IPSEC unstable



  • I had a few remote sites lose IPSEC connectivity. Disconnect and Reconnect restored the IPSEC tunnel.
    Upgraded to 2.3.1_1

    Logs show x.x.x.x as HQ, y.y.y.y are remote site.

    Jun 2 12:18:54	charon		14[IKE] <con1|7> authentication of 'x.x.x.x' with pre-shared key successful
    Jun 2 12:18:54	charon		14[IKE] <con1|7> IKE_SA con1[7] established between y.y.y.y[y.y.y.y]...x.x.x.x[x.x.x.x]
    Jun 2 12:18:54	charon		14[IKE] <con1|7> scheduling reauthentication in 27947s
    Jun 2 12:18:54	charon		14[IKE] <con1|7> maximum IKE_SA lifetime 28487s
    Jun 2 12:18:54	charon		14[IKE] <con1|7> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Jun 2 12:18:54	charon		09[ENC] <con1|8> parsed CREATE_CHILD_SA request 2 [ EF(1/2) ]
    Jun 2 12:18:54	charon		14[IKE] <con1|7> CHILD_SA con1{90} established with SPIs c95025fa_i caca0029_o and TS 10.0.6.0/24|/0 === 10.0.4.0/24|/0
    Jun 2 12:18:54	charon		14[IKE] <con1|7> received AUTH_LIFETIME of 27806s, scheduling reauthentication in 27266s
    Jun 2 12:18:54	charon		09[ENC] <con1|8> received fragment #1 of 2, waiting for complete IKE message
    Jun 2 12:18:54	charon		10[NET] <con1|8> received packet: from x.x.x.x[500] to y.y.y.y[500] (304 bytes)
    Jun 2 12:18:54	charon		10[ENC] <con1|8> parsed CREATE_CHILD_SA request 2 [ EF(2/2) ]
    Jun 2 12:18:54	charon		10[ENC] <con1|8> received fragment #2 of 2, reassembling fragmented IKE message
    Jun 2 12:18:54	charon		10[ENC] <con1|8> parsed CREATE_CHILD_SA request 2 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
    Jun 2 12:18:55	charon		10[IKE] <con1|8> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Jun 2 12:18:55	charon		10[IKE] <con1|8> CHILD_SA con1{92} established with SPIs cb88e2da_i cf855ebb_o and TS 10.0.6.0/24|/0 === 10.0.4.0/24|/0
    Jun 2 12:18:55	charon		10[ENC] <con1|8> generating CREATE_CHILD_SA response 2 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
    Jun 2 12:18:55	charon		10[NET] <con1|8> sending packet: from y.y.y.y[500] to x.x.x.x[500] (196 bytes)
    Jun 2 12:49:43	charon		12[KNL] <con1|7> unable to query SAD entry with SPI caca0029: No such file or directory (2)
    Jun 2 12:49:43	charon		12[KNL] <con1|8> unable to query SAD entry with SPI cee9e020: No such file or directory (2)
    Jun 2 12:49:49	charon		11[KNL] <con1|7> unable to query SAD entry with SPI caca0029: No such file or directory (2)
    Jun 2 12:49:49	charon		11[KNL] <con1|8> unable to query SAD entry with SPI cee9e020: No such file or directory (2)
    Jun 2 12:49:55	charon		06[KNL] <con1|7> unable to query SAD entry with SPI caca0029: No such file or directory (2)
    Jun 2 12:49:55	charon		06[KNL] <con1|8> unable to query SAD entry with SPI cee9e020: No such file or directory (2)
    Jun 2 12:50:01	charon		07[KNL] <con1|7> unable to query SAD entry with SPI caca0029: No such file or directory (2)
    Jun 2 12:50:01	charon		07[KNL] <con1|8> unable to query SAD entry with SPI cee9e020: No such file or directory (2)
    Jun 2 12:50:07	charon		13[KNL] <con1|7> unable to query SAD entry with SPI caca0029: No such file or directory (2)
    Jun 2 12:50:07	charon		13[KNL] <con1|8> unable to query SAD entry with SPI cee9e020: No such file or directory (2)
    Jun 2 12:50:12	charon		13[CFG] received stroke: terminate 'con1'
    Jun 2 12:50:12	charon		15[IKE] <con1|7> deleting IKE_SA con1[7] between y.y.y.y[y.y.y.y]...x.x.x.x[x.x.x.x]
