IKEV2 disconnects every 1 hour or so #362

Closed
ndjfhk opened this issue Sep 2, 2020 · 1 comment

ndjfhk commented Sep 2, 2020

Aug 31 08:12:06 vultr pluto[1464]: "ikev2-cp"[22] *************: local IKE proposals (IKE SA responder matching remote proposals):
Aug 31 08:12:06 vultr pluto[1464]: "ikev2-cp"[22] *************: 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521
Aug 31 08:12:06 vultr pluto[1464]: "ikev2-cp"[22] *************: 2:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521
Aug 31 08:12:06 vultr pluto[1464]: "ikev2-cp"[22] *************: 3:IKE=AES_CBC_256-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521
Aug 31 08:12:06 vultr pluto[1464]: "ikev2-cp"[22] *************: 4:IKE=AES_CBC_128-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521
Aug 31 08:12:06 vultr pluto[1464]: "ikev2-cp"[22] *************: 5:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP1024
Aug 31 08:12:06 vultr pluto[1464]: "ikev2-cp"[22] *************: 6:IKE=AES_CBC_128-HMAC_SHA1-HMAC_SHA1_96-MODP1024
Aug 31 08:12:06 vultr pluto[1464]: "ikev2-cp"[22] ************* #95: proposal 2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048[first-match] 2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[better-match] 3:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP2048
Aug 31 08:12:06 vultr pluto[1464]: "ikev2-cp"[22] ************* #95: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
Aug 31 08:12:06 vultr pluto[1464]: "ikev2-cp"[22] ************* #95: processing decrypted IKE_AUTH request: SK{IDi,CERT,CERTREQ,AUTH,N,CP,SA,TSi,TSr}
Aug 31 08:12:06 vultr pluto[1464]: loading root certificate cache
Aug 31 08:12:06 vultr pluto[1464]: "ikev2-cp"[22] ************* #95: certificate verified OK: O=IKEv2 VPN,CN=vpnclient
Aug 31 08:12:06 vultr pluto[1464]: "ikev2-cp"[22] ************* #95: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=vpnclient, O=IKEv2 VPN'
Aug 31 08:12:06 vultr pluto[1464]: "ikev2-cp"[22] ************* #95: Authenticated using RSA with IKEv2_AUTH_HASH_SHA1
Aug 31 08:12:06 vultr pluto[1464]: "ikev2-cp"[22] *************: local ESP/AH proposals (IKE_AUTH responder matching remote ESP/AH proposals):
Aug 31 08:12:06 vultr pluto[1464]: "ikev2-cp"[22] *************: 1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-NONE-DISABLED
Aug 31 08:12:06 vultr pluto[1464]: "ikev2-cp"[22] *************: 2:ESP=AES_CBC_128-HMAC_SHA1_96-NONE-DISABLED
Aug 31 08:12:06 vultr pluto[1464]: "ikev2-cp"[22] *************: 3:ESP=AES_CBC_256-HMAC_SHA1_96-NONE-DISABLED
Aug 31 08:12:06 vultr pluto[1464]: "ikev2-cp"[22] *************: 4:ESP=AES_CBC_128-HMAC_SHA2_256_128-NONE-DISABLED
Aug 31 08:12:06 vultr pluto[1464]: "ikev2-cp"[22] : 5:ESP=AES_CBC_256-HMAC_SHA2_256_128-NONE-DISABLED
Aug 31 08:12:06 vultr pluto[1464]: "ikev2-cp"[22] ************* #95: proposal 1:ESP=AES_CBC_256-HMAC_SHA1_96-DISABLED SPI=a04a6982 chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED[first-match] 2:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED
Aug 31 08:12:06 vultr pluto[1464]: "ikev2-cp"[22] ************* #96: negotiated connection [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0]
Aug 31 08:12:06 vultr pluto[1464]: "ikev2-cp"[22] ************* #96: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0xa04a6982 <0x4a19ec9b xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=
:21501 DPD=active}
Aug 31 08:17:01 vultr CRON[7584]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 31 08:17:01 vultr CRON[7584]: pam_unix(cron:session): session closed for user root
Aug 31 08:17:06 vultr pluto[1464]: destroying root certificate cache
Aug 31 08:28:29 vultr sshd[7599]: Accepted password for root from ************* port 57926 ssh2
