We have had an issue in 1.1.8 with users being disconnected and not able to reconnect for about 1 1/2 hours.
An upgrade to 1.2.1 does not seem to fix this.
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.28-amd64-vyos, x86_64):
  uptime: 5 days, since Apr 17 21:51:27 2019
  malloc: sbrk 1892352, mmap 0, used 816912, free 1075440
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  <myip>
Connections:
remote-access: <myip>...%any IKEv1, dpddelay=15s
remote-access: local: [<myip>] uses pre-shared key authentication
remote-access: remote: uses pre-shared key authentication
remote-access: child: dynamic[0/l2f] === dynamic TRANSPORT, dpdaction=clear
Security Associations (1 up, 0 connecting):
remote-access[9]: ESTABLISHED 4 days ago, <myip>[<myip>]...<remoteip>[192.168.86.233]
remote-access[9]: IKEv1 SPIs: 312521118b937676_i 4e6a19cdc71b0bff_r*, rekeying disabled
remote-access[9]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
remote-access{17}: INSTALLED, TRANSPORT, reqid 12, ESP in UDP SPIs: ca2677d8_i da308546_o
remote-access{17}: 3DES_CBC/HMAC_SHA1_96, 623481 bytes_i (3847 pkts, 1465s ago), 3717233 bytes_o (19435 pkts, 417916s ago), rekeying disabled
remote-access{17}: <myip>/32[udp/l2f] === <remoteip>/32[udp/l2f]

[email protected]:~$ show vpn ipsec sa
Connection   State   Up   Bytes In/Out   Remote address   Remote ID   Proposal
------------ ------- ---- -------------- ---------------- ----------- ----------

[email protected]:~$ show vpn remote-access
No active remote access VPN sessions
An ipsec statusall shows the user as connected, but the VyOS commands do not see this connection.
Only when we run ipsec restart can the user connect again, after this session is terminated.
Waiting for 1 1/2 hours seems to drop this connection and the user can connect again without our help.
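
A check an operator could run against saved `ipsec statusall` output to spot CHILD_SAs like `remote-access{17}` above, which stay INSTALLED with no recent traffic. This is an added example, not part of the original report and not VyOS or strongSwan code; the 900-second threshold and the sample lines for `{18}` and `{19}` are assumptions constructed for illustration.

```python
import re

# Traffic line of a CHILD_SA in `ipsec statusall`. The "(N pkts, Ns ago)" part
# is absent when no packet was ever counted in that direction.
TRAFFIC = re.compile(
    r"^[ \t]*(?P<conn>[^\s{]+)\{(?P<id>\d+)\}:\s+.*?"
    r"\d+ bytes_i(?: \(\d+ pkts?, (?P<idle_in>\d+)s ago\))?, "
    r"\d+ bytes_o(?: \(\d+ pkts?, (?P<idle_out>\d+)s ago\))?",
    re.M,
)

# {17} is copied from the report; {18} and {19} are constructed samples.
SAMPLE = """\
remote-access{17}: INSTALLED, TRANSPORT, reqid 12, ESP in UDP SPIs: ca2677d8_i da308546_o
remote-access{17}: 3DES_CBC/HMAC_SHA1_96, 623481 bytes_i (3847 pkts, 1465s ago), 3717233 bytes_o (19435 pkts, 417916s ago), rekeying disabled
remote-access{18}: INSTALLED, TRANSPORT, reqid 13, ESP in UDP SPIs: c0000001_i c0000002_o
remote-access{18}: 3DES_CBC/HMAC_SHA1_96, 1200 bytes_i (10 pkts, 3s ago), 2400 bytes_o (12 pkts, 2s ago), rekeying disabled
remote-access{19}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
"""


def idle_child_sas(statusall, max_idle=900):
    """Return (conn, id, idle_in, idle_out) for CHILD_SAs whose last packet
    in either direction is older than max_idle seconds (assumed threshold).
    SAs that never carried traffic are skipped: they have no age to compare."""
    flagged = []
    for m in TRAFFIC.finditer(statusall):
        idle_in = int(m["idle_in"]) if m["idle_in"] else None
        idle_out = int(m["idle_out"]) if m["idle_out"] else None
        ages = [a for a in (idle_in, idle_out) if a is not None]
        if ages and max(ages) > max_idle:
            flagged.append((m["conn"], int(m["id"]), idle_in, idle_out))
    return flagged


if __name__ == "__main__":
    for conn, sa_id, idle_in, idle_out in idle_child_sas(SAMPLE):
        print(f"{conn}{{{sa_id}}}: last in {idle_in}s ago, last out {idle_out}s ago")
```

An SA flagged here while `show vpn remote-access` lists no session matches the mismatch described in the report.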