[IKEv2] Deleting connection instance with peer after 1 hour #913
On Tue, 19 Jan 2021, ochbob wrote:
Subject: [hwdsl2/setup-ipsec-vpn] [IKEv2] Deleting connection instance with peer after 1 hour (#913)
Jan 19 19:22:50 pluto[23531]: "ikev2-cp"[5] #1022: IPsec SA established tunnel mode {ESPinUDP=>0x018edf78 <0x642ac48b xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=:4500 DPD=active}
Jan 19 19:22:50 pluto[23531]: "ikev2-cp"[5] #21: received Delete SA payload: expire IPsec State #1021 now
Is this normal behavior?
Yes. Windows has decided there is no more reason to keep the tunnel up, and brings it down. Nothing libreswan can do.
Thank you. But there is traffic on the VPN when Windows brings it down... Any workaround? Maybe a specific setting?
On Tue, 19 Jan 2021, ochbob wrote:
But there is traffic on the VPN when Windows brings it down... Any workaround? Maybe a specific setting?
That would be a Windows bug then :/
Lifetimes are not negotiated, so it's all up to Windows.
Paul
:( I will search on the Windows side then, thank you for the fast answer anyway :D
Thanks for the answers @letoams! [1] https://libreswan.org/man/ipsec.conf.5.html
- Fix an issue with IKEv2 disconnecting after one hour due to IKE SA expiration, by setting ikelifetime and salifetime to 24h. Ref: #913 #844 https://libreswan.org/man/ipsec.conf.5.html
Tested and confirmed that this issue (IKEv2 disconnect after one hour) is fixed with 7d9f2c6.
Question for @letoams: I tested with iOS, macOS and Windows clients, and found that when the server has setting rekey=no, Libreswan disconnects the IKEv2 VPN connection after about 60 minutes, which is the default ikelifetime. The client will then show "Not connected". Is this behavior normal? It looks like rekey=no is the suggested setting [1], and setting rekey=yes might not work as intended if the client is behind NAT [2]. The disconnect issue is fixed after I set ikelifetime and salifetime to 24h on the server. Libreswan logs around the time of disconnect are below. The macOS client disconnected around
[1] https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
I have found a workaround with this tool, which works really great (auto-reconnect): http://vpnlifeguard.blogspot.com/p/english.html Will definitely upgrade my server conf, but I do not have this configuration file? Edit: OK, never mind, I changed it in my configuration file => Thank you!
On Wed, 20 Jan 2021, Lin Song wrote:
Tested and confirmed that this issue (IKEv2 disconnect after one hour) is fixed with 7d9f2c6.
To fix on your server, please append the following lines to /etc/ipsec.d/ikev2.conf, indented by two spaces, then run sudo service ipsec restart.
ikelifetime=24h
salifetime=24h
Question for @letoams: I tested with iOS, macOS and Windows clients, and found that when the server has setting rekey=no, Libreswan disconnects the IKEv2 VPN connection after about 60 minutes, which is the default ikelifetime. The client will then show "Not connected". Is this behavior normal? It looks like rekey=no is the suggested setting [1], and setting rekey=yes might not work as intended if the client is behind NAT [2]. The disconnect issue is fixed after I set ikelifetime and salifetime to 24h on the server.
See my answer to the other bug report #405
With libreswan 4.1 you _can_ also use rekey=yes on the server side. But some clients don't like the server rekeying instead of them rekeying, so your fix to set lifetimes to 24h is the best fix.
Paul
With IKEv1, the IKE SA could expire while retaining the IPsec SA. Which meant an IKE SA of 1h would not affect an IPsec SA of 8h. With IKEv2, if the IKE SA expires, it takes down all IPsec SAs as well. As a result, the same default for ikelifetime= causes very different behaviour between IKEv1 and IKEv2 when rekey=no is set.

While it is possible with libreswan 4.x to set rekey=yes on the server side, to ensure the connection stays up, often clients (eg Windows) do not like it when the server initiates a rekey to them. This was reported at various places. Some examples:

Resolves: #405
Resolves: hwdsl2/setup-ipsec-vpn#913
Resolves: #362
- Fix an issue with IKEv2 disconnecting after one hour due to IKE SA expiration, by setting ikelifetime and salifetime to 24h. Ref: hwdsl2#913 hwdsl2#844 https://libreswan.org/man/ipsec.conf.5.html
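The fix quoted above (append ikelifetime=24h and salifetime=24h to the conn section and restart ipsec) and the IKEv1/IKEv2 difference described in the linked commit message, as an added shell example that is not code from hwdsl2/setup-ipsec-vpn or libreswan. It applies the two options to a libreswan conn section idempotently and checks that salifetime does not exceed ikelifetime, because with IKEv2 an expiring IKE SA takes its IPsec SAs down with it. Assumptions: the conn section uses two-space indented key=value lines (the layout the thread describes for /etc/ipsec.d/ikev2.conf) and is named ikev2-cp (the conn name in the posted logs); when an option is absent the script falls back to the libreswan defaults the thread refers to (ikelifetime 1h, salifetime 8h); the sample conn file at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from hwdsl2/setup-ipsec-vpn or libreswan.
# Applies the thread's fix (ikelifetime=24h, salifetime=24h) to a libreswan
# conn section by script, idempotently, and checks the resulting values.
# Assumptions: the conn section uses two-space indented key=value lines (the
# layout the thread describes for /etc/ipsec.d/ikev2.conf); the conn is named
# ikev2-cp (the name in the posted logs); absent options fall back to the
# libreswan defaults the thread mentions (ikelifetime 1h, salifetime 8h).

# lifetime_seconds VALUE: print VALUE in seconds. Accepts a bare number or a
# number with the s, m, h or d suffix used by libreswan time values.
lifetime_seconds() {
  case $1 in
    *s) echo $(( ${1%s} )) ;;
    *m) echo $(( ${1%m} * 60 )) ;;
    *h) echo $(( ${1%h} * 3600 )) ;;
    *d) echo $(( ${1%d} * 86400 )) ;;
    *)  echo $(( $1 )) ;;
  esac
}

# get_conn_option FILE CONN KEY: print the value of KEY inside "conn CONN",
# or nothing if that section does not set it.
get_conn_option() {
  awk -v conn="$2" -v key="$3" '
    /^(conn|config)[ \t]/ { in_conn = ($1 == "conn" && $2 == conn) }
    in_conn && $0 ~ ("^[ \t]*" key "=") { sub("^[ \t]*" key "=", ""); print; exit }
  ' "$1"
}

# set_conn_option FILE CONN KEY VALUE: replace an existing "  KEY=..." line in
# "conn CONN", or add one at the end of that section (before any blank line
# separating it from the next section). Other sections are left untouched and
# running it twice leaves exactly one KEY= line. The file is rewritten in
# place through cat so its owner and mode are preserved.
set_conn_option() {
  tmp=$(mktemp) || return 1
  awk -v conn="$2" -v key="$3" -v value="$4" '
    # end of the target section reached without seeing KEY: add it here
    in_conn && !done && ($0 ~ /^[ \t]*$/ || $0 ~ /^(conn|config)[ \t]/) {
      print "  " key "=" value; done = 1
    }
    /^(conn|config)[ \t]/ { in_conn = ($1 == "conn" && $2 == conn) }
    in_conn && $0 ~ ("^[ \t]*" key "=") { print "  " key "=" value; done = 1; next }
    { print }
    END { if (in_conn && !done) print "  " key "=" value }
  ' "$1" > "$tmp" && cat "$tmp" > "$1"
  rm -f "$tmp"
}

# check_ikev2_lifetimes FILE CONN: succeed (exit 0) when salifetime does not
# exceed ikelifetime. With IKEv2 an expiring IKE SA takes every IPsec SA down
# with it, so with rekey=no the tunnel lives min(ikelifetime, salifetime): the
# 1h ikelifetime default silently caps the 8h salifetime default, which is the
# one-hour disconnect discussed in this issue.
check_ikev2_lifetimes() {
  ike=$(get_conn_option "$1" "$2" ikelifetime)
  sa=$(get_conn_option "$1" "$2" salifetime)
  ike=$(lifetime_seconds "${ike:-1h}")
  sa=$(lifetime_seconds "${sa:-8h}")
  [ "$sa" -le "$ike" ]
}

# Demonstration on a constructed conn file (not a real /etc/ipsec.d/ikev2.conf).
demo() {
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
conn ikev2-cp
  left=%defaultroute
  rekey=no
  salifetime=8h

conn other
  ikelifetime=1h
EOF
  if check_ikev2_lifetimes "$f" ikev2-cp; then echo "before: lifetimes consistent"
  else echo "before: salifetime is capped by the 1h ikelifetime default"; fi
  set_conn_option "$f" ikev2-cp ikelifetime 24h
  set_conn_option "$f" ikev2-cp salifetime 24h
  if check_ikev2_lifetimes "$f" ikev2-cp; then echo "after: lifetimes consistent"; fi
  cat "$f"
  rm -f "$f"
}

demo
```

To apply it to a real server, source the file and call `set_conn_option /etc/ipsec.d/ikev2.conf ikev2-cp ikelifetime 24h` (and the same for salifetime) as root, then restart ipsec as the thread instructs; `check_ikev2_lifetimes` on its own tells you whether the 1h IKE default is capping a longer salifetime before you change anything.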
Hello,
I'm running libreswan 4.1 on Debian Buster (updated) with a 4.9 kernel; everything works great, but I have one user who connects with Windows 10 (updated) and after 1 hour he is disconnected.
He is my only user, so I can't test with another client.
Last log before disconnection:
IKEv2 conf:
Is this normal behavior?
Any ideas?
Thank you very much.