    Jun 2 12:50:12	charon		15[IKE] <con1|7> sending DELETE for IKE_SA con1[7]
    Jun 2 12:50:12	charon		15[ENC] <con1|7> generating INFORMATIONAL request 2 [ D ]
    Jun 2 12:50:12	charon		15[NET] <con1|7> sending packet: from y.y.y.y[500] to x.x.x.x[500] (68 bytes)
    Jun 2 12:50:12	charon		15[NET] <con1|7> received packet: from x.x.x.x[500] to y.y.y.y[500] (60 bytes)
    Jun 2 12:50:12	charon		15[ENC] <con1|7> parsed INFORMATIONAL response 2 [ ]
    Jun 2 12:50:12	charon		15[IKE] <con1|7> IKE_SA deleted
    Jun 2 12:50:12	charon		15[KNL] <con1|7> unable to query SAD entry with SPI caca0029: No such file or directory (2)
    Jun 2 12:50:12	charon		15[KNL] <con1|7> unable to delete SAD entry with SPI caca0029: No such file or directory (2)
    Jun 2 12:50:12	charon		15[KNL] <con1|8> unable to query SAD entry with SPI cee9e020: No such file or directory (2)
    Jun 2 12:50:16	charon		13[CFG] received stroke: terminate 'con1'
    Jun 2 12:50:16	charon		15[IKE] <con1|8> deleting IKE_SA con1[8] between y.y.y.y[y.y.y.y]...x.x.x.x[x.x.x.x]
    Jun 2 12:50:16	charon		15[IKE] <con1|8> sending DELETE for IKE_SA con1[8]
    Jun 2 12:50:16	charon		15[ENC] <con1|8> generating INFORMATIONAL request 0 [ D ]
    Jun 2 12:50:16	charon		15[NET] <con1|8> sending packet: from y.y.y.y[500] to x.x.x.x[500] (68 bytes)
    Jun 2 12:50:16	charon		10[KNL] <con1|8> unable to query SAD entry with SPI cee9e020: No such file or directory (2)
    Jun 2 12:50:18	charon		09[CFG] received stroke: terminate 'con1'
    Jun 2 12:50:18	charon		08[IKE] <con1|8> destroying IKE_SA in state DELETING without notification
    Jun 2 12:50:18	charon		08[KNL] <con1|8> unable to query SAD entry with SPI cee9e020: No such file or directory (2)
    Jun 2 12:50:18	charon		08[KNL] <con1|8> unable to delete SAD entry with SPI cee9e020: No such file or directory (2)
    Jun 2 12:50:18	charon		08[CFG] received stroke: initiate 'con1'
    Jun 2 12:50:18	charon		16[IKE] <con1|9> initiating IKE_SA con1[9] to x.x.x.x
    Jun 2 12:50:18	charon		16[ENC] <con1|9> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Jun 2 12:50:18	charon		16[NET] <con1|9> sending packet: from y.y.y.y[500] to x.x.x.x[500] (332 bytes)
    Jun 2 12:50:18	charon		16[NET] <con1|9> received packet: from x.x.x.x[500] to y.y.y.y[500] (332 bytes)
    Jun 2 12:50:18	charon		16[ENC] <con1|9> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    Jun 2 12:50:18	charon		16[IKE] <con1|9> authentication of 'y.y.y.y' (myself) with pre-shared key
    Jun 2 12:50:18	charon		16[IKE] <con1|9> establishing CHILD_SA con1
    Jun 2 12:50:18	charon		16[ENC] <con1|9> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
    Jun 2 12:50:18	charon		11[KNL] creating acquire job for policy y.y.y.y/32|/0 === x.x.x.x/32|/0 with reqid {1}
    Jun 2 12:50:18	charon		16[ENC] <con1|9> splitting IKE message with length of 828 bytes into 2 fragments
    Jun 2 12:50:18	charon		16[ENC] <con1|9> generating IKE_AUTH request 1 [ EF(1/2) ]
    Jun 2 12:50:18	charon		16[ENC] <con1|9> generating IKE_AUTH request 1 [ EF(2/2) ]
    Jun 2 12:50:18	charon		16[NET] <con1|9> sending packet: from y.y.y.y[500] to x.x.x.x[500] (544 bytes)
    Jun 2 12:50:18	charon		16[NET] <con1|9> sending packet: from y.y.y.y[500] to x.x.x.x[500] (344 bytes)
    Jun 2 12:50:18	charon		16[NET] <con1|9> received packet: from x.x.x.x[500] to y.y.y.y[500] (212 bytes)
    Jun 2 12:50:18	charon		16[ENC] <con1|9> parsed IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) ]
