I have the following certificate-based config for Windows 7 to Strongswan 5.2.2 in a remote-access setup:
Code:
conn USB
keyexchange=ikev2
ike=aes256-sha1-modp1024!
esp=aes256-sha1!
dpdaction=clear
dpddelay=8s
dpdtimeout=80s
rekey=no
margintime=0m
rekeyfuzz=0%
ikelifetime=8h
lifetime=1h
auto=add
leftauth=pubkey
#rightauth=eap-mschapv2
rightauth=pubkey
leftcert=/config/auth/certs/Gateway.RemoteAccess.crt.der
left=%any
leftsubnet=0.0.0.0/0
leftfirewall=yes
leftid="C=US, ST=state, CN=Gateway"
right=%any
rightca=%same
rightsourceip=192.168.252.8/30
rightid="C=US, ST=state, CN=Win7"
rightdns=172.16.16.2
eap_identity=%any
I can successfully connect using the built-in Win7 VPN client. However, immediately after Windows initiates a re-key, the connection is randomly deleted!!
Here is the output of "swanctl --log". Of course, it is nearly useless:
Code:
12[NET] received packet: from 68.52.125.y[4500] to 76.221.222.x[4500] (568 bytes)
12[ENC] parsed CREATE_CHILD_SA request 14 [ SA KE No ]
12[IKE] 68.52.125.y is initiating an IKE_SA
12[ENC] generating CREATE_CHILD_SA response 14 [ SA No KE ]
12[NET] sending packet: from 76.221.222.x[4500] to 68.52.125.y[4500] (312 bytes)
07[NET] received packet: from 68.52.125.y[4500] to 76.221.222.x[4500] (88 bytes)
07[ENC] parsed INFORMATIONAL request 15 [ D ]
07[IKE] IKE_SA USB[18] rekeyed between 76.221.222.x[C=US, ST=state, CN=Gateway]...68.52.125.y[C=US, ST=state, CN=Win7]
07[IKE] received DELETE for IKE_SA USB[14]
07[IKE] deleting IKE_SA USB[14] between 76.221.222.x[C=US, ST=state, CN=Gateway]...68.52.125.y[C=US, ST=state, CN=Win7]
07[IKE] IKE_SA deleted
07[ENC] generating INFORMATIONAL response 15 [ ]
07[NET] sending packet: from 76.221.222.x[4500] to 68.52.125.y[4500] (88 bytes)
16[IKE] sending DPD request
16[ENC] generating INFORMATIONAL request 0 [ ]
16[NET] sending packet: from 76.221.222.x[4500] to 68.52.125.y[4500] (76 bytes)
13[IKE] retransmit 1 of request with message ID 0
13[NET] sending packet: from 76.221.222.x[4500] to 68.52.125.y[4500] (76 bytes)
12[IKE] retransmit 2 of request with message ID 0
12[NET] sending packet: from 76.221.222.x[4500] to 68.52.125.y[4500] (76 bytes)
16[IKE] retransmit 3 of request with message ID 0
16[NET] sending packet: from 76.221.222.x[4500] to 68.52.125.y[4500] (76 bytes)
05[IKE] retransmit 4 of request with message ID 0
05[NET] sending packet: from 76.221.222.x[4500] to 68.52.125.y[4500] (76 bytes)
10[IKE] retransmit 5 of request with message ID 0
10[NET] sending packet: from 76.221.222.x[4500] to 68.52.125.y[4500] (76 bytes)
After the deletion, the Win7 client still thinks it is connected, but of course no traffic flows, and after the DPD interval expires Windows deletes the connection on its end. There is no log of any "Rasman" events in the Windows event viewer.
*sigh* I hate Strongswan... so any idea why it is deleting the connection?
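An added log checker, not from the post or the strongSwan project, that walks charon lines like those quoted above and separates the expected delete of the old IKE_SA after a rekey (per RFC 7296 section 2.8) from an unanswered DPD on the new SA; the sample lines are constructed from the excerpt, and the regexes assume charon's log wording as shown there.

```python
import re

# Constructed sample modelled on the charon excerpt above (not the real log).
SAMPLE_LOG = """\
07[IKE] IKE_SA USB[18] rekeyed between 76.221.222.x[CN=Gateway]...68.52.125.y[CN=Win7]
07[IKE] received DELETE for IKE_SA USB[14]
07[IKE] IKE_SA deleted
16[IKE] sending DPD request
13[IKE] retransmit 1 of request with message ID 0
12[IKE] retransmit 2 of request with message ID 0
16[IKE] retransmit 3 of request with message ID 0
05[IKE] retransmit 4 of request with message ID 0
10[IKE] retransmit 5 of request with message ID 0
"""

REKEYED = re.compile(r"IKE_SA (\S+)\[(\d+)\] rekeyed")          # new SA announces itself
DELETE = re.compile(r"received DELETE for IKE_SA (\S+)\[(\d+)\]")
RETRANSMIT = re.compile(r"retransmit (\d+) of request with message ID (\d+)")
RECEIVED = re.compile(r"\[NET\] received packet")                # any reply from the peer

def analyse(log, max_retransmits=5):
    """Return (kind, ...) findings: rekeys, which SA got deleted, DPD that never got answered."""
    active = {}          # connection name -> unique id of the IKE_SA we consider live
    findings = []
    dpd_pending, retransmits = False, 0
    for line in log.splitlines():
        if m := REKEYED.search(line):
            conn, new_id = m.group(1), int(m.group(2))
            findings.append(("rekeyed", conn, active.get(conn), new_id))
            active[conn] = new_id
        elif m := DELETE.search(line):
            conn, sa_id = m.group(1), int(m.group(2))
            if conn not in active:
                kind = "sa_deleted_untracked"      # no rekey seen for this conn in the window
            elif active[conn] == sa_id:
                kind = "active_sa_deleted"         # the live SA went away: real loss of the tunnel
            else:
                kind = "old_sa_deleted"            # expected: initiator tears down the pre-rekey SA
            findings.append((kind, conn, sa_id))
        elif "sending DPD request" in line:
            dpd_pending, retransmits = True, 0
        elif dpd_pending and (m := RETRANSMIT.search(line)):
            retransmits = int(m.group(1))
            if retransmits >= max_retransmits:     # charon's default retransmit_tries is 5
                findings.append(("dpd_unanswered", retransmits))
                dpd_pending = False
        elif dpd_pending and RECEIVED.search(line):
            dpd_pending = False                    # peer answered on the new SA
    return findings
```

On the excerpt this reports the USB[14] delete as the routine old-SA teardown and flags the five unanswered DPD retransmits on USB[18], which is where to look next.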