IKEv2 SA closes connection
-
Tested on macOS and MSW.
pfSense 2.4.0-BETA, strongswan-5.5.1

Mar 28 18:11:24 charon 14[CFG] <con1|42> lease 172.23.152.1 by 'ikemaster' went offline
Mar 28 18:11:24 charon 14[IKE] <con1|42> IKE_SA con1[42] state change: DELETING => DESTROYING
Mar 28 18:11:24 charon 14[IKE] <con1|42> IKE_SA deleted
Mar 28 18:11:24 charon 14[ENC] <con1|42> parsed INFORMATIONAL response 4 [ ]
Mar 28 18:11:24 charon 14[NET] <con1|42> received packet: from 192.168.10.130[4500] to 192.168.10.100[4500] (88 bytes)
Mar 28 18:11:24 charon 14[NET] <con1|42> sending packet: from 192.168.10.100[4500] to 192.168.10.130[4500] (88 bytes)
Mar 28 18:11:24 charon 14[ENC] <con1|42> generating INFORMATIONAL request 4 [ D ]
Mar 28 18:11:24 charon 14[IKE] <con1|42> sending DELETE for IKE_SA con1[42]
Mar 28 18:11:24 charon 14[IKE] <con1|42> IKE_SA con1[42] state change: ESTABLISHED => DELETING
Mar 28 18:11:24 charon 14[IKE] <con1|42> deleting IKE_SA con1[42] between 192.168.10.100[route.warp.lv]...192.168.10.130[192.168.10.130]
Mar 28 18:11:24 charon 14[IKE] <con1|42> activating IKE_DELETE task
Mar 28 18:11:24 charon 14[IKE] <con1|42> activating new tasks
Mar 28 18:11:24 charon 14[IKE] <con1|42> queueing IKE_DELETE task
I have read https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey and the output of cat /var/etc/ipsec/ipsec.conf seems correct:
config setup
    uniqueids = yes

conn bypasslan
    leftsubnet = 172.23.160.0/21
    rightsubnet = 172.23.160.0/21
    authby = never
    type = passthrough
    auto = route

conn con1
    fragmentation = yes
    keyexchange = ikev2
    reauth = yes
    forceencaps = no
    mobike = yes
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = clear
    dpddelay = 10s
    dpdtimeout = 60s
    auto = add
    left = 192.168.10.100
    right = %any
    leftid = fqdn:XXXXX
    ikelifetime = 1200s
    lifetime = 600s
    rightsourceip = 172.23.152.0/24
    ike = aes256-sha384-ecp384!
    esp = aes256-sha256!
    eap_identity=%identity
    leftauth=pubkey
    rightauth=eap-tls
    leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
    leftsendcert=always
    rightca="/C=LV/ST=Riga/L=Riga/O=WARP/emailAddress=XXXX/CN=XXXX/"
    leftsubnet = 0.0.0.0/0
Could it be that the short ikelifetime and lifetime are the main cause of this (I do want them to be short to be able to test rekeying)?
Where to look?
EDIT: I just set it to run overnight with 28800/3600 rekey times.
-
Same stuff.
VPN was started on Mar 28 19:21:32 from MSW.
In the logs (newest first) I observe:
Mar 29 03:19:39 charon 08[CFG] <con1|45> lease 172.23.152.1 by 'ikemaster' went offline
Mar 29 03:19:39 charon 08[IKE] <con1|45> IKE_SA con1[45] state change: DELETING => DESTROYING
Mar 29 03:19:39 charon 08[IKE] <con1|45> IKE_SA deleted
Mar 29 03:19:39 charon 08[ENC] <con1|45> parsed INFORMATIONAL response 0 [ ]
Mar 29 03:19:39 charon 08[NET] <con1|45> received packet: from 192.168.10.130[4500] to 192.168.10.100[4500] (88 bytes)
Mar 29 03:19:39 charon 08[NET] <con1|45> sending packet: from 192.168.10.100[4500] to 192.168.10.130[4500] (88 bytes)
Mar 29 03:19:39 charon 08[ENC] <con1|45> generating INFORMATIONAL request 0 [ D ]
Mar 29 03:19:39 charon 08[IKE] <con1|45> sending DELETE for IKE_SA con1[45]
Mar 29 03:19:39 charon 08[IKE] <con1|45> IKE_SA con1[45] state change: ESTABLISHED => DELETING
Mar 29 03:19:39 charon 08[IKE] <con1|45> deleting IKE_SA con1[45] between 192.168.10.100[XXX]...192.168.10.130[192.168.10.130]
Mar 29 03:19:39 charon 08[IKE] <con1|45> activating IKE_DELETE task
Mar 29 03:19:39 charon 08[IKE] <con1|45> activating new tasks
Mar 29 03:19:39 charon 08[IKE] <con1|45> queueing IKE_DELETE task
This is around the time when Phase 1 rekeying should be done (28800 sec): 19:21 + 8h - 24h = 03:21.
Before these logs, at 03:12:53, there is a Phase 2 reauth.
A few minutes before that:
Mar 29 03:10:39 charon 12[IKE] <con1|45> IKE_SA con1[45] will timeout in 22 minutes
Mar 29 03:10:39 charon 12[IKE] <con1|45> initiator did not reauthenticate as requested
However, funny that Phase 1 was actually rekeyed at 02:57: IKE_SA con1[44] state change: ESTABLISHED => REKEYED
Mar 29 02:57:32 charon 11[IKE] <con1|44> IKE_SA con1[44] state change: DELETING => DESTROYING
Mar 29 02:57:32 charon 11[NET] <con1|44> sending packet: from 192.168.10.100[4500] to 192.168.10.130[4500] (88 bytes)
Mar 29 02:57:32 charon 11[ENC] <con1|44> generating INFORMATIONAL response 126 [ ]
Mar 29 02:57:32 charon 11[IKE] <con1|44> IKE_SA deleted
Mar 29 02:57:32 charon 11[IKE] <con1|44> IKE_SA con1[44] state change: REKEYED => DELETING
Mar 29 02:57:32 charon 11[IKE] <con1|44> deleting IKE_SA con1[44] between 192.168.10.100[XXXXXX]...192.168.10.130[192.168.10.130]
Mar 29 02:57:32 charon 11[IKE] <con1|44> received DELETE for IKE_SA con1[44]
Mar 29 02:57:32 charon 11[ENC] <con1|44> parsed INFORMATIONAL request 126 [ D ]
Mar 29 02:57:32 charon 11[NET] <con1|44> received packet: from 192.168.10.130[4500] to 192.168.10.100[4500] (88 bytes)
Mar 29 02:57:32 charon 11[NET] <con1|44> sending packet: from 192.168.10.100[4500] to 192.168.10.130[4500] (280 bytes)
Mar 29 02:57:32 charon 11[ENC] <con1|44> generating CREATE_CHILD_SA response 125 [ SA No KE ]
Mar 29 02:57:32 charon 11[IKE] <con1|44> IKE_SA con1[44] state change: ESTABLISHED => REKEYED
Mar 29 02:57:32 charon 11[IKE] <con1|44> rescheduling reauthentication in 787s after rekeying, lifetime reduced to 1327s
Mar 29 02:57:32 charon 11[IKE] <con1|44> IKE_SA con1[45] rekeyed between 192.168.10.100[XXXXXX]...192.168.10.130[192.168.10.130]
Mar 29 02:57:32 charon 11[IKE] <con1|44> maximum IKE_SA lifetime 28647s
Mar 29 02:57:32 charon 11[IKE] <con1|44> scheduling reauthentication in 28107s
Mar 29 02:57:32 charon 11[IKE] <con1|44> IKE_SA con1[45] state change: CONNECTING => ESTABLISHED
Mar 29 02:57:32 charon 11[CFG] <con1|44> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
Mar 29 02:57:32 charon 11[CFG] <con1|44> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
Mar 29 02:57:32 charon 11[CFG] <con1|44> received proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
Mar 29 02:57:32 charon 11[CFG] <con1|44> proposal matches
Mar 29 02:57:32 charon 11[CFG] <con1|44> selecting proposal:
Mar 29 02:57:32 charon 11[IKE] <con1|44> IKE_SA con1[45] state change: CREATED => CONNECTING
Mar 29 02:57:32 charon 11[IKE] <con1|44> 192.168.10.130 is initiating an IKE_SA
Mar 29 02:57:32 charon 11[ENC] <con1|44> parsed CREATE_CHILD_SA request 125 [ SA KE No ]
Mar 29 02:57:32 charon 11[NET] <con1|44> received packet: from 192.168.10.130[4500] to 192.168.10.100[4500] (296 bytes)
There is this line:
Mar 29 02:57:32 charon 11[IKE] <con1|44> rescheduling reauthentication in 787s after rekeying, lifetime reduced to 1327s
and 787 seconds is 13:07 minutes, which matches (+/-) the "initiator did not reauthenticate as requested" at 03:10:39.
Why? Can anybody that has permanent IKEv2 running share some hint?
I will start the same thing now on macOS and see how it goes.
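As an added diagnostic example (this is not code from the thread, from pfSense or from strongSwan), the script below parses the charon lines quoted above, takes the "rescheduling reauthentication in 787s after rekeying, lifetime reduced to 1327s" message and computes when the responder expects the initiator to reauthenticate and when it will hard-delete the IKE_SA, then checks whether the later "initiator did not reauthenticate as requested" and "IKE_SA deleted" lines fall on exactly those timestamps. It also models how a fresh IKE_SA gets its timers; the assumption there is strongSwan's ipsec.conf defaults margintime = 9m (540 s) and rekeyfuzz = 100%, so the reauth timer is ikelifetime minus margintime minus a random 0..540 s and the hard lifetime is the timer plus margintime. All function and constant names are mine, and the year 2017 is assumed only so that the syslog timestamps can be parsed.

```python
"""Check charon's IKE_SA reauth/hard-expiry timeline from syslog lines.

Added diagnostic example for the thread above; not code from pfSense or
strongSwan.  Names, the year used for timestamp parsing and the
margintime/rekeyfuzz defaults are assumptions.
"""
import re
from datetime import datetime, timedelta

# Assumed strongSwan ipsec.conf defaults: margintime = 9m (540 s) and
# rekeyfuzz = 100%, i.e. up to one full margintime is subtracted at random.
MARGINTIME_DEFAULT = 540
ASSUMED_YEAR = 2017  # syslog lines carry no year; only the deltas matter

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) charon "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)> )?(?P<msg>.*)$"
)
RESCHED_RE = re.compile(
    r"rescheduling reauthentication in (?P<reauth>\d+)s after rekeying, "
    r"lifetime reduced to (?P<life>\d+)s"
)


def schedule_from_ikelifetime(ikelifetime, fuzz_subtracted,
                              margintime=MARGINTIME_DEFAULT):
    """Return (reauth_in, max_lifetime) in seconds for a fresh IKE_SA.

    Assumed charon behaviour: the reauth timer fires at
    ikelifetime - margintime - fuzz, with fuzz drawn from 0..margintime
    (rekeyfuzz=100%); the hard lifetime is that timer plus margintime.
    fuzz_subtracted is the value actually drawn, passed in explicitly so
    the result is reproducible.
    """
    if not 0 <= fuzz_subtracted <= margintime:
        raise ValueError("fuzz outside 0..margintime")
    reauth_in = ikelifetime - margintime - fuzz_subtracted
    return reauth_in, reauth_in + margintime


def parse_charon_line(line, year=ASSUMED_YEAR):
    """Parse one charon syslog line into a dict; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec["sa"] = int(rec["sa"]) if rec["sa"] else None
    return rec


def reauth_timeline(log_text):
    """Predict from a 'rescheduling reauthentication ...' line when the
    responder expects the initiator to reauthenticate and when it will
    hard-delete the IKE_SA, then check whether the later 'did not
    reauthenticate' and 'IKE_SA deleted' lines land exactly there.
    Input order does not matter (the pfSense GUI shows newest first).
    """
    recs = [r for r in map(parse_charon_line, log_text.splitlines()) if r]
    recs.sort(key=lambda r: r["ts"])
    out = {"reauth_due": None, "hard_expiry": None, "margin": None,
           "reauth_missed_on_time": False, "deleted_on_time": False}
    for r in recs:
        m = RESCHED_RE.search(r["msg"])
        if m:
            reauth, life = int(m["reauth"]), int(m["life"])
            out["reauth_due"] = r["ts"] + timedelta(seconds=reauth)
            out["hard_expiry"] = r["ts"] + timedelta(seconds=life)
            out["margin"] = life - reauth  # expected to equal margintime
            break
    if out["reauth_due"] is None:
        return out
    for r in recs:
        if "did not reauthenticate" in r["msg"] and r["ts"] == out["reauth_due"]:
            out["reauth_missed_on_time"] = True
        if r["msg"] == "IKE_SA deleted" and r["ts"] == out["hard_expiry"]:
            out["deleted_on_time"] = True
    return out


# Lines copied from the thread above (identities masked as they are there).
SAMPLE_LOG = """\
Mar 29 03:19:39 charon 08[IKE] <con1|45> IKE_SA deleted
Mar 29 03:19:39 charon 08[IKE] <con1|45> IKE_SA con1[45] state change: ESTABLISHED => DELETING
Mar 29 03:10:39 charon 12[IKE] <con1|45> IKE_SA con1[45] will timeout in 22 minutes
Mar 29 03:10:39 charon 12[IKE] <con1|45> initiator did not reauthenticate as requested
Mar 29 02:57:32 charon 11[IKE] <con1|44> rescheduling reauthentication in 787s after rekeying, lifetime reduced to 1327s
Mar 29 02:57:32 charon 11[IKE] <con1|44> IKE_SA con1[45] rekeyed between 192.168.10.100[XXXXXX]...192.168.10.130[192.168.10.130]
Mar 29 02:57:32 charon 11[IKE] <con1|44> maximum IKE_SA lifetime 28647s
Mar 29 02:57:32 charon 11[IKE] <con1|44> scheduling reauthentication in 28107s
"""

if __name__ == "__main__":
    print("fresh SA, ikelifetime 28800s, fuzz 153s:",
          schedule_from_ikelifetime(28800, 153))
    for key, val in reauth_timeline(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

With the thread's numbers it reports a margin of 540 s, reauth due at 03:10:39 and hard expiry at 03:19:39, which are exactly the timestamps of the "initiator did not reauthenticate as requested" and "IKE_SA deleted" lines, so in this trace the responder tore the SA down at its hard lifetime, 540 s after the reauthentication it had asked the client for did not happen. For a fresh SA, schedule_from_ikelifetime(28800, 153) gives (28107, 28647), the pair logged at 02:57:32. Feeding the full charon log to reauth_timeline() is a quick way to tell whether a given deletion coincides with a missed reauthentication or happens at some other point.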
-
On macOS the session was started on Mar 29 16:20:02.
Throughout the connection it repeats DPD successfully, many times:
Mar 29 16:41:12 charon 01[IKE] <con1|49> nothing to initiate
Mar 29 16:41:12 charon 01[IKE] <con1|49> activating new tasks
Mar 29 16:41:12 charon 01[ENC] <con1|49> parsed INFORMATIONAL response 32 [ ]
Mar 29 16:41:12 charon 01[NET] <con1|49> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (88 bytes)
Mar 29 16:41:12 charon 01[NET] <con1|49> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (88 bytes)
Mar 29 16:41:12 charon 01[ENC] <con1|49> generating INFORMATIONAL request 32 [ ]
Mar 29 16:41:12 charon 01[IKE] <con1|49> activating IKE_DPD task
Mar 29 16:41:12 charon 01[IKE] <con1|49> activating new tasks
Mar 29 16:41:12 charon 01[IKE] <con1|49> queueing IKE_DPD task
Mar 29 16:41:12 charon 01[IKE] <con1|49> sending DPD request
At 17:06 it rekeyed the child SA:
Mar 29 17:06:05 charon 05[IKE] <con1|49> nothing to initiate
Mar 29 17:06:05 charon 05[IKE] <con1|49> activating new tasks
Mar 29 17:06:05 charon 05[KNL] <con1|49> unable to delete SAD entry with SPI 0be310f0: No such file or directory (2)
Mar 29 17:06:05 charon 05[IKE] <con1|49> CHILD_SA closed
Mar 29 17:06:05 charon 05[IKE] <con1|49> received DELETE for ESP CHILD_SA with SPI 0be310f0
Mar 29 17:06:05 charon 05[ENC] <con1|49> parsed INFORMATIONAL response 39 [ D ]
Mar 29 17:06:05 charon 05[NET] <con1|49> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (88 bytes)
Mar 29 17:06:05 charon 10[NET] <con1|49> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (88 bytes)
Mar 29 17:06:05 charon 10[ENC] <con1|49> generating INFORMATIONAL request 39 [ D ]
Mar 29 17:06:05 charon 10[IKE] <con1|49> sending DELETE for ESP CHILD_SA with SPI cce61ffb
Mar 29 17:06:05 charon 10[IKE] <con1|49> closing CHILD_SA con1{669} with SPIs cce61ffb_i (7759579923 bytes) 0be310f0_o (443892856 bytes) and TS 0.0.0.0/0|/0 === 172.23.152.1/32|/0
Mar 29 17:06:05 charon 10[IKE] <con1|49> CHILD_REKEY task
Mar 29 17:06:05 charon 10[IKE] <con1|49> reinitiating already active tasks
Mar 29 17:06:05 charon 10[IKE] <con1|49> CHILD_SA con1{670} established with SPIs cbd4ab9c_i 0af54a92_o and TS 0.0.0.0/0|/0 === 172.23.152.1/32|/0
Mar 29 17:06:05 charon 10[CHD] <con1|49> SPI 0x0af54a92, src 192.168.10.100 dst 192.168.10.121
Mar 29 17:06:05 charon 10[CHD] <con1|49> adding outbound ESP SA
Mar 29 17:06:05 charon 10[CHD] <con1|49> SPI 0xcbd4ab9c, src 192.168.10.121 dst 192.168.10.100
Mar 29 17:06:05 charon 10[CHD] <con1|49> adding inbound ESP SA
Mar 29 17:06:05 charon 10[CHD] <con1|49> using HMAC_SHA2_256_128 for integrity
Mar 29 17:06:05 charon 10[CHD] <con1|49> using AES_CBC for encryption
Mar 29 17:06:05 charon 10[CFG] <con1|49> config: 172.23.152.1/32|/0, received: 172.23.152.1/32|/0 => match: 172.23.152.1/32|/0
Mar 29 17:06:05 charon 10[CFG] <con1|49> selecting traffic selectors for other:
Mar 29 17:06:05 charon 10[CFG] <con1|49> config: 0.0.0.0/0|/0, received: 0.0.0.0/0|/0 => match: 0.0.0.0/0|/0
Mar 29 17:06:05 charon 10[CFG] <con1|49> selecting traffic selectors for us:
Mar 29 17:06:05 charon 10[CFG] <con1|49> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 17:06:05 charon 10[CFG] <con1|49> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 17:06:05 charon 10[CFG] <con1|49> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 17:06:05 charon 10[CFG] <con1|49> proposal matches
Mar 29 17:06:05 charon 10[CFG] <con1|49> selecting proposal:
Mar 29 17:06:05 charon 10[ENC] <con1|49> parsed CREATE_CHILD_SA response 38 [ SA No KE TSi TSr ]
Mar 29 17:06:05 charon 10[NET] <con1|49> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (312 bytes)
Mar 29 17:06:05 charon 10[NET] <con1|49> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (344 bytes)
Mar 29 17:06:05 charon 10[ENC] <con1|49> generating CREATE_CHILD_SA request 38 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Mar 29 17:06:05 charon 10[CFG] <con1|49> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 17:06:05 charon 10[CFG] <con1|49> 172.23.152.1/32|/0
Mar 29 17:06:05 charon 10[CFG] <con1|49> proposing traffic selectors for other:
Mar 29 17:06:05 charon 10[CFG] <con1|49> 0.0.0.0/0|/0
Mar 29 17:06:05 charon 10[CFG] <con1|49> proposing traffic selectors for us:
Mar 29 17:06:05 charon 10[IKE] <con1|49> establishing CHILD_SA con1{132}
Mar 29 17:06:05 charon 10[IKE] <con1|49> activating CHILD_REKEY task
Mar 29 17:06:05 charon 10[IKE] <con1|49> activating new tasks
Mar 29 17:06:05 charon 10[IKE] <con1|49> queueing CHILD_REKEY task
Mar 29 17:06:05 charon 14[KNL] creating rekey job for CHILD_SA ESP/0xcce61ffb/192.168.10.100
Every 10 minutes an informational request is sent:
Mar 29 20:10:52 charon 14[NET] <con1|49> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (88 bytes)
Mar 29 20:10:52 charon 14[ENC] <con1|49> generating INFORMATIONAL response 33 [ ]
Mar 29 20:10:52 charon 14[ENC] <con1|49> parsed INFORMATIONAL request 33 [ ]
Mar 29 20:10:52 charon 14[NET] <con1|49> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (88 bytes)
Yet another (one of many) successful child rekey, hours later:
Mar 29 20:48:03 charon 07[IKE] <con1|49> nothing to initiate
Mar 29 20:48:03 charon 07[IKE] <con1|49> activating new tasks
Mar 29 20:48:03 charon 07[KNL] <con1|49> unable to delete SAD entry with SPI 0ec920e6: No such file or directory (2)
Mar 29 20:48:03 charon 07[IKE] <con1|49> CHILD_SA closed
Mar 29 20:48:03 charon 07[IKE] <con1|49> received DELETE for ESP CHILD_SA with SPI 0ec920e6
Mar 29 20:48:03 charon 07[ENC] <con1|49> parsed INFORMATIONAL response 49 [ D ]
Mar 29 20:48:03 charon 07[NET] <con1|49> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (88 bytes)
Mar 29 20:48:02 charon 07[NET] <con1|49> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (88 bytes)
Mar 29 20:48:02 charon 07[ENC] <con1|49> generating INFORMATIONAL request 49 [ D ]
Mar 29 20:48:02 charon 07[IKE] <con1|49> sending DELETE for ESP CHILD_SA with SPI c1b173c9
Mar 29 20:48:02 charon 07[IKE] <con1|49> closing CHILD_SA con1{674} with SPIs c1b173c9_i (29869507222 bytes) 0ec920e6_o (0 bytes) and TS 0.0.0.0/0|/0 === 172.23.152.1/32|/0
Mar 29 20:48:02 charon 07[KNL] <con1|49> unable to query SAD entry with SPI 0ec920e6: No such file or directory (2)
Mar 29 20:48:02 charon 07[IKE] <con1|49> CHILD_REKEY task
Mar 29 20:48:02 charon 07[IKE] <con1|49> reinitiating already active tasks
Mar 29 20:48:02 charon 07[KNL] <con1|49> unable to query SAD entry with SPI 0ec920e6: No such file or directory (2)
Mar 29 20:48:02 charon 07[IKE] <con1|49> CHILD_SA con1{675} established with SPIs c791946c_i 02777737_o and TS 0.0.0.0/0|/0 === 172.23.152.1/32|/0
Mar 29 20:48:02 charon 07[CHD] <con1|49> SPI 0x02777737, src 192.168.10.100 dst 192.168.10.121
Mar 29 20:48:02 charon 07[CHD] <con1|49> adding outbound ESP SA
Mar 29 20:48:02 charon 07[CHD] <con1|49> SPI 0xc791946c, src 192.168.10.121 dst 192.168.10.100
Mar 29 20:48:02 charon 07[CHD] <con1|49> adding inbound ESP SA
Mar 29 20:48:02 charon 07[CHD] <con1|49> using HMAC_SHA2_256_128 for integrity
Mar 29 20:48:02 charon 07[CHD] <con1|49> using AES_CBC for encryption
Mar 29 20:48:02 charon 07[CFG] <con1|49> config: 172.23.152.1/32|/0, received: 172.23.152.1/32|/0 => match: 172.23.152.1/32|/0
Mar 29 20:48:02 charon 07[CFG] <con1|49> selecting traffic selectors for other:
Mar 29 20:48:02 charon 07[CFG] <con1|49> config: 0.0.0.0/0|/0, received: 0.0.0.0/0|/0 => match: 0.0.0.0/0|/0
Mar 29 20:48:02 charon 07[CFG] <con1|49> selecting traffic selectors for us:
Mar 29 20:48:02 charon 07[CFG] <con1|49> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 20:48:02 charon 07[CFG] <con1|49> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 20:48:02 charon 07[CFG] <con1|49> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 20:48:02 charon 07[CFG] <con1|49> proposal matches
Mar 29 20:48:02 charon 07[CFG] <con1|49> selecting proposal:
Mar 29 20:48:02 charon 07[ENC] <con1|49> parsed CREATE_CHILD_SA response 48 [ SA No KE TSi TSr ]
Mar 29 20:48:02 charon 07[NET] <con1|49> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (312 bytes)
Mar 29 20:48:02 charon 07[NET] <con1|49> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (344 bytes)
Mar 29 20:48:02 charon 07[ENC] <con1|49> generating CREATE_CHILD_SA request 48 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Mar 29 20:48:02 charon 07[CFG] <con1|49> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
Mar 29 20:48:02 charon 07[CFG] <con1|49> 172.23.152.1/32|/0
Mar 29 20:48:02 charon 07[CFG] <con1|49> proposing traffic selectors for other:
Mar 29 20:48:02 charon 07[CFG] <con1|49> 0.0.0.0/0|/0
Mar 29 20:48:02 charon 07[CFG] <con1|49> proposing traffic selectors for us:
Mar 29 20:48:02 charon 07[IKE] <con1|49> establishing CHILD_SA con1{132}
Mar 29 20:48:02 charon 07[IKE] <con1|49> activating CHILD_REKEY task
Mar 29 20:48:02 charon 07[IKE] <con1|49> activating new tasks
Mar 29 20:48:02 charon 07[IKE] <con1|49> queueing CHILD_REKEY task
Mar 29 20:48:02 charon 05[KNL] creating rekey job for CHILD_SA ESP/0xc1b173c9/192.168.10.100
IKE_DPD tasks still seem to get an ACK from the client after ~8 hours of connection:
Mar 30 00:14:47 charon 01[IKE] <con1|50> nothing to initiate
Mar 30 00:14:47 charon 01[IKE] <con1|50> activating new tasks
Mar 30 00:14:47 charon 01[ENC] <con1|50> parsed INFORMATIONAL response 152 [ ]
Mar 30 00:14:47 charon 01[NET] <con1|50> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (88 bytes)
Mar 30 00:14:47 charon 01[NET] <con1|50> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (88 bytes)
Mar 30 00:14:47 charon 01[ENC] <con1|50> generating INFORMATIONAL request 152 [ ]
Mar 30 00:14:47 charon 01[IKE] <con1|50> activating IKE_DPD task
Mar 30 00:14:47 charon 01[IKE] <con1|50> activating new tasks
Mar 30 00:14:47 charon 01[IKE] <con1|50> queueing IKE_DPD task
Mar 30 00:14:47 charon 01[IKE] <con1|50> sending DPD request
After 8 hours pfSense just deletes the connection:
Mar 30 00:16:33 charon 09[CFG] <con1|50> lease 172.23.152.1 by 'ikemaster' went offline
Mar 30 00:16:33 charon 09[IKE] <con1|50> IKE_SA con1[50] state change: DELETING => DESTROYING
Mar 30 00:16:33 charon 09[IKE] <con1|50> IKE_SA deleted
Mar 30 00:16:33 charon 09[ENC] <con1|50> parsed INFORMATIONAL response 156 [ ]
Mar 30 00:16:33 charon 09[NET] <con1|50> received packet: from 192.168.10.121[4500] to 192.168.10.100[4500] (88 bytes)
Mar 30 00:16:33 charon 09[NET] <con1|50> sending packet: from 192.168.10.100[4500] to 192.168.10.121[4500] (88 bytes)
Mar 30 00:16:33 charon 09[ENC] <con1|50> generating INFORMATIONAL request 156 [ D ]
Mar 30 00:16:33 charon 09[IKE] <con1|50> sending DELETE for IKE_SA con1[50]
Mar 30 00:16:33 charon 09[IKE] <con1|50> IKE_SA con1[50] state change: ESTABLISHED => DELETING
Mar 30 00:16:33 charon 09[IKE] <con1|50> deleting IKE_SA con1[50] between 192.168.10.100[XXXXXX]...192.168.10.121[ikemaster]
Mar 30 00:16:33 charon 09[IKE] <con1|50> activating IKE_DELETE task
Mar 30 00:16:33 charon 09[IKE] <con1|50> activating new tasks
Mar 30 00:16:33 charon 09[IKE] <con1|50> queueing IKE_DELETE task
Bad.
Throughout the test, macOS was running iperf (set to 24h) against one computer within the pfSense LAN, as well as a constant WAN stream (simply running a video stream from YT).
It seems that only the break part of break-before-make is working.
-
/var/etc/ipsec/ipsec.conf
# This file is automatically generated. Do not edit
config setup
    uniqueids = yes

conn bypasslan
    leftsubnet = MYCLASSBNET/21
    rightsubnet = MYCLASSBNET/21
    authby = never
    type = passthrough
    auto = route

conn con1
    fragmentation = yes
    keyexchange = ikev2
    reauth = yes
    forceencaps = no
    mobike = yes
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = clear
    dpddelay = 10s
    dpdtimeout = 60s
    auto = add
    left = 192.168.10.100
    right = %any
    leftid = fqdn:XXXX
    ikelifetime = 28800s
    lifetime = 3600s
    rightsourceip = MYIKECLASSBNET/24
    ike = aes256-sha384-ecp384!
    esp = aes256-sha256-ecp384!
    eap_identity=%identity
    leftauth=pubkey
    rightauth=eap-tls
    leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
    leftsendcert=always
    rightca="/C=LV/ST=Riga/L=Riga/O=WARP/emailAddress=XXXXX/CN=XXXXX/"
    leftsubnet = 0.0.0.0/0
/var/etc/ipsec/strongswan.conf
# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten.
starter {
    load_warning = no
    config_file = /var/etc/ipsec/ipsec.conf
}

charon {
    # number of worker threads in charon
    threads = 16
    ikesa_table_size = 32
    ikesa_table_segments = 4
    init_limit_half_open = 1000
    install_routes = no
    load_modular = yes
    ignore_acquire_ts = yes
    cisco_unity = no

    syslog {
        identifier = charon
        # log everything under daemon since it ends up in the same place regardless with our syslog.conf
        daemon {
            ike_name = yes
            dmn = 1
            mgr = 1
            ike = 2
            chd = 2
            job = 1
            cfg = 2
            knl = 1
            net = 1
            asn = 1
            enc = 1
            imc = 1
            imv = 1
            pts = 1
            tls = 1
            esp = 1
            lib = 1
        }
        # disable logging under auth so logs aren't duplicated
        auth {
            default = -1
        }
    }

    plugins {
        # Load defaults
        include /var/etc/ipsec/strongswan.d/charon/*.conf

        stroke {
            secrets_file = /var/etc/ipsec/ipsec.secrets
        }

        unity {
            load = no
        }

        attr {
            dns = 172.23.160.1
            subnet = 0.0.0.0/0
            split-include = 0.0.0.0/0
            # Search domain and default domain
            28674 = "warp"
            28675 = "warp"
        }

        xauth-generic {
            script = /etc/inc/ipsec.auth-user.php
            authcfg = Local Database
        }
    }
}
/usr/local/etc/swanctl/swanctl.conf
# Section defining IKE connection configurations.
# connections {
#
#     # Section for an IKE connection named <conn>.
#     <conn> {
#         # IKE major version to use for connection.
#         version = 0
#         # Local address(es) to use for IKE communication, comma separated.
#         local_addrs = %any
#         # Remote address(es) to use for IKE communication, comma separated.
#         remote_addrs = %any
#         # Local UDP port for IKE communication.
#         local_port = 500
#         # Remote UDP port for IKE communication.
#         remote_port = 500
#         # Comma separated proposals to accept for IKE.
#         proposals = default
#         # Virtual IPs to request in configuration payload / Mode Config.
#         vips =
#         # Use Aggressive Mode in IKEv1.
#         aggressive = no
#         # Set the Mode Config mode to use.
#         pull = yes
#         # Enforce UDP encapsulation by faking NAT-D payloads.
#         encap = no
#         # Enables MOBIKE on IKEv2 connections.
#         mobike = yes
#         # Interval of liveness checks (DPD).
#         dpd_delay = 0s
#         # Timeout for DPD checks (IKEV1 only).
#         dpd_timeout = 0s
#         # Use IKE UDP datagram fragmentation. (yes, no or force).
#         fragmentation = yes
#         # Send certificate requests payloads (yes or no).
#         send_certreq = yes
#         # Send certificate payloads (always, never or ifasked).
#         send_cert = ifasked
#         # Number of retransmission sequences to perform during initial connect.
#         keyingtries = 1
#         # Connection uniqueness policy (never, no, keep or replace).
#         unique = no
#         # Time to schedule IKE reauthentication.
#         reauth_time = 0s
#         # Time to schedule IKE rekeying.
#         rekey_time = 4h
#         # Hard IKE_SA lifetime if rekey/reauth does not complete, as time.
#         over_time = 10% of rekey_time/reauth_time
#         # Range of random time to subtract from rekey/reauth times.
#         rand_time = over_time
#         # Comma separated list of named IP pools.
#         pools =
#
#         # Section for a local authentication round.
#         local<suffix> {
#             # Optional numeric identifier by which authentication rounds are
#             # sorted. If not specified rounds are ordered by their position in
#             # the config file/VICI message.
#             round = 0
#             # Comma separated list of certificate candidates to use for
#             # authentication.
#             certs =
#             # Comma separated list of raw public key candidates to use for
#             # authentication.
#             pubkeys =
#             # Authentication to perform locally (pubkey, psk, xauth[-backend] or
#             # eap[-method]).
#             auth = pubkey
#             # IKE identity to use for authentication round.
#             id =
#             # Client EAP-Identity to use in EAP-Identity exchange and the EAP
#             # method.
#             eap_id = id
#             # Server side EAP-Identity to expect in the EAP method.
#             aaa_id = remote-id
#             # Client XAuth username used in the XAuth exchange.
#             xauth_id = id
#         }
#
#         # Section for a remote authentication round.
#         remote<suffix> {
#             # Optional numeric identifier by which authentication rounds are
#             # sorted. If not specified rounds are ordered by their position in
#             # the config file/VICI message.
#             round = 0
#             # IKE identity to expect for authentication round.
#             id = %any
#             # Authorization group memberships to require.
#             groups =
#             # Comma separated list of certificate to accept for authentication.
#             certs =
#             # Comma separated list of CA certificates to accept for
#             # authentication.
#             cacerts =
#             # Comma separated list of raw public keys to accept for
#             # authentication.
#             pubkeys =
#             # Certificate revocation policy, (strict, ifuri or relaxed).
#             revocation = relaxed
#             # Authentication to expect from remote (pubkey, psk, xauth[-backend]
#             # or eap[-method]).
#             auth = pubkey
#         }
#
#         children {
#             # CHILD_SA configuration sub-section.
#             <child> {
#                 # AH proposals to offer for the CHILD_SA.
#                 ah_proposals =
#                 # ESP proposals to offer for the CHILD_SA.
#                 esp_proposals = default
#                 # Local traffic selectors to include in CHILD_SA.
#                 local_ts = dynamic
#                 # Remote selectors to include in CHILD_SA.
#                 remote_ts = dynamic
#                 # Time to schedule CHILD_SA rekeying.
#                 rekey_time = 1h
#                 # Maximum lifetime before CHILD_SA gets closed, as time.
#                 life_time = rekey_time + 10%
#                 # Range of random time to subtract from rekey_time.
#                 rand_time = life_time - rekey_time
#                 # Number of bytes processed before initiating CHILD_SA rekeying.
#                 rekey_bytes = 0
#                 # Maximum bytes processed before CHILD_SA gets closed.
#                 life_bytes = rekey_bytes + 10%
#                 # Range of random bytes to subtract from rekey_bytes.
#                 rand_bytes = life_bytes - rekey_bytes
#                 # Number of packets processed before initiating CHILD_SA
#                 # rekeying.
#                 rekey_packets = 0
#                 # Maximum number of packets processed before CHILD_SA gets
#                 # closed.
#                 life_packets = rekey_packets + 10%
#                 # Range of random packets to subtract from packets_bytes.
#                 rand_packets = life_packets - rekey_packets
#                 # Updown script to invoke on CHILD_SA up and down events.
#                 updown =
#                 # Hostaccess variable to pass to updown script.
#                 hostaccess = yes
#                 # IPsec Mode to establish (tunnel, transport, beet, pass or
#                 # drop).
#                 mode = tunnel
#                 # Whether to install IPsec policies or not.
#                 policies = yes
#                 # Whether to install outbound FWD IPsec policies or not.
#                 policies_fwd_out = no
#                 # Action to perform on DPD timeout (clear, trap or restart).
#                 dpd_action = clear
#                 # Enable IPComp compression before encryption.
#                 ipcomp = no
#                 # Timeout before closing CHILD_SA after inactivity.
#                 inactivity = 0s
#                 # Fixed reqid to use for this CHILD_SA.
#                 reqid = 0
#                 # Optional fixed priority for IPsec policies.
#                 priority = 0
#                 # Optional interface name to restrict IPsec policies.
#                 interface =
#                 # Netfilter mark and mask for input traffic.
#                 mark_in = 0/0x00000000
#                 # Netfilter mark and mask for output traffic.
#                 mark_out = 0/0x00000000
#                 # Traffic Flow Confidentiality padding.
#                 tfc_padding = 0
#                 # IPsec replay window to configure for this CHILD_SA.
#                 replay_window = 32
#                 # Action to perform after loading the configuration (none, trap,
#                 # start).
#                 start_action = none
#                 # Action to perform after a CHILD_SA gets closed (none, trap,
#                 # start).
#                 close_action = none
#             }
#         }
#     }
# }
#
# Section defining secrets for IKE/EAP/XAuth authentication and private key
# decryption.
# secrets {
#
#     # EAP secret section for a specific secret.
#     eap<suffix> {
#         # Value of the EAP/XAuth secret.
#         secret =
#         # Identity the EAP/XAuth secret belongs to.
#         id<suffix> =
#     }
#
#     # XAuth secret section for a specific secret.
#     xauth<suffix> {
#     }
#
#     # IKE preshared secret section for a specific secret.
#     ike<suffix> {
#         # Value of the IKE preshared secret.
#         secret =
#         # IKE identity the IKE preshared secret belongs to.
#         id<suffix> =
#     }
#
#     # Private key decryption passphrase for a key in the private folder.
#     private<suffix> {
#         # File name in the private folder for which this passphrase should be
#         # used.
#         file =
#         # Value of decryption passphrase for private key.
#         secret =
#     }
#
#     # Private key decryption passphrase for a key in the rsa folder.
#     rsa<suffix> {
#         # File name in the rsa folder for which this passphrase should be used.
#         file =
#         # Value of decryption passphrase for RSA key.
#         secret =
#     }
#
#     # Private key decryption passphrase for a key in the ecdsa folder.
#     ecdsa<suffix> {
#         # File name in the ecdsa folder for which this passphrase should be
#         # used.
#         file =
#         # Value of decryption passphrase for ECDSA key.
#         secret =
#     }
#
#     # Private key decryption passphrase for a key in the pkcs8 folder.
#     pkcs8<suffix> {
#         # File name in the pkcs8 folder for which this passphrase should be
#         # used.
#         file =
#         # Value of decryption passphrase for PKCS#8 key.
#         secret =
#     }
#
#     # PKCS#12 decryption passphrase for a container in the pkcs12 folder.
#     pkcs12<suffix> {
#         # File name in the pkcs12 folder for which this passphrase should be
#         # used.
#         file =
#         # Value of decryption passphrase for PKCS#12 container.
#         secret =
#     }
# }
#
# Section defining named pools.
# pools {
#
#     # Section defining a single pool with a unique name.
#     <name> {
#         # Addresses allocated in pool.
#         addrs =
#         # Comma separated list of additional attributes from type <attr>.
#         <attr> =
#     }
# }
#
# Section defining attributes of certification authorities.
# authorities {
#
#     # Section defining a certification authority with a unique name.
#     <name> {
#         # CA certificate belonging to the certification authority.
#         cacert =
#         # Comma-separated list of CRL distribution points
#         crl_uris =
#         # Comma-separated list of OCSP URIs
#         ocsp_uris =
#         # Defines the base URI for the Hash and URL feature supported by IKEv2.
#         cert_uri_base =
#     }
# }
/usr/local/etc/strongswan.d/swanctl.conf
swanctl {
    # Plugins to load in swanctl.
    # load =
}
There is some stuff missing as per the strongswan docs:
rekey_time, reauth_time, over_time, rand_time
I tried find /usr/local/ -name '*' -exec grep -li 'rekey_time' {} \; and it shows up only in /usr/local/etc/swanctl/swanctl.conf, which is basically some commented-out template. It seems that the conf is loaded from /var/etc/ipsec/strongswan.d/, and find /var/etc/ipsec/strongswan.d/ -name '*' -exec grep -li 'rekey_time' {} \; gives nothing.
My settings in GUI:
DNS Resolver
Added IKEv2 MYIKECLASSBNET/24 to access lists
Certs
CA
Server cert
User with cert
VPN > IPsec > Mobile clients
IKE Extensions: Y
User Authentication: Local DB
Group authentication: none
Virtual Address Pool: Y (/24 network besides my Class B LAN)
Virtual IPv6 Address Pool: N
Network List: Y
Save Xauth Password: N
DNS Default Domain: Y (same as system domain)
Split DNS: N
DNS Servers: Y (pfSense IP)
WINS Servers: N
Phase2 PFS Group: N
Login Banner: N
VPN > IPsec > Pre-Shared Keys
Does not apply
VPN > IPsec > Advanced settings
Configure Unique IDs as: Y
IP Compression: N
Strict interface binding: N
Unencrypted payloads in IKEv1 Main Mode: N
Enable Maximum MSS: N
Enable Cisco Extensions: N
Strict CRL Checking: N
Make before Break: N (thus we are using break-before-make!)
Auto-exclude LAN address: Y
VPN > IPsec > Tunnels > Phase 1
Disabled: N
Key Exchange version: IKEv2
Internet Protocol: IPv4
Interface: WAN
Description: IKEv2 Phase 1 test
Authentication Method: EAP-TLS
My identifier: Distinguished name (DNS name of router)
Peer identifier: Any
My Certificate: corresponding server cert
Peer Certificate Authority: corresponding ca
Encryption Algorithm: AES-256
Hash Algorithm: SHA384
DH Group: 20 (ecp384)
Lifetime (Seconds): 28800
Disable rekey: N
Disable Reauth: N
Responder Only: N
MOBIKE: Enable
Split connections: N
Dead Peer Detection: Y
Delay: 10
Max failures: 5
VPN > IPsec > Tunnels > Phase 2
Disabled: N
Mode: Tunnel IPv4
Local network: Network 0.0.0.0/0
NAT/BINAT translation: None
Description: IKEv2 Phase 2 test
Protocol: ESP
Encryption Algorithms: AES-256
Hash Algorithms: SHA256
PFS key group: 20 (ecp384)
Lifetime: 3600 seconds
Automatically ping host: null
Firewall
IPsec pass.
Where to look?
-
Should this be moved to the 2.4 development snapshots forum (is this a regression? It seems that people are using IKEv2 for site-to-site 24/7 tunnels, so this should work unless I have made a mistake somewhere (that I cannot find))?
Added https://redmine.pfsense.org/issues/7439