
IPsec SA is closed before a new one is negotiated, or is renegotiated every second if a large life-time is set in swanctl.conf
Closed, ResolvedPublicBUG

Description

IPsec SA/ESP lifetime set to 300s (low value for testing purposes)

ipsec {
    esp-group test {
        lifetime 300
        mode tunnel
        pfs dh-group14
        proposal 1 {
            encryption aes256
            hash sha256
        }
    }
    ike-group test {
        close-action restart
        dead-peer-detection {
            action restart
            interval 2
            timeout 6
        }
        key-exchange ikev2
        lifetime 86400
        mode main
        proposal 1 {
            dh-group 14
            encryption aes256
            hash sha256
        }
    }
    interface bond0.105
    site-to-site {
        peer 192.168.100.1 {
            authentication {
                id 192.168.200.1
                mode pre-shared-secret
                pre-shared-secret ipsec-test-key
                remote-id 172.17.0.155
            }
            ike-group test
            ikev2-reauth yes
            local-address 192.168.200.1
            tunnel 1 {
                esp-group test
                local {
                    prefix 10.16.211.48/28
                }
                remote {
                    prefix 10.10.10.0/24
                }
            }
            vti {
                bind vti1
            }
        }
    }
}

We can see below that the IPsec SA rekey-time stays at its 1h default [1], which is longer than the configured life-time of 300s, so the hard lifetime expires before the soft rekey timer ever fires:

vagrant@test-vyos# sudo swanctl --list-conns
peer_192-168-100-1: IKEv2, no reauthentication, rekeying every 86400s, dpd delay 2s
  local:  192.168.200.1
  remote: 192.168.100.1
  local pre-shared key authentication:
    id: 192.168.200.1
  remote pre-shared key authentication:
    id: 172.17.0.155
  peer_192-168-100-1_tunnel_1: TUNNEL, rekeying every 3600s, dpd action is restart
    local:  10.16.211.48/28
    remote: 10.10.10.0/24


vagrant@test-vyos# sudo cat /etc/swanctl/swanctl.conf 
### Autogenerated by vpn_ipsec.py ###

connections {
    peer_192-168-100-1 {
        proposals = aes256-sha256-modp2048
        version = 2
        local_addrs = 192.168.200.1 # dhcp:no
        remote_addrs = 192.168.100.1
        dpd_timeout = 6
        dpd_delay = 2
        rekey_time = 86400s
        mobike = yes
        keyingtries = 0
        local {
            id = "192.168.200.1"
            auth = psk
        }
        remote {
            id = "172.17.0.155"
            auth = psk
        }
        children {
            peer_192-168-100-1_tunnel_1 {
                esp_proposals = aes256-sha256-modp2048
                life_time = 300s
                local_ts = 10.16.211.48/28
                remote_ts = 10.10.10.0/24
                ipcomp = no
                mode = tunnel
                start_action = start
                dpd_action = restart
                close_action = start
                updown = "/etc/ipsec.d/vti-up-down vti1"
                if_id_in = 2
                if_id_out = 2
            }
        }
    }

}

pools {
}

secrets {
    ike_192-168-100-1 {
        id-local = 192.168.200.1 # dhcp:no
        id-remote = 192.168.100.1
        id-localid = 192.168.200.1
        id-remoteid = 172.17.0.155
        secret = "ipsec-test-key"
    }
}

Below are logs showing the SA being hard-expired and closed before a new one is negotiated, because the life_time parameter (300s) is shorter than the default rekey_time (3600s). Note the "closing expired CHILD_SA" followed by "scheduling CHILD_SA recreate after hard expire": there is no overlap between the old and the new SA, so traffic is dropped until the CREATE_CHILD_SA exchange completes.

Feb 20 12:20:37 test-vyos charon[56803]: 14[KNL] creating delete job for CHILD_SA ESP/0xcf0a98a6/192.168.200.1
Feb 20 12:20:37 test-vyos charon[56803]: 14[IKE] <peer_192-168-100-1|1> closing expired CHILD_SA peer_192-168-100-1_tunnel_1{3} with SPIs cf0a98a6_i 95e831e7_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:20:37 test-vyos charon[56803]: 14[IKE] <peer_192-168-100-1|1> sending DELETE for ESP CHILD_SA with SPI cf0a98a6
Feb 20 12:20:37 test-vyos charon[56803]: 14[IKE] <peer_192-168-100-1|1> scheduling CHILD_SA recreate after hard expire
Feb 20 12:20:37 test-vyos charon[56803]: 12[KNL] creating delete job for CHILD_SA ESP/0x95e831e7/192.168.100.1
Feb 20 12:20:37 test-vyos charon[56803]: 10[IKE] <peer_192-168-100-1|1> received DELETE for ESP CHILD_SA with SPI 95e831e7
Feb 20 12:20:37 test-vyos charon[56803]: 10[IKE] <peer_192-168-100-1|1> CHILD_SA closed
Feb 20 12:20:38 test-vyos charon[56803]: 09[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{4}
Feb 20 12:20:38 test-vyos charon[56803]: 09[ENC] <peer_192-168-100-1|1> generating CREATE_CHILD_SA request 433 [ SA No KE TSi TSr ]
Feb 20 12:20:38 test-vyos charon[56803]: 13[ENC] <peer_192-168-100-1|1> parsed CREATE_CHILD_SA response 433 [ SA No KE TSi TSr ]
Feb 20 12:20:38 test-vyos charon[56803]: 13[IKE] <peer_192-168-100-1|1> CHILD_SA peer_192-168-100-1_tunnel_1{4} established with SPIs c77aab30_i 0e863e37_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:25:38 test-vyos charon[56803]: 11[KNL] creating delete job for CHILD_SA ESP/0xc77aab30/192.168.200.1
Feb 20 12:25:38 test-vyos charon[56803]: 11[IKE] <peer_192-168-100-1|1> closing expired CHILD_SA peer_192-168-100-1_tunnel_1{4} with SPIs c77aab30_i 0e863e37_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:25:38 test-vyos charon[56803]: 11[IKE] <peer_192-168-100-1|1> sending DELETE for ESP CHILD_SA with SPI c77aab30
Feb 20 12:25:38 test-vyos charon[56803]: 11[IKE] <peer_192-168-100-1|1> scheduling CHILD_SA recreate after hard expire
Feb 20 12:25:38 test-vyos charon[56803]: 16[KNL] creating delete job for CHILD_SA ESP/0x0e863e37/192.168.100.1
Feb 20 12:25:38 test-vyos charon[56803]: 09[IKE] <peer_192-168-100-1|1> received DELETE for ESP CHILD_SA with SPI 0e863e37
Feb 20 12:25:38 test-vyos charon[56803]: 09[IKE] <peer_192-168-100-1|1> CHILD_SA closed
Feb 20 12:25:38 test-vyos charon[56803]: 13[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{5}
Feb 20 12:25:38 test-vyos charon[56803]: 13[ENC] <peer_192-168-100-1|1> generating CREATE_CHILD_SA request 579 [ SA No KE TSi TSr ]
Feb 20 12:25:38 test-vyos charon[56803]: 07[ENC] <peer_192-168-100-1|1> parsed CREATE_CHILD_SA response 579 [ SA No KE TSi TSr ]
Feb 20 12:25:38 test-vyos charon[56803]: 07[IKE] <peer_192-168-100-1|1> CHILD_SA peer_192-168-100-1_tunnel_1{5} established with SPIs c334591c_i f0f1fc43_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:30:38 test-vyos charon[56803]: 06[KNL] creating delete job for CHILD_SA ESP/0xc334591c/192.168.200.1
Feb 20 12:30:38 test-vyos charon[56803]: 06[IKE] <peer_192-168-100-1|1> closing expired CHILD_SA peer_192-168-100-1_tunnel_1{5} with SPIs c334591c_i f0f1fc43_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:30:38 test-vyos charon[56803]: 06[IKE] <peer_192-168-100-1|1> sending DELETE for ESP CHILD_SA with SPI c334591c
Feb 20 12:30:38 test-vyos charon[56803]: 06[IKE] <peer_192-168-100-1|1> scheduling CHILD_SA recreate after hard expire
Feb 20 12:30:38 test-vyos charon[56803]: 14[KNL] creating delete job for CHILD_SA ESP/0xf0f1fc43/192.168.100.1
Feb 20 12:30:38 test-vyos charon[56803]: 05[IKE] <peer_192-168-100-1|1> received DELETE for ESP CHILD_SA with SPI f0f1fc43
Feb 20 12:30:38 test-vyos charon[56803]: 05[IKE] <peer_192-168-100-1|1> CHILD_SA closed
Feb 20 12:30:39 test-vyos charon[56803]: 08[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{6}
Feb 20 12:30:39 test-vyos charon[56803]: 08[ENC] <peer_192-168-100-1|1> generating CREATE_CHILD_SA request 724 [ SA No KE TSi TSr ]
Feb 20 12:30:39 test-vyos charon[56803]: 09[ENC] <peer_192-168-100-1|1> parsed CREATE_CHILD_SA response 724 [ SA No KE TSi TSr ]
Feb 20 12:30:39 test-vyos charon[56803]: 09[IKE] <peer_192-168-100-1|1> CHILD_SA peer_192-168-100-1_tunnel_1{6} established with SPIs cee82609_i 8ae8508e_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:35:39 test-vyos charon[56803]: 09[KNL] creating delete job for CHILD_SA ESP/0xcee82609/192.168.200.1
Feb 20 12:35:39 test-vyos charon[56803]: 09[IKE] <peer_192-168-100-1|1> closing expired CHILD_SA peer_192-168-100-1_tunnel_1{6} with SPIs cee82609_i 8ae8508e_o and TS 10.16.211.48/28 === 10.10.10.0/24

Second case: IPsec SA/ESP lifetime set to 28800s (large value)

vagrant@test-vyos# sudo swanctl --list-conns
peer_192-168-100-1: IKEv2, no reauthentication, rekeying every 86400s, dpd delay 2s
  local:  192.168.200.1
  remote: 192.168.100.1
  local pre-shared key authentication:
    id: 192.168.200.1
  remote pre-shared key authentication:
    id: 172.17.0.155
  peer_192-168-100-1_tunnel_1: TUNNEL, rekeying every 3600s, dpd action is restart
    local:  10.16.211.48/28
    remote: 10.10.10.0/24


vagrant@test-vyos# sudo cat /etc/swanctl/swanctl.conf 
### Autogenerated by vpn_ipsec.py ###

connections {
    peer_192-168-100-1 {
        proposals = aes256-sha256-modp2048
        version = 2
        local_addrs = 192.168.200.1 # dhcp:no
        remote_addrs = 192.168.100.1
        dpd_timeout = 6
        dpd_delay = 2
        rekey_time = 86400s
        mobike = yes
        keyingtries = 0
        local {
            id = "192.168.200.1"
            auth = psk
        }
        remote {
            id = "172.17.0.155"
            auth = psk
        }
        children {
            peer_192-168-100-1_tunnel_1 {
                esp_proposals = aes256-sha256-modp2048
                life_time = 28800s
                local_ts = 10.16.211.48/28
                remote_ts = 10.10.10.0/24
                ipcomp = no
                mode = tunnel
                start_action = start
                dpd_action = restart
                close_action = start
                updown = "/etc/ipsec.d/vti-up-down vti1"
                if_id_in = 2
                if_id_out = 2
            }
        }
    }

}

pools {
}

secrets {
    ike_192-168-100-1 {
        id-local = 192.168.200.1 # dhcp:no
        id-remote = 192.168.100.1
        id-localid = 192.168.200.1
        id-remoteid = 172.17.0.155
        secret = "ipsec-test-key"
    }
}

Below are logs showing the IPsec SA being renegotiated every second. With life_time = 28800s and rekey_time left at its 3600s default, the default rand_time (the difference between the two per [1], 25200s) is much larger than rekey_time itself, so the randomized rekey point falls at or before the moment the SA is established and charon rekeys it again immediately.

Feb 20 13:22:57 test-vyos charon[62904]: 15[KNL] creating rekey job for CHILD_SA ESP/0xc18f05db/192.168.200.1
Feb 20 13:22:57 test-vyos charon[62904]: 15[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{11} reqid 1
Feb 20 13:22:57 test-vyos charon[62904]: 16[KNL] creating rekey job for CHILD_SA ESP/0x84fa691e/192.168.100.1
Feb 20 13:22:57 test-vyos charon[62904]: 15[ENC] <peer_192-168-100-1|1> generating CREATE_CHILD_SA request 20 [ N(REKEY_SA) SA No KE TSi TSr ]
Feb 20 13:22:57 test-vyos charon[62904]: 08[ENC] <peer_192-168-100-1|1> parsed CREATE_CHILD_SA response 20 [ SA No KE TSi TSr ]
Feb 20 13:22:57 test-vyos charon[62904]: 08[IKE] <peer_192-168-100-1|1> inbound CHILD_SA peer_192-168-100-1_tunnel_1{11} established with SPIs ca2f48cc_i 59b5f175_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:22:57 test-vyos charon[62904]: 08[IKE] <peer_192-168-100-1|1> outbound CHILD_SA peer_192-168-100-1_tunnel_1{11} established with SPIs ca2f48cc_i 59b5f175_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:22:57 test-vyos charon[62904]: 08[IKE] <peer_192-168-100-1|1> closing CHILD_SA peer_192-168-100-1_tunnel_1{10} with SPIs c18f05db_i (0 bytes) 84fa691e_o (0 bytes) and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:22:57 test-vyos charon[62904]: 08[IKE] <peer_192-168-100-1|1> sending DELETE for ESP CHILD_SA with SPI c18f05db
Feb 20 13:22:57 test-vyos charon[62904]: 05[IKE] <peer_192-168-100-1|1> received DELETE for ESP CHILD_SA with SPI 84fa691e
Feb 20 13:22:57 test-vyos charon[62904]: 05[IKE] <peer_192-168-100-1|1> CHILD_SA closed
Feb 20 13:22:58 test-vyos charon[62904]: 06[KNL] creating rekey job for CHILD_SA ESP/0xca2f48cc/192.168.200.1
Feb 20 13:22:58 test-vyos charon[62904]: 06[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{12} reqid 1
Feb 20 13:22:58 test-vyos charon[62904]: 06[ENC] <peer_192-168-100-1|1> generating CREATE_CHILD_SA request 22 [ N(REKEY_SA) SA No KE TSi TSr ]
Feb 20 13:22:58 test-vyos charon[62904]: 09[ENC] <peer_192-168-100-1|1> parsed CREATE_CHILD_SA response 22 [ SA No KE TSi TSr ]
Feb 20 13:22:58 test-vyos charon[62904]: 09[IKE] <peer_192-168-100-1|1> inbound CHILD_SA peer_192-168-100-1_tunnel_1{12} established with SPIs c17a2b67_i 450197f3_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:22:58 test-vyos charon[62904]: 09[IKE] <peer_192-168-100-1|1> outbound CHILD_SA peer_192-168-100-1_tunnel_1{12} established with SPIs c17a2b67_i 450197f3_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:22:58 test-vyos charon[62904]: 09[IKE] <peer_192-168-100-1|1> closing CHILD_SA peer_192-168-100-1_tunnel_1{11} with SPIs ca2f48cc_i (0 bytes) 59b5f175_o (0 bytes) and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:22:58 test-vyos charon[62904]: 09[IKE] <peer_192-168-100-1|1> sending DELETE for ESP CHILD_SA with SPI ca2f48cc
Feb 20 13:22:58 test-vyos charon[62904]: 16[IKE] <peer_192-168-100-1|1> received DELETE for ESP CHILD_SA with SPI 59b5f175
Feb 20 13:22:58 test-vyos charon[62904]: 16[IKE] <peer_192-168-100-1|1> CHILD_SA closed
Feb 20 13:22:59 test-vyos charon[62904]: 07[KNL] creating rekey job for CHILD_SA ESP/0xc17a2b67/192.168.200.1
Feb 20 13:22:59 test-vyos charon[62904]: 07[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{13} reqid 1
Feb 20 13:22:59 test-vyos charon[62904]: 12[KNL] creating rekey job for CHILD_SA ESP/0x450197f3/192.168.100.1
Feb 20 13:22:59 test-vyos charon[62904]: 07[ENC] <peer_192-168-100-1|1> generating CREATE_CHILD_SA request 24 [ N(REKEY_SA) SA No KE TSi TSr ]
Feb 20 13:22:59 test-vyos charon[62904]: 14[ENC] <peer_192-168-100-1|1> parsed CREATE_CHILD_SA response 24 [ SA No KE TSi TSr ]
Feb 20 13:22:59 test-vyos charon[62904]: 14[IKE] <peer_192-168-100-1|1> inbound CHILD_SA peer_192-168-100-1_tunnel_1{13} established with SPIs cd49d169_i 1cbe3e1a_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:22:59 test-vyos charon[62904]: 14[IKE] <peer_192-168-100-1|1> outbound CHILD_SA peer_192-168-100-1_tunnel_1{13} established with SPIs cd49d169_i 1cbe3e1a_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:22:59 test-vyos charon[62904]: 14[IKE] <peer_192-168-100-1|1> closing CHILD_SA peer_192-168-100-1_tunnel_1{12} with SPIs c17a2b67_i (0 bytes) 450197f3_o (0 bytes) and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:22:59 test-vyos charon[62904]: 14[IKE] <peer_192-168-100-1|1> sending DELETE for ESP CHILD_SA with SPI c17a2b67
Feb 20 13:22:59 test-vyos charon[62904]: 06[IKE] <peer_192-168-100-1|1> received DELETE for ESP CHILD_SA with SPI 450197f3
Feb 20 13:22:59 test-vyos charon[62904]: 06[IKE] <peer_192-168-100-1|1> CHILD_SA closed
Feb 20 13:23:00 test-vyos charon[62904]: 05[KNL] creating rekey job for CHILD_SA ESP/0xcd49d169/192.168.200.1
Feb 20 13:23:00 test-vyos charon[62904]: 05[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{14} reqid 1
Feb 20 13:23:00 test-vyos charon[62904]: 11[KNL] creating rekey job for CHILD_SA ESP/0x1cbe3e1a/192.168.100.1
Feb 20 13:23:00 test-vyos charon[62904]: 05[ENC] <peer_192-168-100-1|1> generating CREATE_CHILD_SA request 26 [ N(REKEY_SA) SA No KE TSi TSr ]
Feb 20 13:23:00 test-vyos charon[62904]: 07[ENC] <peer_192-168-100-1|1> parsed CREATE_CHILD_SA response 26 [ SA No KE TSi TSr ]
Feb 20 13:23:00 test-vyos charon[62904]: 07[IKE] <peer_192-168-100-1|1> inbound CHILD_SA peer_192-168-100-1_tunnel_1{14} established with SPIs c451f052_i 0e70b633_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:23:00 test-vyos charon[62904]: 07[IKE] <peer_192-168-100-1|1> outbound CHILD_SA peer_192-168-100-1_tunnel_1{14} established with SPIs c451f052_i 0e70b633_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:23:00 test-vyos charon[62904]: 07[IKE] <peer_192-168-100-1|1> closing CHILD_SA peer_192-168-100-1_tunnel_1{13} with SPIs cd49d169_i (0 bytes) 1cbe3e1a_o (0 bytes) and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:23:00 test-vyos charon[62904]: 07[IKE] <peer_192-168-100-1|1> sending DELETE for ESP CHILD_SA with SPI cd49d169
Feb 20 13:23:00 test-vyos charon[62904]: 14[IKE] <peer_192-168-100-1|1> received DELETE for ESP CHILD_SA with SPI 1cbe3e1a
Feb 20 13:23:00 test-vyos charon[62904]: 14[IKE] <peer_192-168-100-1|1> CHILD_SA closed
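Both failure modes above follow from the swanctl.conf defaults cited in [1]: rekey_time defaults to 1h, life_time to 110% of rekey_time, and rand_time to the difference between life_time and rekey_time. The following model, added here as an illustration and not VyOS or strongSwan code, resolves those defaults for a given setting and names the resulting behaviour. The only assumption beyond the documented defaults is that rand_time is clamped at zero when life_time is the shorter value, which keeps the model well-defined for the first case. For 300s it shows the hard-expire-before-rekey behaviour, for 28800s a rekey window whose lower bound is negative, consistent with the once-a-second rekey loop in the logs; mapped to rekey_time instead, both values yield a normal soft rekey.

```python
"""Model of strongSwan CHILD_SA timer defaults as documented in swanctl.conf.

Added example for this bug report; not VyOS or strongSwan code.
Documented defaults: rekey_time 1h, life_time 110% of rekey_time,
rand_time = life_time - rekey_time. Clamping rand_time at zero when
life_time is the shorter value is an assumption of this model.
"""

DEFAULT_REKEY_TIME = 3600  # children.<child>.rekey_time default (1h)


def effective_timers(rekey_time=None, life_time=None, rand_time=None):
    """Resolve the three CHILD_SA timers the way swanctl.conf documents them."""
    if rekey_time is None:
        rekey_time = DEFAULT_REKEY_TIME
    if life_time is None:
        life_time = rekey_time * 110 // 100          # 110% of rekey_time
    if rand_time is None:
        rand_time = max(life_time - rekey_time, 0)   # assumption: clamp at 0
    return {
        "rekey_time": rekey_time,
        "life_time": life_time,
        "rand_time": rand_time,
        # the soft (rekey) expiry is scheduled at rekey_time minus a random
        # value in 0..rand_time, so this is the window in which a rekey starts
        "earliest_rekey": rekey_time - rand_time,
        "latest_rekey": rekey_time,
    }


def classify(timers):
    """Name the behaviour a CHILD_SA with these resolved timers exhibits."""
    if timers["rekey_time"] >= timers["life_time"]:
        # hard lifetime fires first: SA is deleted, then recreated (traffic gap)
        return "hard-expire-before-rekey"
    if timers["earliest_rekey"] <= 0:
        # rekey window opens at or before establishment: immediate rekey loop
        return "immediate-rekey-loop"
    return "soft-rekey-ok"


def compare_mappings(vyos_lifetime):
    """Behaviour of the VyOS `esp-group ... lifetime` value when the template
    renders it as children.<child>.life_time versus as rekey_time."""
    return {
        "life_time": classify(effective_timers(life_time=vyos_lifetime)),
        "rekey_time": classify(effective_timers(rekey_time=vyos_lifetime)),
    }


if __name__ == "__main__":
    for value in (300, 28800):
        print(value, effective_timers(life_time=value), compare_mappings(value))
```

The rekey_time mapping also predicts the intervals seen later on this page: for rekey_time = 300s the model gives life_time 330s, rand_time 30s and a rekey window of 270 to 300s.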

Applying a fix to the charon peer.j2 template: the fix renders the IPsec SA lifetime as rekey_time instead of life_time, as per the documentation [1]. This is also how the IKE timers are already rendered (rekey_time = 86400s in the connection block above).

IPsec SA/ESP rekey-time set to 300s (low value for testing purposes)

vagrant@test-vyos# sudo swanctl --list-conns
peer_192-168-100-1: IKEv2, no reauthentication, rekeying every 86400s, dpd delay 2s
  local:  192.168.200.1
  remote: 192.168.100.1
  local pre-shared key authentication:
    id: 192.168.200.1
  remote pre-shared key authentication:
    id: 172.17.0.155
  peer_192-168-100-1_tunnel_1: TUNNEL, rekeying every 300s, dpd action is restart
    local:  10.16.211.48/28
    remote: 10.10.10.0/24


vagrant@test-vyos# sudo cat /etc/swanctl/swanctl.conf 
### Autogenerated by vpn_ipsec.py ###

connections {
    peer_192-168-100-1 {
        proposals = aes256-sha256-modp2048
        version = 2
        local_addrs = 192.168.200.1 # dhcp:no
        remote_addrs = 192.168.100.1
        dpd_timeout = 6
        dpd_delay = 2
        rekey_time = 86400s
        mobike = yes
        keyingtries = 0
        local {
            id = "192.168.200.1"
            auth = psk
        }
        remote {
            id = "172.17.0.155"
            auth = psk
        }
        children {
            peer_192-168-100-1_tunnel_1 {
                esp_proposals = aes256-sha256-modp2048
                rekey_time = 300s
                local_ts = 10.16.211.48/28
                remote_ts = 10.10.10.0/24
                ipcomp = no
                mode = tunnel
                start_action = start
                dpd_action = restart
                close_action = start
                updown = "/etc/ipsec.d/vti-up-down vti1"
                if_id_in = 2
                if_id_out = 2
            }
        }
    }

}

pools {
}

secrets {
    ike_192-168-100-1 {
        id-local = 192.168.200.1 # dhcp:no
        id-remote = 192.168.100.1
        id-localid = 192.168.200.1
        id-remoteid = 172.17.0.155
        secret = "ipsec-test-key"
    }
}

Below are logs showing the old IPsec SA being deleted only after the new one has been established: each rekey is a CREATE_CHILD_SA carrying N(REKEY_SA), the new inbound and outbound SAs come up, and only then is the DELETE for the old SPIs sent.

Feb 20 12:39:21 test-vyos charon[59520]: 12[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{1}
Feb 20 12:39:21 test-vyos charon[59520]: 13[IKE] <peer_192-168-100-1|1> CHILD_SA peer_192-168-100-1_tunnel_1{1} established with SPIs cb3ed7a6_i a0fd057a_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:44:10 test-vyos charon[59520]: 10[KNL] creating rekey job for CHILD_SA ESP/0xcb3ed7a6/192.168.200.1
Feb 20 12:44:10 test-vyos charon[59520]: 10[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{2} reqid 1
Feb 20 12:44:10 test-vyos charon[59520]: 12[KNL] creating rekey job for CHILD_SA ESP/0xa0fd057a/192.168.100.1
Feb 20 12:44:10 test-vyos charon[59520]: 10[ENC] <peer_192-168-100-1|1> generating CREATE_CHILD_SA request 136 [ N(REKEY_SA) SA No KE TSi TSr ]
Feb 20 12:44:10 test-vyos charon[59520]: 14[ENC] <peer_192-168-100-1|1> parsed CREATE_CHILD_SA response 136 [ SA No KE TSi TSr ]
Feb 20 12:44:10 test-vyos charon[59520]: 14[IKE] <peer_192-168-100-1|1> inbound CHILD_SA peer_192-168-100-1_tunnel_1{2} established with SPIs c6968ce1_i d4170a38_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:44:10 test-vyos charon[59520]: 14[IKE] <peer_192-168-100-1|1> outbound CHILD_SA peer_192-168-100-1_tunnel_1{2} established with SPIs c6968ce1_i d4170a38_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:44:10 test-vyos charon[59520]: 14[IKE] <peer_192-168-100-1|1> closing CHILD_SA peer_192-168-100-1_tunnel_1{1} with SPIs cb3ed7a6_i (0 bytes) a0fd057a_o (0 bytes) and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:44:10 test-vyos charon[59520]: 14[IKE] <peer_192-168-100-1|1> sending DELETE for ESP CHILD_SA with SPI cb3ed7a6
Feb 20 12:44:10 test-vyos charon[59520]: 15[IKE] <peer_192-168-100-1|1> received DELETE for ESP CHILD_SA with SPI a0fd057a
Feb 20 12:44:10 test-vyos charon[59520]: 15[IKE] <peer_192-168-100-1|1> CHILD_SA closed
Feb 20 12:48:45 test-vyos charon[59520]: 07[KNL] creating rekey job for CHILD_SA ESP/0xd4170a38/192.168.100.1
Feb 20 12:48:45 test-vyos charon[59520]: 07[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{3} reqid 1
Feb 20 12:48:45 test-vyos charon[59520]: 07[ENC] <peer_192-168-100-1|1> generating CREATE_CHILD_SA request 275 [ N(REKEY_SA) SA No KE TSi TSr ]
Feb 20 12:48:45 test-vyos charon[59520]: 06[ENC] <peer_192-168-100-1|1> parsed CREATE_CHILD_SA response 275 [ SA No KE TSi TSr ]
Feb 20 12:48:45 test-vyos charon[59520]: 06[IKE] <peer_192-168-100-1|1> inbound CHILD_SA peer_192-168-100-1_tunnel_1{3} established with SPIs ca91a8ff_i 0fb4b426_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:48:45 test-vyos charon[59520]: 06[IKE] <peer_192-168-100-1|1> outbound CHILD_SA peer_192-168-100-1_tunnel_1{3} established with SPIs ca91a8ff_i 0fb4b426_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:48:45 test-vyos charon[59520]: 06[IKE] <peer_192-168-100-1|1> closing CHILD_SA peer_192-168-100-1_tunnel_1{2} with SPIs c6968ce1_i (0 bytes) d4170a38_o (0 bytes) and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:48:45 test-vyos charon[59520]: 06[IKE] <peer_192-168-100-1|1> sending DELETE for ESP CHILD_SA with SPI c6968ce1
Feb 20 12:48:45 test-vyos charon[59520]: 05[IKE] <peer_192-168-100-1|1> received DELETE for ESP CHILD_SA with SPI d4170a38
Feb 20 12:48:45 test-vyos charon[59520]: 05[IKE] <peer_192-168-100-1|1> CHILD_SA closed
Feb 20 12:53:15 test-vyos charon[59520]: 16[KNL] creating rekey job for CHILD_SA ESP/0x0fb4b426/192.168.100.1
Feb 20 12:53:15 test-vyos charon[59520]: 16[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{4} reqid 1

Second case: IPsec SA/ESP rekey-time set to 28800s (large value)

vagrant@test-vyos# sudo swanctl --list-conns
peer_192-168-100-1: IKEv2, no reauthentication, rekeying every 86400s, dpd delay 2s
  local:  192.168.200.1
  remote: 192.168.100.1
  local pre-shared key authentication:
    id: 192.168.200.1
  remote pre-shared key authentication:
    id: 172.17.0.155
  peer_192-168-100-1_tunnel_1: TUNNEL, rekeying every 28800s, dpd action is restart
    local:  10.16.211.48/28
    remote: 10.10.10.0/24


vagrant@test-vyos# sudo cat /etc/swanctl/swanctl.conf 
### Autogenerated by vpn_ipsec.py ###

connections {
    peer_192-168-100-1 {
        proposals = aes256-sha256-modp2048
        version = 2
        local_addrs = 192.168.200.1 # dhcp:no
        remote_addrs = 192.168.100.1
        dpd_timeout = 6
        dpd_delay = 2
        rekey_time = 86400s
        mobike = yes
        keyingtries = 0
        local {
            id = "192.168.200.1"
            auth = psk
        }
        remote {
            id = "172.17.0.155"
            auth = psk
        }
        children {
            peer_192-168-100-1_tunnel_1 {
                esp_proposals = aes256-sha256-modp2048
                rekey_time = 28800s
                local_ts = 10.16.211.48/28
                remote_ts = 10.10.10.0/24
                ipcomp = no
                mode = tunnel
                start_action = start
                dpd_action = restart
                close_action = start
                updown = "/etc/ipsec.d/vti-up-down vti1"
                if_id_in = 2
                if_id_out = 2
            }
        }
    }

}

pools {
}

secrets {
    ike_192-168-100-1 {
        id-local = 192.168.200.1 # dhcp:no
        id-remote = 192.168.100.1
        id-localid = 192.168.200.1
        id-remoteid = 172.17.0.155
        secret = "ipsec-test-key"
    }
}

Below are logs showing the new IPsec SA being established according to the configured rekey-time (no longer every second): the first rekey happens about 7.5 hours after the initial establishment, within the rekey_time minus rand_time window.

Feb 20 13:24:01 test-vyos charon[63067]: 12[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{1}
Feb 20 13:24:01 test-vyos charon[63067]: 13[IKE] <peer_192-168-100-1|1> CHILD_SA peer_192-168-100-1_tunnel_1{1} established with SPIs c0b657f9_i 794d1ed3_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 20:52:27 test-vyos charon[63067]: 09[KNL] creating rekey job for CHILD_SA ESP/0x794d1ed3/192.168.100.1
Feb 20 20:52:27 test-vyos charon[63067]: 14[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{2} reqid 1
Feb 20 20:52:27 test-vyos charon[63067]: 14[ENC] <peer_192-168-100-1|1> generating CREATE_CHILD_SA request 12993 [ N(REKEY_SA) SA No KE TSi TSr ]
Feb 20 20:52:27 test-vyos charon[63067]: 08[ENC] <peer_192-168-100-1|1> parsed CREATE_CHILD_SA response 12993 [ SA No KE TSi TSr ]
Feb 20 20:52:27 test-vyos charon[63067]: 08[IKE] <peer_192-168-100-1|1> inbound CHILD_SA peer_192-168-100-1_tunnel_1{2} established with SPIs cbeb7565_i 2fbca740_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 20:52:27 test-vyos charon[63067]: 08[IKE] <peer_192-168-100-1|1> outbound CHILD_SA peer_192-168-100-1_tunnel_1{2} established with SPIs cbeb7565_i 2fbca740_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 20:52:27 test-vyos charon[63067]: 08[IKE] <peer_192-168-100-1|1> closing CHILD_SA peer_192-168-100-1_tunnel_1{1} with SPIs c0b657f9_i (0 bytes) 794d1ed3_o (0 bytes) and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 20:52:27 test-vyos charon[63067]: 08[IKE] <peer_192-168-100-1|1> sending DELETE for ESP CHILD_SA with SPI c0b657f9
Feb 20 20:52:27 test-vyos charon[63067]: 13[IKE] <peer_192-168-100-1|1> received DELETE for ESP CHILD_SA with SPI 794d1ed3
Feb 20 20:52:27 test-vyos charon[63067]: 13[IKE] <peer_192-168-100-1|1> CHILD_SA closed
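To verify a tunnel behaves like the fixed runs rather than the broken ones, the checks worth automating over the charon journal are: no "closing expired CHILD_SA" (hard expiry) events, every old SA instance closed only after its successor was established, and establishment intervals inside the rekey_time minus rand_time window. The script below is an added example, not VyOS or strongSwan code; the two log samples are constructed in the format of this page's logs (one mirrors the fixed 300s run with rekey_time 300s and the derived rand_time 30s, the other mirrors a hard expiry from the first broken run). It assumes syslog-style timestamps without a year and that all lines fall on the same day.

```python
"""Audit charon CHILD_SA log lines for hard expiries and rekey timing.

Added example for this bug report; not VyOS or strongSwan code.
The sample log text is constructed in the format of the page's logs.
"""
import re
from datetime import datetime

CHILD = "peer_192-168-100-1_tunnel_1"

# Constructed sample mirroring the fixed run (rekey_time = 300s).
SAMPLE_FIXED = """\
Feb 20 12:39:21 test-vyos charon[59520]: 13[IKE] <peer_192-168-100-1|1> CHILD_SA peer_192-168-100-1_tunnel_1{1} established with SPIs cb3ed7a6_i a0fd057a_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:44:10 test-vyos charon[59520]: 10[KNL] creating rekey job for CHILD_SA ESP/0xcb3ed7a6/192.168.200.1
Feb 20 12:44:10 test-vyos charon[59520]: 14[IKE] <peer_192-168-100-1|1> inbound CHILD_SA peer_192-168-100-1_tunnel_1{2} established with SPIs c6968ce1_i d4170a38_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:44:10 test-vyos charon[59520]: 14[IKE] <peer_192-168-100-1|1> outbound CHILD_SA peer_192-168-100-1_tunnel_1{2} established with SPIs c6968ce1_i d4170a38_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:44:10 test-vyos charon[59520]: 14[IKE] <peer_192-168-100-1|1> closing CHILD_SA peer_192-168-100-1_tunnel_1{1} with SPIs cb3ed7a6_i (0 bytes) a0fd057a_o (0 bytes) and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:48:45 test-vyos charon[59520]: 06[IKE] <peer_192-168-100-1|1> inbound CHILD_SA peer_192-168-100-1_tunnel_1{3} established with SPIs ca91a8ff_i 0fb4b426_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:48:45 test-vyos charon[59520]: 06[IKE] <peer_192-168-100-1|1> outbound CHILD_SA peer_192-168-100-1_tunnel_1{3} established with SPIs ca91a8ff_i 0fb4b426_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:48:45 test-vyos charon[59520]: 06[IKE] <peer_192-168-100-1|1> closing CHILD_SA peer_192-168-100-1_tunnel_1{2} with SPIs c6968ce1_i (0 bytes) d4170a38_o (0 bytes) and TS 10.16.211.48/28 === 10.10.10.0/24
"""

# Constructed sample mirroring the broken life_time = 300s run (hard expiry).
SAMPLE_EXPIRING = """\
Feb 20 12:15:37 test-vyos charon[56803]: 13[IKE] <peer_192-168-100-1|1> CHILD_SA peer_192-168-100-1_tunnel_1{3} established with SPIs cf0a98a6_i 95e831e7_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:20:37 test-vyos charon[56803]: 14[IKE] <peer_192-168-100-1|1> closing expired CHILD_SA peer_192-168-100-1_tunnel_1{3} with SPIs cf0a98a6_i 95e831e7_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:20:38 test-vyos charon[56803]: 13[IKE] <peer_192-168-100-1|1> CHILD_SA peer_192-168-100-1_tunnel_1{4} established with SPIs c77aab30_i 0e863e37_o and TS 10.16.211.48/28 === 10.10.10.0/24
"""

TIMESTAMP = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
PATTERNS = (  # order matters: "closing expired" must win over "closing"
    ("hard_expire", re.compile(r"closing expired CHILD_SA (\S+)\{(\d+)\}")),
    ("established", re.compile(r"CHILD_SA (\S+)\{(\d+)\} established with SPIs")),
    ("soft_close", re.compile(r"closing CHILD_SA (\S+)\{(\d+)\} with SPIs")),
)


def parse_events(text):
    """Extract (time, kind, child, instance) events; the inbound/outbound
    'established' pair for one instance is collapsed into a single event."""
    events, seen = [], set()
    for line in text.splitlines():
        ts = TIMESTAMP.match(line)
        if not ts:
            continue
        when = datetime.strptime(ts.group(1), "%b %d %H:%M:%S")  # no year in syslog
        for kind, rx in PATTERNS:
            hit = rx.search(line)
            if hit:
                key = (kind, hit.group(1), int(hit.group(2)))
                if key not in seen:
                    seen.add(key)
                    events.append({"t": when, "kind": kind,
                                   "child": hit.group(1), "instance": key[2]})
                break
    return events


def rekey_intervals(events, child):
    """Seconds between successive establishments of the same child."""
    est = sorted((e["instance"], e["t"]) for e in events
                 if e["kind"] == "established" and e["child"] == child)
    return [int((b[1] - a[1]).total_seconds()) for a, b in zip(est, est[1:])]


def overlap_ok(events, child):
    """True when no hard expiry occurred and every instance n was closed
    only after instance n+1 had already been established."""
    established = set()
    for e in events:
        if e["child"] != child:
            continue
        if e["kind"] == "hard_expire":
            return False
        if e["kind"] == "established":
            established.add(e["instance"])
        elif e["kind"] == "soft_close" and e["instance"] + 1 not in established:
            return False
    return True


def audit(text, child, rekey_time, rand_time, slack=2):
    """Summarise a log excerpt against the configured rekey_time/rand_time."""
    events = parse_events(text)
    intervals = rekey_intervals(events, child)
    lo, hi = rekey_time - rand_time - slack, rekey_time + slack  # slack: timer granularity
    return {
        "hard_expiries": sum(e["kind"] == "hard_expire" and e["child"] == child for e in events),
        "intervals": intervals,
        "within_window": all(lo <= i <= hi for i in intervals),
        "overlap_ok": overlap_ok(events, child),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_FIXED, CHILD, rekey_time=300, rand_time=30))
    print(audit(SAMPLE_EXPIRING, CHILD, rekey_time=3600, rand_time=0))
```

Fed the real journal (for example `journalctl -u strongswan` piped into `audit`), a non-zero `hard_expiries` or `overlap_ok == False` reproduces the first broken case, while intervals of one or two seconds far below the window reproduce the second.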

[1] https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html

Details

Difficulty level
Unknown (require assessment)
Version
1.4-rolling-202302150317
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

krox2 claimed this task.

It's fixed already in vyos/vyos-build#293 (although in a different way); I just downloaded the newest image and tested it. I'm closing this ticket, apologies for the noise.