IKEv2 Win mobile client - no traffic after re-key
-
Windows 10/11 client behind NAT
AES128 SHA1 G2 on P1
AES128 SHA1 on P2 with no PFS
(This is just an example of my most recent test. I use another config on new setups.)
VPN client and IPSec status on the pfsense show everything is still connected but no traffic can pass after the first re-key after around an hour.
I've specifically set all the encryption etc. with PowerShell so that there is no mismatch in the proposals.
P1 and P2 lifetimes are well above the default Windows lifetimes so that Windows presumably always does the re-keys.
Here is what I think is a log of the re-key:
Dec 7 14:45:54 charon 47973 15[NET] <con-mobile|8086> received packet: from ClientPublicIP[4500] to ServerPublicIP[4500] (300 bytes)
Dec 7 14:45:54 charon 47973 15[ENC] <con-mobile|8086> parsed CREATE_CHILD_SA request 6 [ N(REKEY_SA) SA No TSi TSr ]
Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> selecting proposal:
Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> proposal matches
Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> selecting traffic selectors for us:
Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> config: 10.2.1.0/24|/0, received: 0.0.0.0/0|/0 => match: 10.2.1.0/24|/0
Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> config: 10.2.1.0/24|/0, received: ::/0|/0 => no match
Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> config: 10.1.1.0/24|/0, received: 0.0.0.0/0|/0 => match: 10.1.1.0/24|/0
Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> config: 10.1.1.0/24|/0, received: ::/0|/0 => no match
Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> selecting traffic selectors for other:
Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> config: 10.4.2.16/32|/0, received: 0.0.0.0/0|/0 => match: 10.4.2.16/32|/0
Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> config: 10.4.2.16/32|/0, received: ::/0|/0 => no match
Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> CHILD_SA con-mobile{4269} state change: CREATED => INSTALLING
Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> using AES_CBC for encryption
Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> using HMAC_SHA1_96 for integrity
Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> adding inbound ESP SA
Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> SPI 0xc21d9b52, src ClientPublicIP dst ServerPublicIP
Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> registering outbound ESP SA
Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> SPI 0x83893db2, src ServerPublicIP dst ClientPublicIP
Dec 7 14:45:54 charon 47973 15[IKE] <con-mobile|8086> inbound CHILD_SA con-mobile{4269} established with SPIs c21d9b52_i 83893db2_o and TS 10.1.1.0/24|/0 10.2.1.0/24|/0 === 10.4.2.16/32|/0
Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> CHILD_SA con-mobile{4269} state change: INSTALLING => INSTALLED
Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> CHILD_SA con-mobile{4265} state change: INSTALLED => REKEYING
Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> CHILD_SA con-mobile{4265} state change: REKEYING => REKEYED
Dec 7 14:45:54 charon 47973 15[ENC] <con-mobile|8086> generating CREATE_CHILD_SA response 6 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Dec 7 14:45:54 charon 47973 15[NET] <con-mobile|8086> sending packet: from ServerPublicIP[4500] to ClientPublicIP[4500] (220 bytes)
Dec 7 14:45:54 charon 47973 05[NET] <con-mobile|8086> received packet: from ClientPublicIP[4500] to ServerPublicIP[4500] (76 bytes)
Dec 7 14:45:54 charon 47973 05[ENC] <con-mobile|8086> parsed INFORMATIONAL request 7 [ D ]
Dec 7 14:45:54 charon 47973 05[IKE] <con-mobile|8086> received DELETE for ESP CHILD_SA with SPI 976a3f4e
Dec 7 14:45:54 charon 47973 05[IKE] <con-mobile|8086> closing CHILD_SA con-mobile{4265} with SPIs c898f5e4_i (187547 bytes) 976a3f4e_o (318632 bytes) and TS 10.1.1.0/24|/0 10.2.1.0/24|/0 === 10.4.2.16/32|/0
Dec 7 14:45:54 charon 47973 05[IKE] <con-mobile|8086> sending DELETE for ESP CHILD_SA with SPI c898f5e4
Dec 7 14:45:54 charon 47973 05[CHD] <con-mobile|8086> CHILD_SA con-mobile{4265} state change: REKEYED => DELETING
Dec 7 14:45:54 charon 47973 05[IKE] <con-mobile|8086> CHILD_SA closed
Dec 7 14:45:54 charon 47973 05[CHD] <con-mobile|8086> CHILD_SA con-mobile{4265} state change: DELETING => DELETED
Dec 7 14:45:54 charon 47973 05[CHD] <con-mobile|8086> adding outbound ESP SA
Dec 7 14:45:54 charon 47973 05[CHD] <con-mobile|8086> SPI 0x83893db2, src ServerPublicIP dst ClientPublicIP
Dec 7 14:45:54 charon 47973 05[IKE] <con-mobile|8086> outbound CHILD_SA con-mobile{4269} established with SPIs c21d9b52_i 83893db2_o and TS 10.1.1.0/24|/0 10.2.1.0/24|/0 === 10.4.2.16/32|/0
Dec 7 14:45:54 charon 47973 05[ENC] <con-mobile|8086> generating INFORMATIONAL response 7 [ D ]
Dec 7 14:45:54 charon 47973 05[NET] <con-mobile|8086> sending packet: from ServerPublicIP[4500] to ClientPublicIP[4500] (76 bytes)
Dec 7 14:45:56 charon 47973 09[IKE] <con1|8079> queueing CHILD_DELETE task
Dec 7 14:45:56 charon 47973 09[IKE] <con1|8079> activating new tasks
Dec 7 14:45:56 charon 47973 09[IKE] <con1|8079> activating CHILD_DELETE task
Dec 7 14:45:56 charon 47973 09[CHD] <con1|8079> CHILD_SA con1{4266} state change: DELETED => DESTROYING
Dec 7 14:45:56 charon 47973 09[IKE] <con1|8079> activating new tasks
Dec 7 14:45:56 charon 47973 09[IKE] <con1|8079> nothing to initiate
Dec 7 14:45:59 charon 47973 09[IKE] <con-mobile|8086> queueing CHILD_DELETE task
Dec 7 14:45:59 charon 47973 09[IKE] <con-mobile|8086> activating new tasks
Dec 7 14:45:59 charon 47973 09[IKE] <con-mobile|8086> activating CHILD_DELETE task
Dec 7 14:45:59 charon 47973 09[CHD] <con-mobile|8086> CHILD_SA con-mobile{4265} state change: DELETED => DESTROYING
-
I just tried with PFS and still the same issue. Any ideas anyone?
-
I finally got a working test without the issue. Issue only occurs with RADIUS authentication and EAP-RADIUS. EAP-MSCHAPv2 with local user/PSK list does not have the issue.
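For anyone reading a similar log, here is a small checker, added as an example and not code from the post or from strongSwan/pfSense, that parses these charon lines and reconstructs the CHILD_SA lifecycle around the rekey: which SA replaced which, whether both the inbound and outbound halves of the new SA were installed, whether the old SA was deleted, and how many bytes the old SA carried in each direction. The log text is the excerpt from the first post with its placeholder IPs; the pairing heuristic in `parse_charon_log` and the `audit_rekey` checks are my own. On this excerpt it reports a clean swap (4265 replaced by 4269, both halves installed, old SA deleted after carrying traffic both ways), which is what the log shows by eye and is why the SA installation itself was not where the fault turned out to be.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Log excerpt copied from the post above (ClientPublicIP/ServerPublicIP are the
# poster's own placeholders), trimmed to the lines that describe the CHILD_SA lifecycle.
CHARON_LOG = """\
Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> CHILD_SA con-mobile{4269} state change: CREATED => INSTALLING
Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> adding inbound ESP SA
Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> SPI 0xc21d9b52, src ClientPublicIP dst ServerPublicIP
Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> registering outbound ESP SA
Dec 7 14:45:54 charon 47973 15[IKE] <con-mobile|8086> inbound CHILD_SA con-mobile{4269} established with SPIs c21d9b52_i 83893db2_o and TS 10.1.1.0/24|/0 10.2.1.0/24|/0 === 10.4.2.16/32|/0
Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> CHILD_SA con-mobile{4269} state change: INSTALLING => INSTALLED
Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> CHILD_SA con-mobile{4265} state change: INSTALLED => REKEYING
Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> CHILD_SA con-mobile{4265} state change: REKEYING => REKEYED
Dec 7 14:45:54 charon 47973 05[IKE] <con-mobile|8086> received DELETE for ESP CHILD_SA with SPI 976a3f4e
Dec 7 14:45:54 charon 47973 05[IKE] <con-mobile|8086> closing CHILD_SA con-mobile{4265} with SPIs c898f5e4_i (187547 bytes) 976a3f4e_o (318632 bytes) and TS 10.1.1.0/24|/0 10.2.1.0/24|/0 === 10.4.2.16/32|/0
Dec 7 14:45:54 charon 47973 05[CHD] <con-mobile|8086> CHILD_SA con-mobile{4265} state change: REKEYED => DELETING
Dec 7 14:45:54 charon 47973 05[CHD] <con-mobile|8086> CHILD_SA con-mobile{4265} state change: DELETING => DELETED
Dec 7 14:45:54 charon 47973 05[CHD] <con-mobile|8086> adding outbound ESP SA
Dec 7 14:45:54 charon 47973 05[IKE] <con-mobile|8086> outbound CHILD_SA con-mobile{4269} established with SPIs c21d9b52_i 83893db2_o and TS 10.1.1.0/24|/0 10.2.1.0/24|/0 === 10.4.2.16/32|/0
Dec 7 14:45:56 charon 47973 09[CHD] <con1|8079> CHILD_SA con1{4266} state change: DELETED => DESTROYING
Dec 7 14:45:59 charon 47973 09[CHD] <con-mobile|8086> CHILD_SA con-mobile{4265} state change: DELETED => DESTROYING
"""

# "<conn|ike_sa_id> message" prefix that charon puts on every per-IKE_SA line
PREFIX_RE = re.compile(r"<(?P<conn>[^|>]+)\|(?P<ike>\d+)> (?P<msg>.*)$")
STATE_RE = re.compile(
    r"CHILD_SA [\w-]+\{(?P<id>\d+)\} state change: (?P<frm>\w+) => (?P<to>\w+)")
ESTAB_RE = re.compile(
    r"(?P<dir>inbound|outbound) CHILD_SA [\w-]+\{(?P<id>\d+)\} established with SPIs "
    r"(?P<spi_i>[0-9a-f]+)_i (?P<spi_o>[0-9a-f]+)_o")
CLOSE_RE = re.compile(
    r"closing CHILD_SA [\w-]+\{(?P<id>\d+)\} with SPIs [0-9a-f]+_i \((?P<bytes_i>\d+) bytes\) "
    r"[0-9a-f]+_o \((?P<bytes_o>\d+) bytes\)")


@dataclass
class ChildSA:
    sa_id: int
    conn: str
    ike_sa: int
    states: List[str] = field(default_factory=list)      # state names in the order seen
    established: Set[str] = field(default_factory=set)   # subset of {"inbound", "outbound"}
    spi_in: str = ""
    spi_out: str = ""
    bytes_in: int = 0          # counters charon reports when the SA is closed
    bytes_out: int = 0
    replaced_by: Optional[int] = None   # id of the SA that took over at rekey


def parse_charon_log(text: str) -> Dict[int, ChildSA]:
    """Reconstruct every CHILD_SA mentioned in the log, keyed by its {id}."""
    sas: Dict[int, ChildSA] = {}

    def get(sa_id: int, conn: str, ike: int) -> ChildSA:
        return sas.setdefault(sa_id, ChildSA(sa_id, conn, ike))

    for line in text.splitlines():
        m = PREFIX_RE.search(line)
        if not m:
            continue
        conn, ike, msg = m["conn"], int(m["ike"]), m["msg"]
        st = STATE_RE.search(msg)
        if st:
            sa = get(int(st["id"]), conn, ike)
            if not sa.states:
                sa.states.append(st["frm"])
            sa.states.append(st["to"])
            if st["frm"] == "INSTALLED" and st["to"] == "REKEYING":
                # Pairing heuristic (mine, not strongSwan's): the replacement is the newest
                # SA on the same IKE_SA that is currently INSTALLED. As the post's log shows,
                # charon installs the new CHILD_SA before moving the old one to REKEYING.
                cands = [o for o in sas.values()
                         if o.ike_sa == ike and o.sa_id != sa.sa_id
                         and o.states and o.states[-1] == "INSTALLED"]
                if cands:
                    sa.replaced_by = max(cands, key=lambda o: o.sa_id).sa_id
            continue
        es = ESTAB_RE.search(msg)
        if es:
            sa = get(int(es["id"]), conn, ike)
            sa.established.add(es["dir"])
            sa.spi_in, sa.spi_out = es["spi_i"], es["spi_o"]
            continue
        cl = CLOSE_RE.search(msg)
        if cl:
            sa = get(int(cl["id"]), conn, ike)
            sa.bytes_in, sa.bytes_out = int(cl["bytes_i"]), int(cl["bytes_o"])
    return sas


def audit_rekey(sas: Dict[int, ChildSA], old_id: int) -> List[str]:
    """Findings for one rekey as seen by the responder. An empty list means the SA swap
    itself completed: both halves of the new SA installed and the old SA deleted."""
    old = sas[old_id]
    if old.replaced_by is None:
        return [f"SA {old_id}: entered REKEYING but no replacement SA was seen"]
    new = sas[old.replaced_by]
    findings = []
    for direction in ("inbound", "outbound"):
        if direction not in new.established:
            findings.append(f"SA {new.sa_id}: {direction} half never established")
    if "DELETED" not in old.states:
        findings.append(f"SA {old_id}: never deleted after REKEYED")
    if old.bytes_in == 0 or old.bytes_out == 0:
        findings.append(f"SA {old_id}: no traffic in one direction before the rekey")
    return findings


def rekey_pairs(sas: Dict[int, ChildSA]) -> List[Tuple[int, int]]:
    """(old_id, new_id) for every rekey the log records."""
    return sorted((sa.sa_id, sa.replaced_by) for sa in sas.values()
                  if sa.replaced_by is not None)


if __name__ == "__main__":
    sas = parse_charon_log(CHARON_LOG)
    for old_id, new_id in rekey_pairs(sas):
        print(f"CHILD_SA {old_id} -> {new_id}: {audit_rekey(sas, old_id) or 'clean'}")
```

A clean result from `audit_rekey` only says the responder installed and swapped the SAs correctly; it says nothing about whether the client actually uses the new SPIs, so the next place to look after a clean swap is what differs between the working and failing setups (here, the authentication method) rather than the proposals or lifetimes.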