Comments (4)
You refer to rekeyings, but if you see IKE_SA_INITs, then those are not rekeyings but possibly reauthentications or simply reestablishments. If strongSwan initiates reauthentications, it will use the previous IPs and ports (i.e. usually 4500). Only if that fails and the SAs have to be reestablished, will it re-resolve addresses and revert back to the original ports (usually 500).
You need to have a closer look at the exchanged packets. Packets sent to port 4500 have to be prefixed with a non-ESP marker (4 zero bytes after the UDP header), if that's not the case, they won't reach the IKE daemon. Likewise, packets sent to port 500 should not have such a marker.
from strongswan.
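As an added example (not strongSwan's code and not part of the original thread), the packet check described in the comment above, written as a small Python classifier: on port 4500 a UDP payload is treated as IKE only if it begins with the four-zero-byte non-ESP marker (RFC 3948), otherwise its first four bytes are read as an ESP SPI; on port 500 the payload must be bare IKE with no marker. It also decodes the IKEv2 header (RFC 7296) so that IKE_SA_INIT, IKE_AUTH and CREATE_CHILD_SA exchanges can be told apart, which is the distinction the comment draws between a rekeying and a reestablishment. The sample packets are constructed inline, not captured from the reporter's setup, and the SPIs are made-up values.

```python
"""Classify UDP payloads on ports 500/4500 as IKEv2, ESP or NAT keepalive.

Added example, not strongSwan code. Layouts follow RFC 3948 (UDP
encapsulation: 4-zero-byte non-ESP marker, 1-byte 0xff keepalive) and
RFC 7296 section 3.1 (28-byte IKEv2 header). All sample SPIs are made up.
"""
import struct

IKE_PORT = 500
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"

EXCHANGE_TYPES = {
    34: "IKE_SA_INIT",        # new IKE SA: reestablishment, not a rekey
    35: "IKE_AUTH",
    36: "CREATE_CHILD_SA",    # IKE SA or CHILD SA rekeying happens here
    37: "INFORMATIONAL",
}

# initiator SPI, responder SPI, next payload, version, exchange type,
# flags, message ID, length (all network byte order)
IKE_HEADER = struct.Struct("!8s8sBBBBII")


def parse_ike_header(data):
    """Decode an IKEv2 header; raise ValueError if it is not one."""
    if len(data) < IKE_HEADER.size:
        raise ValueError("short IKE header (%d bytes)" % len(data))
    ispi, rspi, _next, version, exch, flags, msg_id, length = IKE_HEADER.unpack_from(data)
    if version >> 4 != 2:
        raise ValueError("not IKEv2 (major version %d)" % (version >> 4))
    if length != len(data):
        raise ValueError("IKE length field %d != payload length %d" % (length, len(data)))
    return {
        "ispi": ispi.hex(),
        "rspi": rspi.hex(),
        "exchange": EXCHANGE_TYPES.get(exch, "UNKNOWN(%d)" % exch),
        "initiator": bool(flags & 0x08),
        "response": bool(flags & 0x20),
        "msg_id": msg_id,
    }


def classify_udp_payload(dst_port, payload):
    """Return (kind, info) with kind in {'ike', 'esp', 'keepalive', 'invalid'}.

    For 'invalid', info is a string explaining why the packet would never
    reach the IKE daemon (or the kernel's ESP handler).
    """
    if dst_port == IKE_PORT:
        # Port 500 carries bare IKE. A zero prefix here would be read as an
        # all-zero initiator SPI, which no peer ever sends.
        if payload.startswith(NON_ESP_MARKER):
            return "invalid", "non-ESP marker present on port 500"
        try:
            return "ike", parse_ike_header(payload)
        except ValueError as err:
            return "invalid", str(err)
    if dst_port == NATT_PORT:
        if payload == NAT_KEEPALIVE:
            return "keepalive", None
        if payload.startswith(NON_ESP_MARKER):
            try:
                return "ike", parse_ike_header(payload[len(NON_ESP_MARKER):])
            except ValueError as err:
                return "invalid", str(err)
        # Anything else on 4500 is UDP-encapsulated ESP: the first 4 bytes
        # are the SPI (never zero), so the kernel keeps it and the IKE
        # daemon never sees it, even if it was actually an IKE message.
        if len(payload) < 8:
            return "invalid", "ESP packet shorter than SPI + sequence number"
        spi, seq = struct.unpack_from("!II", payload)
        return "esp", {"spi": spi, "seq": seq}
    return "invalid", "unexpected destination port %d" % dst_port


def build_ike_packet(exchange, ispi, rspi=b"\x00" * 8, initiator=True,
                     response=False, msg_id=0, body=b""):
    """Build a minimal IKEv2 message (header only unless body is given)."""
    flags = (0x08 if initiator else 0) | (0x20 if response else 0)
    return IKE_HEADER.pack(ispi, rspi, 0, 0x20, exchange, flags, msg_id,
                           IKE_HEADER.size + len(body)) + body


if __name__ == "__main__":
    ispi = bytes.fromhex("0011223344556677")   # made-up initiator SPI
    sa_init = build_ike_packet(34, ispi)
    # Initiator -> responder on 4500 with the marker: seen as IKE_SA_INIT.
    print(classify_udp_payload(4500, NON_ESP_MARKER + sa_init))
    # Responder -> initiator on 500 without a marker: also correct.
    print(classify_udp_payload(500, build_ike_packet(34, ispi, initiator=False, response=True)))
    # Failure mode: IKE sent to 4500 without the marker is taken as ESP.
    print(classify_udp_payload(4500, sa_init))
```

Run it against a capture by feeding each UDP payload and destination port into classify_udp_payload; the third case in the demo is the one to look for when an IKEv2 exchange silently stalls on 4500: the message looks like ESP with SPI 0x00112233 and is never handed to the daemon.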
I've checked the packets now, Strongswan definitely does include the 4 zero bytes non-ESP marker after the UDP header when sending on 4500. And the other endpoint doesn't have the non-ESP marker in its port 500 packets.
Packet 1 (Strongswan to Cisco, non-ESP marker present on 4500):
Packet 3 (Cisco to Strongswan, non-ESP marker not present on 500):
from strongswan.
Try checking whether anything is logged about these packets (maybe increase the log level for net). Also make sure there is only a single IKE daemon running and that no firewall rules (e.g. installed by an updown script) block the packets.
from strongswan.
I wasn't able to get any more lower level information about these packets. The tunnel was reverted back to IKEv1 and it has been stable since. Would have liked to get to the bottom of the problem with IKEv2 but looks to be related to Cisco's handling of IKE on 4500 and not something Strongswan was doing.
from strongswan.