IKEv2 with MS-EAP disconnects after 20-30mins



  • Hi,

    I have spent a lot of time trying to gt IKEv2 vpn working with the in-built client from Microsoft and with the good help of the forum, have it working OK-ish. The vpn connects (using Win in-built or StrongSWAN for Mac) OK and is useable either with or without split routing. The problem comes after a period of time (sometimes up to an hour but usually within 30 mins) the client stops tunnelling traffic and the connection needs to be forcibly closed.

    I have managed to capture the below (masked) log of what happens when this occurs and wonder if anybody can help me make sense of it and how I might resolve the problem.

    thanks in advance for looking

    James

    <30>Feb  1 22:08:33 charon: 15[IKE] <con3|14499>sending DPD request 192.168.120.254 01/02 22:08:33.631


    <30>Feb  1 22:08:33 charon: 15[NET] <con3|14499>sending packet: from 88.211.xxx.xxx[4500] to 176.26.31.75[39060] (60 bytes) 192.168.120.254 01/02 22:08:33.633
    <30>Feb  1 22:08:33 charon: 15[NET] <con3|14499>received packet: from 176.26.31.75[39060] to 88.211.xxx.xxx[4500] (60 bytes) 192.168.120.254 01/02 22:08:33.687

    <30>Feb  1 22:08:43 charon: 10[IKE] <con3|14499>sending DPD request 192.168.120.254 01/02 22:08:43.643

    <30>Feb  1 22:08:43 charon: 10[NET] <con3|14499>sending packet: from 88.211.xxx.xxx[4500] to 176.26.31.75[39060] (60 bytes) 192.168.120.254 01/02 22:08:43.646
    <30>Feb  1 22:08:43 charon: 10[NET] <con3|14499>received packet: from 176.26.31.75[39060] to 88.211.xxx.xxx[4500] (60 bytes) 192.168.120.254 01/02 22:08:43.667

    <30>Feb  1 22:08:53 charon: 13[IKE] <con3|14499>sending DPD request 192.168.120.254 01/02 22:08:53.658

    <30>Feb  1 22:08:53 charon: 13[NET] <con3|14499>sending packet: from 88.211.xxx.xxx[4500] to 176.26.31.75[39060] (60 bytes) 192.168.120.254 01/02 22:08:53.660
    <30>Feb  1 22:08:53 charon: 13[NET] <con3|14499>received packet: from 176.26.31.75[39060] to 88.211.xxx.xxx[4500] (60 bytes) 192.168.120.254 01/02 22:08:53.666

    <30>Feb  1 22:09:03 charon: 12[IKE] <con3|14499>sending DPD request 192.168.120.254 01/02 22:09:03.670

    <30>Feb  1 22:09:03 charon: 12[NET] <con3|14499>sending packet: from 88.211.xxx.xxx[4500] to 176.26.31.75[39060] (60 bytes) 192.168.120.254 01/02 22:09:03.673
    <30>Feb  1 22:09:03 charon: 12[NET] <con3|14499>received packet: from 176.26.31.75[39060] to 88.211.xxx.xxx[4500] (60 bytes) 192.168.120.254 01/02 22:09:03.678

    <30>Feb  1 22:09:07 charon: 08[NET] <con3|14499>received packet: from 176.26.31.75[39060] to 88.211.xxx.xxx[4500] (428 bytes) 192.168.120.254 01/02 22:09:07.432
    <30>Feb  1 22:09:07 charon: 08[ENC] <con3|14499>parsed CREATE_CHILD_SA request 10 [ SA No TSi TSr ] 192.168.120.254 01/02 22:09:07.434
    <30>Feb  1 22:09:07 charon: 08[IKE] <con3|14499>traffic selectors 0.0.0.0/0|/0 ::/0|/0 === 0.0.0.0/0|/0 ::/0|/0 inacceptable 192.168.120.254 01/02 22:09:07.435
    <30>Feb  1 22:09:07 charon: 08[IKE] <con3|14499>failed to establish CHILD_SA, keeping IKE_SA 192.168.120.254 01/02 22:09:07.436
    <30>Feb  1 22:09:07 charon: 08[ENC] <con3|14499>generating CREATE_CHILD_SA response 10 [ N(TS_UNACCEPT) ] 192.168.120.254 01/02 22:09:07.438
    <30>Feb  1 22:09:07 charon: 08[NET] <con3|14499>sending packet: from 88.211.xxx.xxx[4500] to 176.26.31.75[39060] (68 bytes) 192.168.120.254 01/02 22:09:07.439
    <30>Feb  1 22:09:10 charon: 14[NET] <con3|14499>received packet: from 176.26.31.75[39060] to 88.211.xxx.xxx[4500] (68 bytes) 192.168.120.254 01/02 22:09:11.163
    <30>Feb  1 22:09:10 charon: 14[ENC] <con3|14499>parsed INFORMATIONAL request 11 [ D ] 192.168.120.254 01/02 22:09:11.165
    <30>Feb  1 22:09:10 charon: 14[IKE] <con3|14499>received DELETE for IKE_SA con3[14499] 192.168.120.254 01/02 22:09:11.168
    <30>Feb  1 22:09:10 charon: 14[IKE] <con3|14499>deleting IKE_SA con3[14499] between 88.211.xxx.xxx[itb-her-gw-1.xxxxxxxx.co.uk]…176.26.31.75[192.168.200.28] 192.168.120.254 01/02 22:09:11.169
    <30>Feb  1 22:09:10 charon: 14[IKE] <con3|14499>IKE_SA deleted 192.168.120.254 01/02 22:09:11.171

    <30>Feb  1 22:09:10 charon: 14[NET] <con3|14499>sending packet: from 88.211.xxx.xxx[4500] to 176.26.31.75[39060] (60 bytes) 192.168.120.254 01/02 22:09:11.173
    <30>Feb  1 22:09:10 charon: 14[CFG] <con3|14499>lease 192.168.125.3 by 'xxxxxxxx\xxxxx' went offline 192.168.120.254 01/02 22:09:11.175</con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499>



  • Sorted it out myself. If anybody else has this issue, make sure you haven't got 'PFS key group' set to anything else but 'off' - through troubleshooting issues with it not working with latest Insider Release of Windows 10, it got switched on. Doh!



  • Are you sure that the problem is solved?
    We struggle with Windows 10 1607 since some update pack introduced the "feature" that the VPN is hang-up after some short time without traffic. Windows 10 1511 fully patched and Windows 7 are working fine with the very same settings. To reproduce open the VPN, do some ping across the VPN to see its working and than do nothing for around 5 minutes. The next ping fail and the VPN is closed. This is with all Windows 10 1607 machine at patch level higher than around 11/2016.
    It would be nice if you can confirm either that this scenario is working for you or the same error with idle VPN and Windows 10 1607. The "PFS key group" is set to "off" in our case and was never touched.

    Regards

    Andreas