Hello,
I have a problem with an IPsec tunnel between an SRX240 (running Junos 12.1X44-D35.5) and a Linux strongSwan peer.
The tunnel comes up and works fine, but when the IKE lifetime is reached it goes down and I have to manually enter "restart ipsec-key-management".
I have the exact same configuration on another SRX240 and renegotiation works fine there.
Here are some logs from when it occurs, and my configuration:
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] LOCAL_PUBLIC_IP:500 (Initiator) <-> REMOTE_PUBLIC_IP:500 { ff1ba6ef 062fcec0 - a0f1808c c400115e [-1] / unknown } IP; Expiring negotiation
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_alloc_negotiation: Start, SA = { ff1ba6ef 062fcec0 - a0f1808c c400115e}
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_alloc_negotiation: Found slot 1, max 2
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] <none>:500 (Initiator) <-> REMOTE_PUBLIC_IP:500 { ff1ba6ef 062fcec0 - a0f1808c c400115e [1] / 0xcb4e5cbe } Info; Output of phase 2 IV hash[8] = 0x0186f4f2 f67ea6b0
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_init_info_exchange: Created random message id = cb4e5cbe
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_init_info_exchange: Phase 1 done, use HASH and N or D payload
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] <none>:500 (Initiator) <-> REMOTE_PUBLIC_IP:500 { ff1ba6ef 062fcec0 - a0f1808c c400115e [1] / 0xcb4e5cbe } Info; Sending delete notify back
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_encode_packet: Start, SA = { 0xff1ba6ef 062fcec0 - a0f1808c c400115e } / cb4e5cbe, nego = 1
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_encode_packet: Encrypting packet
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_encode_packet: Final length = 84
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_expire_callback: Sending notification to REMOTE_PUBLIC_IP:500
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_send_packet: Start, send SA = { ff1ba6ef 062fcec0 - a0f1808c c400115e}, nego = 1, dst = REMOTE_PUBLIC_IP:500, routing table id = 0
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_delete_negotiation: Start, SA = { ff1ba6ef 062fcec0 - a0f1808c c400115e}, nego = 1
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] <none>:500 (Initiator) <-> REMOTE_PUBLIC_IP:500 { ff1ba6ef 062fcec0 - a0f1808c c400115e [1] / 0xcb4e5cbe } Info; Deleting negotiation
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_free_negotiation_info: Start, nego = 1
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_free_negotiation: Start, nego = 1
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_remove_callback: Start, delete SA = { ff1ba6ef 062fcec0 - a0f1808c c400115e}, nego = -1
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] LOCAL_PUBLIC_IP:500 (Initiator) <-> REMOTE_PUBLIC_IP:500 { ff1ba6ef 062fcec0 - a0f1808c c400115e [-1] / unknown } IP; Removing negotiation
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_delete_negotiation: Start, SA = { ff1ba6ef 062fcec0 - a0f1808c c400115e}, nego = -1
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] LOCAL_PUBLIC_IP:500 (Initiator) <-> REMOTE_PUBLIC_IP:500 { ff1ba6ef 062fcec0 - a0f1808c c400115e [-1] / unknown } IP; Deleting negotiation
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_sa_delete: Start, SA = { ff1ba6ef 062fcec0 - a0f1808c c400115e }
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_free_negotiation_qm: Start, nego = 0
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_free_negotiation: Start, nego = 0
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_free_id_payload: Start, id type = 4
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_free_id_payload: Start, id type = 4
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_free_id_payload: Start, id type = 4
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_free_id_payload: Start, id type = 4
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_free_negotiation_isakmp: Start, nego = -1
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_free_negotiation: Start, nego = -1
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ikev2_fb_isakmp_sa_freed: Received notification from the ISAKMP library that the IKE SA df6800 is freed
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] IKE SA delete called for p1 sa 3315816 (ref cnt 1) local:LOCAL_PUBLIC_IP, remote:REMOTE_PUBLIC_IP, IKEv1
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] P1 SA 3315816 stop timer. timer duration 30, reason 0.
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] iked_pm_p1_sa_destroy: p1 sa 3315816 (ref cnt 0), waiting_for_del 0x0
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] iked_peer_remove_p1sa_entry: Remove p1 sa 3315816 from peer entry 0xdf7300
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_free_id_payload: Start, id type = 2
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_free_id_payload: Start, id type = 2
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_free_sa: Start
On the strongSwan side:
Oct 4 10:07:54 charon: 12[IKE] <gateway01-dc|8> deleting IKE_SA gateway01-dc[8] between REMOTE_PUBLIC_IP[STRONGSWAN_ID]...LOCAL_PUBLIC_IP[SRX_ID]
Oct 4 10:07:54 vpn: - gateway01 192.168.100.0/22 == LOCAL_PUBLIC_IP -- REMOTE_PUBLIC_IP == 10.10.0.0/16
And my configuration:
traceoptions {
    file ike-trace;
    flag all;
}
proposal IKE-PROPOSAL {
    authentication-method pre-shared-keys;
    dh-group group5;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
}
policy IKE-POLICY {
    proposals IKE-PROPOSAL;
    pre-shared-key ascii-text "PASSWORD_HASH"; ## SECRET-DATA
}
gateway VPN-GATEWAY {
    ike-policy IKE-POLICY;
    address REMOTE_PUBLIC_IP;
    nat-keepalive 10;
    local-identity hostname SRX_ID;
    remote-identity hostname STRONGSWAN_ID;
    external-interface ge-0/0/0.0;
}
> show configuration security ipsec
proposal IPSEC-PROPOSAL {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 86400;
}
policy IPSEC-POLICY {
    proposals IPSEC-PROPOSAL;
}
vpn IPSEC-VPN {
    ike {
        gateway VPN-GATEWAY;
        ipsec-policy IPSEC-POLICY;
    }
    establish-tunnels immediately;
}
Any help would be greatly appreciated.
Thanks!
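Added example (editor's note, not part of the original post and not Juniper tooling): the trace above shows the SRX expiring the phase 1 SA `ff1ba6ef 062fcec0 - a0f1808c c400115e`, sending a delete notify to the peer and tearing the SA down, with no new ISAKMP SA appearing afterwards. When digging through a long `flag all` IKE trace it helps to have a script that finds every "Expiring negotiation" and checks whether a different cookie pair toward the same peer shows up within a short window. The script below does that over the line format used in the post. The sample trace embeds a few of the posted lines as-is, followed by a constructed "healthy" rekey toward a made-up peer `203.0.113.9` with made-up cookies; the assumption that a successful re-negotiation shows up as a new cookie pair for the same peer, and the 120-second window, are the author's heuristics, not anything Junos documents.

```python
"""Flag IKEv1 phase 1 expiries in an SRX 'flag all' IKE trace that are not
followed by a replacement ISAKMP SA toward the same peer (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample: first block = lines copied from the post (placeholder IPs
# kept), second block = made-up healthy rekey for peer 203.0.113.9 where a new
# ISAKMP SA (new cookie pair) is allocated one second after the old one expires.
SAMPLE_TRACE = """\
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] LOCAL_PUBLIC_IP:500 (Initiator) <-> REMOTE_PUBLIC_IP:500 { ff1ba6ef 062fcec0 - a0f1808c c400115e [-1] / unknown } IP; Expiring negotiation
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_alloc_negotiation: Start, SA = { ff1ba6ef 062fcec0 - a0f1808c c400115e}
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] <none>:500 (Initiator) <-> REMOTE_PUBLIC_IP:500 { ff1ba6ef 062fcec0 - a0f1808c c400115e [1] / 0xcb4e5cbe } Info; Sending delete notify back
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_encode_packet: Start, SA = { 0xff1ba6ef 062fcec0 - a0f1808c c400115e } / cb4e5cbe, nego = 1
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] ike_sa_delete: Start, SA = { ff1ba6ef 062fcec0 - a0f1808c c400115e }
[Oct 4 10:07:37][LOCAL_PUBLIC_IP <-> REMOTE_PUBLIC_IP] IKE SA delete called for p1 sa 3315816 (ref cnt 1) local:LOCAL_PUBLIC_IP, remote:REMOTE_PUBLIC_IP, IKEv1
[Oct 4 10:12:01][LOCAL_PUBLIC_IP <-> 203.0.113.9] LOCAL_PUBLIC_IP:500 (Initiator) <-> 203.0.113.9:500 { 11111111 22222222 - 33333333 44444444 [-1] / unknown } IP; Expiring negotiation
[Oct 4 10:12:01][LOCAL_PUBLIC_IP <-> 203.0.113.9] ike_sa_delete: Start, SA = { 11111111 22222222 - 33333333 44444444 }
[Oct 4 10:12:02][LOCAL_PUBLIC_IP <-> 203.0.113.9] ike_alloc_negotiation: Start, SA = { 5a5a5a5a 6b6b6b6b - 00000000 00000000}
"""

# Line shape as seen in the post: [timestamp][local <-> remote] body
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\]"
    r"\[(?P<local>\S+) <-> (?P<remote>\S+)\] (?P<body>.*)$"
)
# ISAKMP SA identity: initiator cookie - responder cookie, printed inside { }
# (the trace sometimes prefixes the first word with 0x, sometimes omits the
# space before the closing brace, so neither is required here)
COOKIES_RE = re.compile(
    r"\{ ?(?:0x)?(?P<i>[0-9a-f]{8} [0-9a-f]{8}) - (?P<r>[0-9a-f]{8} [0-9a-f]{8})"
)


@dataclass
class Record:
    ts: datetime
    peer: str
    cookies: Optional[str]
    body: str


def parse_line(line: str) -> Optional[Record]:
    """Return a Record for a trace line, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    c = COOKIES_RE.search(m["body"])
    cookies = f"{c['i']} - {c['r']}" if c else None
    # The trace carries no year; strptime fills a default, fine for deltas.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return Record(ts, m["remote"], cookies, m["body"])


def find_stuck_rekeys(trace: str, window_s: int = 120) -> list:
    """For every 'Expiring negotiation', report whether a different cookie pair
    (assumed here to mean a replacement ISAKMP SA) appears toward the same peer
    within window_s seconds, and whether a delete notify went out for the old SA."""
    records = [r for r in (parse_line(l) for l in trace.splitlines()) if r]
    findings = []
    for idx, rec in enumerate(records):
        if "Expiring negotiation" not in rec.body or rec.cookies is None:
            continue
        delete_sent = False
        new_cookies = None
        for later in records[idx + 1:]:
            if (later.ts - rec.ts).total_seconds() > window_s:
                break  # trace is chronological, nothing later can qualify
            if later.peer != rec.peer:
                continue
            if later.cookies == rec.cookies:
                if "Sending delete notify back" in later.body:
                    delete_sent = True
                continue
            if later.cookies is not None:
                new_cookies = later.cookies  # a different ISAKMP SA to this peer
                break
        findings.append({
            "peer": rec.peer,
            "expired_at": rec.ts.strftime("%b %d %H:%M:%S"),
            "old_cookies": rec.cookies,
            "delete_sent": delete_sent,
            "new_cookies": new_cookies,
            "status": "rekeyed" if new_cookies else "stuck",
        })
    return findings


if __name__ == "__main__":
    for f in find_stuck_rekeys(SAMPLE_TRACE):
        print(f"{f['expired_at']} {f['peer']:<18} {f['status']:<8} "
              f"old={f['old_cookies']} new={f['new_cookies']} "
              f"delete_sent={f['delete_sent']}")
```

Feed it the real `ike-trace` file (`file show /var/log/ike-trace` on the SRX, then copy it off) in place of `SAMPLE_TRACE`; a peer that comes back as `stuck` with `delete_sent=True` matches the pattern in the posted trace, where the SRX deletes the expired phase 1 SA and never starts a new one until `restart ipsec-key-management`.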