    Jun 2 12:50:18	charon		16[IKE] <con1|9> authentication of 'x.x.x.x' with pre-shared key successful
    Jun 2 12:50:18	charon		16[IKE] <con1|9> IKE_SA con1[9] established between y.y.y.y[y.y.y.y]...x.x.x.x[x.x.x.x]
    Jun 2 12:50:18	charon		16[IKE] <con1|9> scheduling reauthentication in 27781s
    Jun 2 12:50:18	charon		16[IKE] <con1|9> maximum IKE_SA lifetime 28321s
    Jun 2 12:50:18	charon		16[IKE] <con1|9> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Jun 2 12:50:18	charon		16[IKE] <con1|9> CHILD_SA con1{93} established with SPIs c88fe3d7_i c0ca3d0c_o and TS 10.0.6.0/24|/0 === 10.0.4.0/24|/0
    Jun 2 12:50:18	charon		16[IKE] <con1|9> received AUTH_LIFETIME of 27863s, scheduling reauthentication in 27323s
    Jun 2 12:50:18	charon		16[IKE] <con1|9> establishing CHILD_SA con1{1}
    Jun 2 12:50:18	charon		16[ENC] <con1|9> generating CREATE_CHILD_SA request 2 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
    Jun 2 12:50:18	charon		16[ENC] <con1|9> splitting IKE message with length of 788 bytes into 2 fragments
    Jun 2 12:50:18	charon		16[ENC] <con1|9> generating CREATE_CHILD_SA request 2 [ EF(1/2) ]
    Jun 2 12:50:18	charon		16[ENC] <con1|9> generating CREATE_CHILD_SA request 2 [ EF(2/2) ]
    Jun 2 12:50:18	charon		16[NET] <con1|9> sending packet: from y.y.y.y[500] to x.x.x.x[500] (544 bytes)
    Jun 2 12:50:18	charon		16[NET] <con1|9> sending packet: from y.y.y.y[500] to x.x.x.x[500] (304 bytes)
    Jun 2 12:50:18	charon		16[NET] <con1|9> received packet: from x.x.x.x[500] to y.y.y.y[500] (196 bytes)
    Jun 2 12:50:18	charon		16[ENC] <con1|9> parsed CREATE_CHILD_SA response 2 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
    Jun 2 12:50:18	charon		16[IKE] <con1|9> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Jun 2 12:50:18	charon		16[IKE] <con1|9> CHILD_SA con1{94} established with SPIs c8278eee_i ccf2c70a_o and TS 10.0.6.0/24|/0 === 10.0.4.0/24|/0
    Jun 2 12:50:24	charon		06[KNL] <con1|9> unable to query SAD entry with SPI c0ca3d0c: No such file or directory (2)
    Jun 2 12:50:30	charon		05[KNL] <con1|9> unable to query SAD entry with SPI c0ca3d0c: No such file or directory (2)
    Jun 2 12:50:36	charon		07[KNL] <con1|9> unable to query SAD entry with SPI c0ca3d0c: No such file or directory (2)
    Jun 2 12:50:42	charon		10[KNL] <con1|9> unable to query SAD entry with SPI c0ca3d0c: No such file or directory (2)
    Jun 2 12:50:48	charon		15[KNL] <con1|9> unable to query SAD entry with SPI c0ca3d0c: No such file or directory (2)
    Jun 2 12:50:54	charon		10[KNL] <con1|9> unable to query SAD entry with SPI c0ca3d0c: No such file or directory (2)
    Jun 2 12:51:00	charon		15[KNL] <con1|9> unable to query SAD entry with SPI c0ca3d0c: No such file or directory (2)
    Jun 2 12:51:06	charon		10[KNL] <con1|9> unable to query SAD entry with SPI c0ca3d0c: No such file or directory (2)
    Jun 2 12:51:11	charon		15[KNL] <con1|9> unable to query SAD entry with SPI c0ca3d0c: No such file or directory (2)</con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|9></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|7></con1|7></con1|7></con1|7></con1|7></con1|7></con1|7></con1|7></con1|7></con1|8></con1|7></con1|8></con1|7></con1|8></con1|7></con1|8></con1|7></con1|8></con1|7></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|7></con1|7></con1|8></con1|7></con1|7></con1|7></con1|7></con1|7>