Aug 31 08:28:29 vultr sshd[7599]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 31 08:28:29 vultr systemd-logind[400]: New session 167 of user root.
Aug 31 08:28:29 vultr systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Aug 31 08:28:31 vultr sshd[7614]: Accepted password for root from ************* port 57927 ssh2
Aug 31 08:28:31 vultr sshd[7614]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 31 08:28:31 vultr systemd-logind[400]: New session 169 of user root.
Aug 31 08:28:50 vultr sshd[7809]: Accepted password for root from ************* port 57928 ssh2
Aug 31 08:28:50 vultr sshd[7809]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 31 08:28:50 vultr systemd-logind[400]: New session 170 of user root.
Aug 31 09:07:52 vultr pluto[1464]: "ikev2-cp"[22] *************: local ESP/AH proposals (CREATE_CHILD_SA responder matching remote ESP/AH proposals):
Aug 31 09:07:52 vultr pluto[1464]: "ikev2-cp"[22] *************: 1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-NONE-DISABLED
Aug 31 09:07:52 vultr pluto[1464]: "ikev2-cp"[22] *************: 2:ESP=AES_CBC_128-HMAC_SHA1_96-NONE-DISABLED
Aug 31 09:07:52 vultr pluto[1464]: "ikev2-cp"[22] *************: 3:ESP=AES_CBC_256-HMAC_SHA1_96-NONE-DISABLED
Aug 31 09:07:52 vultr pluto[1464]: "ikev2-cp"[22] *************: 4:ESP=AES_CBC_128-HMAC_SHA2_256_128-NONE-DISABLED
Aug 31 09:07:52 vultr pluto[1464]: "ikev2-cp"[22] : 5:ESP=AES_CBC_256-HMAC_SHA2_256_128-NONE-DISABLED
Aug 31 09:07:52 vultr pluto[1464]: "ikev2-cp"[22] ************* #95: proposal 1:ESP=AES_CBC_256-HMAC_SHA1_96-DISABLED SPI=f0cc90d8 chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED[first-match] 2:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED
Aug 31 09:07:52 vultr pluto[1464]: "ikev2-cp"[22] ************* #97: negotiated new IPsec SA [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0]
Aug 31 09:07:52 vultr pluto[1464]: "ikev2-cp"[22] ************* #97: negotiated connection [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0]
Aug 31 09:07:52 vultr pluto[1464]: "ikev2-cp"[22] ************* #97: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0xf0cc90d8 <0x61e3dac4 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=
:21501 DPD=active}
Aug 31 09:07:52 vultr pluto[1464]: "ikev2-cp"[22] ************* #95: received Delete SA payload: expire IPsec State #96 now
Aug 31 09:07:52 vultr pluto[1464]: "ikev2-cp"[22] ************* #95: STATE_PARENT_R2: received v2I2, PARENT SA established
Aug 31 09:07:52 vultr pluto[1464]: "ikev2-cp"[22] ************* #96: deleting state (STATE_V2_IPSEC_R) aged 3345.431s and NOT sending notification
Aug 31 09:07:52 vultr pluto[1464]: "ikev2-cp"[22] ************* #96: ESP traffic information: in=4MB out=30MB
Aug 31 09:12:06 vultr pluto[1464]: "ikev2-cp"[22] ************* #95: IKE SA expired (--dontrekey)
Aug 31 09:12:06 vultr pluto[1464]: "ikev2-cp"[22] ************* #97: deleting other state #97 (STATE_V2_IPSEC_R) aged 254.703s and sending notification
Aug 31 09:12:06 vultr pluto[1464]: "ikev2-cp"[22] ************* #97: ESP traffic information: in=221KB out=558KB
Aug 31 09:12:06 vultr pluto[1464]: "ikev2-cp"[22] ************* #95: deleting state (STATE_PARENT_R2) aged 3600.254s and sending notification
Aug 31 09:12:06 vultr pluto[1464]: #95: deleting connection "ikev2-cp"[22] ************* instance with peer ************* {isakmp=#0/ipsec=#0}
Aug 31 09:12:06 vultr pluto[1464]: packet from *************:21501: ISAKMP_v2_INFORMATIONAL message response has no matching IKE SA
Aug 31 09:12:06 vultr pluto[1464]: packet from *************:21501: ISAKMP_v2_INFORMATIONAL message response has no matching IKE SA

This is the log, thanks for your answer

Member

letoams commented Sep 2, 2020 via email
