IPsec connects, works for a while and then freezes



  • Hi,

    Having a very weird issue where IPsec IKEv2 between 2 boxes connects and works for around 1-2 hours and then freezes; I have to constantly restart the ipsec service to make it work.

    The log shows that the tunnel is still active on both sides, but no traffic can pass through.

    I have deleted and recreated the tunnels on both ends and changed the key lifetime from the default to a lower value. Tried both IKEv1 and IKEv2.

    Out of ideas. All help is appreciated.

    Regards



  • Tried all of the above for the second day but am still getting the same issue: IPsec shows as connected but nothing gets through. >:(

    EDIT: Seems to be a rekeying issue.

    Log entries as follows:

    Feb 16 16:49:50 charon: 07[ENC] generating CREATE_CHILD_SA request 141 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No TSi TSr ]
    Feb 16 16:49:50 charon: 07[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (252 bytes)
    Feb 16 16:49:50 charon: 07[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (76 bytes)
    Feb 16 16:49:50 charon: 07[ENC] parsed CREATE_CHILD_SA response 141 [ N(NO_PROP) ]
    Feb 16 16:49:50 charon: 07[IKE] <con1|2>received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    Feb 16 16:49:50 charon: 07[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    Feb 16 16:49:50 charon: 07[IKE] <con1|2>failed to establish CHILD_SA, keeping IKE_SA
    Feb 16 16:49:50 charon: 07[IKE] failed to establish CHILD_SA, keeping IKE_SA
    Feb 16 16:49:50 charon: 07[IKE] <con1|2>CHILD_SA rekeying failed, trying again in 20 seconds
    Feb 16 16:49:50 charon: 07[IKE] CHILD_SA rekeying failed, trying again in 20 seconds

    The log keeps repeating itself until the tunnel is manually disconnected and reconnected.

    All advice is appreciated.

    Regards
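An added example, not from the original post and not strongSwan code: a small Python detector that runs over charon log lines like the ones above and flags an IKE_SA whose CHILD_SA rekeys keep being refused. In IKEv2 (RFC 7296) a NO_PROPOSAL_CHOSEN notify in the CREATE_CHILD_SA response means the responder accepted none of the proposals in the SA payload, so charon keeps the IKE_SA ("keeping IKE_SA") but builds no replacement CHILD_SA; once the old CHILD_SA expires, the tunnel reports as up with nothing able to pass, which is the symptom the post describes. The sample log embeds the 16:49:50 block from the post verbatim (including the duplicated lines without the `<con1|2>` prefix that a second log sink produces) and adds a constructed earlier successful rekey and two constructed retries 20 seconds apart, as the post says the block repeats; the SPIs, traffic selectors and extra message ids are made up. The request in the post carries no KE payload, so the rekey proposes no DH group; the detector reports that count separately because a responder whose ESP proposal requires a DH group (PFS) would typically answer exactly this way, although the log alone does not prove that is the cause here. The threshold of three consecutive refusals is an arbitrary choice for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log. The 16:49:50 block is copied from the post; the 16:48:30
# success and the 16:50:10 / 16:50:30 retries are assumed, with made-up SPIs and ids.
SAMPLE_LOG = """\
Feb 16 16:48:30 charon: 05[ENC] generating CREATE_CHILD_SA request 140 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Feb 16 16:48:30 charon: 05[ENC] parsed CREATE_CHILD_SA response 140 [ SA No KE TSi TSr ]
Feb 16 16:48:30 charon: 05[IKE] <con1|2> CHILD_SA con1{3} established with SPIs c0a8b2e1_i 5d4e3f20_o and TS 10.0.0.0/24 === 10.1.0.0/24
Feb 16 16:49:50 charon: 07[ENC] generating CREATE_CHILD_SA request 141 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No TSi TSr ]
Feb 16 16:49:50 charon: 07[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (252 bytes)
Feb 16 16:49:50 charon: 07[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (76 bytes)
Feb 16 16:49:50 charon: 07[ENC] parsed CREATE_CHILD_SA response 141 [ N(NO_PROP) ]
Feb 16 16:49:50 charon: 07[IKE] <con1|2>received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Feb 16 16:49:50 charon: 07[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Feb 16 16:49:50 charon: 07[IKE] <con1|2>failed to establish CHILD_SA, keeping IKE_SA
Feb 16 16:49:50 charon: 07[IKE] failed to establish CHILD_SA, keeping IKE_SA
Feb 16 16:49:50 charon: 07[IKE] <con1|2>CHILD_SA rekeying failed, trying again in 20 seconds
Feb 16 16:49:50 charon: 07[IKE] CHILD_SA rekeying failed, trying again in 20 seconds
Feb 16 16:50:10 charon: 09[ENC] generating CREATE_CHILD_SA request 142 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No TSi TSr ]
Feb 16 16:50:10 charon: 09[ENC] parsed CREATE_CHILD_SA response 142 [ N(NO_PROP) ]
Feb 16 16:50:10 charon: 09[IKE] <con1|2> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Feb 16 16:50:10 charon: 09[IKE] <con1|2> CHILD_SA rekeying failed, trying again in 20 seconds
Feb 16 16:50:30 charon: 11[ENC] generating CREATE_CHILD_SA request 143 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No TSi TSr ]
Feb 16 16:50:30 charon: 11[ENC] parsed CREATE_CHILD_SA response 143 [ N(NO_PROP) ]
Feb 16 16:50:30 charon: 11[IKE] <con1|2> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Feb 16 16:50:30 charon: 11[IKE] <con1|2> CHILD_SA rekeying failed, trying again in 20 seconds
"""

# "<timestamp> charon: <thread>[<group>] [<ike_sa_name|id>] <message>"; the prefix is
# optional because ENC/NET lines and the second log sink omit it.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"(?:<(?P<ike_sa>[^>]+)> ?)?(?P<msg>.*)$"
)
REKEY_REQ_RE = re.compile(
    r"generating CREATE_CHILD_SA request (?P<mid>\d+) \[ (?P<payloads>[^\]]*)\]"
)


@dataclass
class Attempt:
    mid: str            # IKEv2 message id of the CREATE_CHILD_SA request
    ts: str
    pfs: bool           # request carried a KE payload, i.e. proposed a DH group
    outcome: str = "pending"   # "established" or "no_proposal" once answered


@dataclass
class SaState:
    attempts: list = field(default_factory=list)
    consecutive_failures: int = 0


def summarise(st, fail_threshold):
    failed = [a for a in st.attempts if a.outcome == "no_proposal"]
    return {
        "rekeys_attempted": len(st.attempts),
        "rekeys_established": sum(a.outcome == "established" for a in st.attempts),
        "no_proposal_chosen": len(failed),
        "consecutive_failures": st.consecutive_failures,
        "failed_message_ids": [a.mid for a in failed],
        "last_failure": failed[-1].ts if failed else None,
        # refused rekeys that proposed no DH group: a hint, not a diagnosis
        "failed_without_pfs": sum(not a.pfs for a in failed),
        # IKE_SA still up, but every recent attempt to replace the CHILD_SA refused
        "stuck": st.consecutive_failures >= fail_threshold,
    }


def analyse(log_text, fail_threshold=3):
    """Return {ike_sa_name: summary} for every IKE_SA seen rekeying a CHILD_SA."""
    states = defaultdict(SaState)
    in_flight = {}   # charon thread id -> Attempt for the rekey request it generated
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        thread, msg, ike_sa, ts = m["thread"], m["msg"], m["ike_sa"], m["ts"]
        req = REKEY_REQ_RE.search(msg)
        if req:
            tokens = req["payloads"].split()
            if "N(REKEY_SA)" in tokens:            # a rekey, not an initial CHILD_SA
                in_flight[thread] = Attempt(req["mid"], ts, pfs="KE" in tokens)
            continue
        # Only the IKE line that names the IKE_SA counts; the un-prefixed duplicate
        # from the second sink and the NET/ENC lines are skipped here.
        if ike_sa is None or thread not in in_flight:
            continue
        st = states[ike_sa]
        attempt = in_flight[thread]
        if "received NO_PROPOSAL_CHOSEN notify" in msg:
            attempt.outcome = "no_proposal"
            st.consecutive_failures += 1
        elif "established with SPIs" in msg:
            attempt.outcome = "established"
            st.consecutive_failures = 0
        else:
            continue                               # "keeping IKE_SA", "trying again" lines
        st.attempts.append(in_flight.pop(thread))
    return {name: summarise(st, fail_threshold) for name, st in states.items()}


if __name__ == "__main__":
    for name, summary in analyse(SAMPLE_LOG).items():
        print(name, summary)
```

Run it against the live charon output (for example `journalctl -u strongswan -o cat` or the syslog file charon writes to) to get a per-IKE_SA verdict; a `stuck` entry with a growing `failed_message_ids` list is the condition to alert on, because `ipsec status` on both ends will still show the tunnel as established. Comparing `failed_without_pfs` with the ESP proposals configured on the responder is then the first thing to check.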