06:05 charon 10[CFG] <con1|49> selecting proposal:
Mar 29 17:06:05 charon 10[ENC] <con1|49> parsed CREATE_CHILD_SA response 38 [ SA No KE TSi TSr ]
Mar 29 17:06:05 charon 10[NET] <con1|49> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (312 bytes)
Mar 29 17:06:05 charon 10[NET] <con1|49> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (344 bytes)
Mar 29 17:06:05 charon 10[ENC] <con1|49> generating CREATE_CHILD_SA request 38 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Mar 29 17:06:05 charon 10[CFG] <con1|49> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 17:06:05 charon 10[CFG] <con1|49> 172.23.152.1/32|/0
Mar 29 17:06:05 charon 10[CFG] <con1|49> proposing traffic selectors for other:
Mar 29 17:06:05 charon 10[CFG] <con1|49> 0.0.0.0/0|/0
Mar 29 17:06:05 charon 10[CFG] <con1|49> proposing traffic selectors for us:
Mar 29 17:06:05 charon 10[IKE] <con1|49> establishing CHILD_SA con1{132}
Mar 29 17:06:05 charon 10[IKE] <con1|49> activating CHILD_REKEY task
Mar 29 17:06:05 charon 10[IKE] <con1|49> activating new tasks
Mar 29 17:06:05 charon 10[IKE] <con1|49> queueing CHILD_REKEY task
Mar 29 17:06:05 charon 14[KNL] creating rekey job for CHILD_SA ESP/0xcce61ffb/192.168.10.100
Every 10 minutes an informational request is sent:
Mar 29 20:10:52 charon 14[NET] <con1|49> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (88 bytes)
Mar 29 20:10:52 charon 14[ENC] <con1|49> generating INFORMATIONAL response 33 [ ]
Mar 29 20:10:52 charon 14[ENC] <con1|49> parsed INFORMATIONAL request 33 [ ]
Mar 29 20:10:52 charon 14[NET] <con1|49> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (88 bytes)
Yet another (one of many) successful child rekey, hours later:
Mar 29 20:48:03 charon 07[IKE] <con1|49> nothing to initiate
Mar 29 20:48:03 charon 07[IKE] <con1|49> activating new tasks
Mar 29 20:48:03 charon 07[KNL] <con1|49> unable to delete SAD entry with SPI 0ec920e6: No such file or directory (2)
Mar 29 20:48:03 charon 07[IKE] <con1|49> CHILD_SA closed
Mar 29 20:48:03 charon 07[IKE] <con1|49> received DELETE for ESP CHILD_SA with SPI 0ec920e6
Mar 29 20:48:03 charon 07[ENC] <con1|49> parsed INFORMATIONAL response 49 [ D ]
Mar 29 20:48:03 charon 07[NET] <con1|49> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (88 bytes)
Mar 29 20:48:02 charon 07[NET] <con1|49> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (88 bytes)
Mar 29 20:48:02 charon 07[ENC] <con1|49> generating INFORMATIONAL request 49 [ D ]
Mar 29 20:48:02 charon 07[IKE] <con1|49> sending DELETE for ESP CHILD_SA with SPI c1b173c9
Mar 29 20:48:02 charon 07[IKE] <con1|49> closing CHILD_SA con1{674} with SPIs c1b173c9_i (29869507222 bytes) 0ec920e6_o (0 bytes) and TS 0.0.0.0/0|/0 === 172.23.152.1/32|/0
Mar 29 20:48:02 charon 07[KNL] <con1|49> unable to query SAD entry with SPI 0ec920e6: No such file or directory (2)
Mar 29 20:48:02 charon 07[IKE] <con1|49> CHILD_REKEY task
Mar 29 20:48:02 charon 07[IKE] <con1|49> reinitiating already active tasks
Mar 29 20:48:02 charon 07[KNL] <con1|49> unable to query SAD entry with SPI 0ec920e6: No such file or directory (2)
Mar 29 20:48:02 charon 07[IKE] <con1|49> CHILD_SA con1{675} established with SPIs c791946c_i 02777737_o and TS 0.0.0.0/0|/0 === 172.23.152.1/32|/0
Mar 29 20:48:02 charon 07[CHD] <con1|49> SPI 0x02777737, src 192.168.10.100 dst 192.168.10.121
Mar 29 20:48:02 charon 07[CHD] <con1|49> adding outbound ESP SA
Mar 29 20:48:02 charon 07[CHD] <con1|49> SPI 0xc791946c, src 192.168.10.121 dst 192.168.10.100
Mar 29 20:48:02 charon 07[CHD] <con1|49> adding inbound ESP SA
Mar 29 20:48:02 charon 07[CHD] <con1|49> using HMAC_SHA2_256_128 for integrity
Mar 29 20:48:02 charon 07[CHD] <con1|49> using AES_CBC for encryption
Mar 29 20:48:02 charon 07[CFG] <con1|49> config: 172.23.152.1/32|/0, received: 172.23.152.1/32|/0 => match: 172.23.152.1/32|/0
Mar 29 20:48:02 charon 07[CFG] <con1|49> selecting traffic selectors for other:
Mar 29 20:48:02 charon 07[CFG] <con1|49> config: 0.0.0.0/0|/0, received: 0.0.0.0/0|/0 => match: 0.0.0.0/0|/0
Mar 29 20:48:02 charon 07[CFG] <con1|49> selecting traffic selectors for us:
Mar 29 20:48:02 charon 07[CFG] <con1|49> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 20:48:02 charon 07[CFG] <con1|49> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 20:48:02 charon 07[CFG] <con1|49> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 20:48:02 charon 07[CFG] <con1|49> proposal matches
Mar 29 20:48:02 charon 07[CFG] <con1|49> selecting proposal:
Mar 29 20:48:02 charon 07[ENC] <con1|49> parsed CREATE_CHILD_SA response 48 [ SA No KE TSi TSr ]
Mar 29 20:48:02 charon 07[NET] <con1|49> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (312 bytes)
Mar 29 20:48:02 charon 07[NET] <con1|49> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (344 bytes)
Mar 29 20:48:02 charon 07[ENC] <con1|49> generating CREATE_CHILD_SA request 48 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Mar 29 20:48:02 charon 07[CFG] <con1|49> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 20:48:02 charon 07[CFG] <con1|49> 172.23.152.1/32|/0
Mar 29 20:48:02 charon 07[CFG] <con1|49> proposing traffic selectors for other:
Mar 29 20:48:02 charon 07[CFG] <con1|49> 0.0.0.0/0|/0
Mar 29 20:48:02 charon 07[CFG] <con1|49> proposing traffic selectors for us:
Mar 29 20:48:02 charon 07[IKE] <con1|49> establishing CHILD_SA con1{132}
Mar 29 20:48:02 charon 07[IKE] <con1|49> activating CHILD_REKEY task
Mar 29 20:48:02 charon 07[IKE] <con1|49> activating new tasks
Mar 29 20:48:02 charon 07[IKE] <con1|49> queueing CHILD_REKEY task
Mar 29 20:48:02 charon 05[KNL] creating rekey job for CHILD_SA ESP/0xc1b173c9/192.168.10.100
IKE_DPD tasks still seem to get an ACK from the client after ~8 hours of connection:
Mar 30 00:14:47 charon 01[IKE] <con1|50> nothing to initiate
Mar 30 00:14:47 charon 01[IKE] <con1|50> activating new tasks
Mar 30 00:14:47 charon 01[ENC] <con1|50> parsed INFORMATIONAL response 152 [ ]
Mar 30 00:14:47 charon 01[NET] <con1|50> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (88 bytes)
Mar 30 00:14:47 charon 01[NET] <con1|50> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (88 bytes)
Mar 30 00:14:47 charon 01[ENC] <con1|50> generating INFORMATIONAL request 152 [ ]
Mar 30 00:14:47 charon 01[IKE] <con1|50> activating IKE_DPD task
Mar 30 00:14:47 charon 01[IKE] <con1|50> activating new tasks
Mar 30 00:14:47 charon 01[IKE] <con1|50> queueing IKE_DPD task
Mar 30 00:14:47 charon 01[IKE] <con1|50> sending DPD request
After 8 hours pfSense just deletes the connection (2 min after the previous DPD ack; the deletion was not initiated by the client, and these are the only logs):
Mar 30 00:16:33 charon 09[CFG] <con1|50> lease 172.23.152.1 by 'ikemaster' went offline
Mar 30 00:16:33 charon 09[IKE] <con1|50> IKE_SA con1[50] state change: DELETING => DESTROYING
Mar 30 00:16:33 charon 09[IKE] <con1|50> IKE_SA deleted
Mar 30 00:16:33 charon 09[ENC] <con1|50> parsed INFORMATIONAL response 156 [ ]
Mar 30 00:16:33 charon 09[NET] <con1|50> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (88 bytes)
Mar 30 00:16:33 charon 09[NET] <con1|50> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (88 bytes)
Mar 30 00:16:33 charon 09[ENC] <con1|50> generating INFORMATIONAL request 156 [ D ]
Mar 30 00:16:33 charon 09[IKE] <con1|50> sending DELETE for IKE_SA con1[50]
Mar 30 00:16:33 charon 09[IKE] <con1|50> IKE_SA con1[50] state change: ESTABLISHED => DELETING
Mar 30 00:16:33 charon 09[IKE] <con1|50> deleting IKE_SA con1[50] between 192.168.10.100[XXXXXX]...192.168.10.121[ikemaster]
Mar 30 00:16:33 charon 09[IKE] <con1|50> activating IKE_DELETE task
Mar 30 00:16:33 charon 09[IKE] <con1|50> activating new tasks
Mar 30 00:16:33 charon 09[IKE] <con1|50> queueing IKE_DELETE task
Throughout the test, macOS was running iperf (set to 24h) against one computer within the pfSense LAN, as well as a constant WAN stream (simply a video stream from YouTube).
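The excerpts above contain CHILD_REKEY tasks but no IKE_REKEY or IKE_REAUTH task on IKE_SA con1[50] before its IKE_DELETE; note also that in ipsec.conf `reauth = yes` (present in the generated con1 section) makes strongSwan reauthenticate, i.e. set up a fresh IKE_SA, when `ikelifetime` expires, rather than rekey the IKE_SA in place. The following is an added example, not code from this report, pfSense or strongSwan: a Python checker that groups charon log lines by IKE_SA, counts the tasks each one activated, and flags any IKE_SA that was deleted without an IKE_REKEY/IKE_REAUTH task, reporting how close the teardown came to the configured ikelifetime. SAMPLE_LOG is constructed in the report's log format with placeholder addresses, identities and SA numbers, and the 90% "near lifetime" threshold is an assumption of this example.

```python
"""Flag IKE_SAs in a strongSwan charon log that were torn down without an
IKE_SA rekey or reauthentication, the pattern described in the report.

Added example, not code from the bug report, pfSense or strongSwan.
SAMPLE_LOG is constructed to mirror the report's log format; addresses,
identities and SA numbers are placeholders.
"""
import re
from collections import Counter
from datetime import datetime

# e.g. "Mar 29 17:06:05 charon 10[IKE] <con1|49> activating CHILD_REKEY task"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) charon "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"(?:<(?P<conn>[^|>]+)\|(?P<id>\d+)> )?(?P<msg>.*)$"
)
TASK_RE = re.compile(r"activating (?P<task>[A-Z_]+) task")


def parse_line(line):
    """Return the fields of one charon syslog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; strptime fills in 1900, which is fine
    # for durations inside one capture that does not cross a year boundary
    rec["ts"] = datetime.strptime(" ".join(rec["ts"].split()), "%b %d %H:%M:%S")
    rec["id"] = int(rec["id"]) if rec["id"] is not None else None
    return rec


def analyse(lines, ike_lifetime_s=28800, near_lifetime=0.9):
    """Summarise every IKE_SA seen in `lines`; return (summaries, findings).

    ike_lifetime_s is the configured ikelifetime (28800s in the report).
    near_lifetime is a heuristic (assumption of this example): a deletion
    later than this fraction of the lifetime, with no IKE_REKEY/IKE_REAUTH
    task, looks like an expiry-driven teardown rather than a DPD-driven or
    peer-initiated one.
    """
    sas = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["id"] is None:
            continue  # unparsable, or not tied to an IKE_SA (e.g. KNL rekey jobs)
        name = f"{rec['conn']}[{rec['id']}]"
        sa = sas.setdefault(name, {
            "first": rec["ts"], "last": rec["ts"], "tasks": Counter(),
            "deleted": False, "delete_sent_locally": False,
        })
        # order-independent: the report's log viewer lists newest lines first
        sa["first"] = min(sa["first"], rec["ts"])
        sa["last"] = max(sa["last"], rec["ts"])
        task = TASK_RE.search(rec["msg"])
        if task:
            sa["tasks"][task.group("task")] += 1
        if rec["msg"].startswith("sending DELETE for IKE_SA"):
            sa["delete_sent_locally"] = True
        if rec["msg"] == "IKE_SA deleted":
            sa["deleted"] = True

    findings = []
    for name, sa in sas.items():
        sa["duration_s"] = int((sa["last"] - sa["first"]).total_seconds())
        sa["child_rekeys"] = sa["tasks"]["CHILD_REKEY"]
        sa["ike_rekeys"] = sa["tasks"]["IKE_REKEY"] + sa["tasks"]["IKE_REAUTH"]
        if sa["deleted"] and sa["ike_rekeys"] == 0:
            reason = f"deleted after {sa['duration_s']}s without IKE_REKEY/IKE_REAUTH"
            if sa["duration_s"] >= near_lifetime * ike_lifetime_s:
                reason += f" (~{sa['duration_s'] / ike_lifetime_s:.0%} of ikelifetime)"
            if sa["delete_sent_locally"]:
                reason += "; DELETE was sent by this side"
            findings.append((name, reason))
    return sas, findings


# Constructed sample: con1[50] mirrors the report (child rekeys, DPD, then a
# locally sent IKE_DELETE at ~8h); con1[51] is a healthy SA that was rekeyed.
SAMPLE_LOG = """\
Mar 29 16:20:02 charon 03[IKE] <con1|50> IKE_SA con1[50] established between 192.0.2.1[vpn.example.invalid]...192.0.2.50[ikemaster]
Mar 29 16:41:12 charon 01[IKE] <con1|50> activating IKE_DPD task
Mar 29 17:06:05 charon 14[KNL] creating rekey job for CHILD_SA ESP/0xcce61ffb/192.0.2.1
Mar 29 17:06:05 charon 10[IKE] <con1|50> activating CHILD_REKEY task
Mar 29 20:48:02 charon 07[IKE] <con1|50> activating CHILD_REKEY task
Mar 30 00:14:47 charon 01[IKE] <con1|50> activating IKE_DPD task
Mar 30 00:16:33 charon 09[IKE] <con1|50> activating IKE_DELETE task
Mar 30 00:16:33 charon 09[IKE] <con1|50> sending DELETE for IKE_SA con1[50]
Mar 30 00:16:33 charon 09[IKE] <con1|50> IKE_SA deleted
Mar 30 00:17:10 charon 04[IKE] <con1|51> IKE_SA con1[51] established between 192.0.2.1[vpn.example.invalid]...192.0.2.50[ikemaster]
Mar 30 04:05:00 charon 06[IKE] <con1|51> activating IKE_REKEY task
Mar 30 04:05:00 charon 06[IKE] <con1|51> activating IKE_DELETE task
Mar 30 04:05:01 charon 06[IKE] <con1|51> IKE_SA deleted
"""

if __name__ == "__main__":
    summaries, findings = analyse(SAMPLE_LOG.splitlines())
    for name, sa in summaries.items():
        print(f"{name}: {sa['duration_s']}s, child rekeys={sa['child_rekeys']}, "
              f"IKE rekey/reauth={sa['ike_rekeys']}, deleted={sa['deleted']}")
    for name, reason in findings:
        print(f"FINDING {name}: {reason}")
```

Run it against a real `clog /var/log/ipsec.log` export by passing the file's lines to `analyse()`; an SA deleted by its own side after roughly the whole ikelifetime, with no IKE_REKEY/IKE_REAUTH task, is the signature to look for when telling a scheduled expiry apart from a DPD timeout or a client-initiated disconnect.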
Summary
This issue in the forums is here: [[https://forum.pfsense.org/index.php?topic=128023.0]]
Cert-based IKEv2 works smoothly on MSW10 (enabling DH20 via PowerShell) and on macOS/iOS (Apple Configurator profile). My client-side setup is discussed here: [[https://forum.pfsense.org/index.php?topic=127457.msg704054#msg704054]]
Phase 2 (CHILD_SA) rekeys with no issues whatsoever.
Phase 1 (IKE_SA) does not rekey.
Isn't there some stuff missing as per [[https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#Settings]], namely rekey_time, reauth_time, over_time and rand_time?
I tried find /usr/local/ -name '*' -exec grep -li 'rekey_time' {} \;
and it shows up only in /usr/local/etc/swanctl/swanctl.conf, which is cited above and seems to be a commented-out template.
find /var/etc/ipsec/strongswan.d/ -name '*' -exec grep -li 'rekey_time' {} \;
gives nothing.
Due to this issue IKEv2 cannot be used for VPN.