I have a VPN between one server (Debian 10, strongSwan 5.7.2) and a partner server (Stormshield SN510). Everything runs fine; my other servers can reach the partner one over HTTPS via the VPN.
But IKE SAs stay active until I have 70 of them, and the partner VPN endpoint has problems handling them.
For example, a small subset (I removed every IP on purpose):
root@ipsec1:/etc# sudo swanctl -l
partner: #1837, ESTABLISHED, IKEv2
established 669s ago, reauth in 19183s
partner-phase2: #2629, reqid 26, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
installed 669s ago, rekeying in 1990s, expires in 2931s
in cd63b8c2, 0 bytes, 0 packets
out cacc8158, 0 bytes, 0 packets
partner-phase2: #2630, reqid 26, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
installed 669s ago, rekeying in 2087s, expires in 2931s
in c859fcff, 0 bytes, 0 packets
out c2e8b52a, 0 bytes, 0 packets
partner-phase2: #2631, reqid 26, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
installed 669s ago, rekeying in 1853s, expires in 2932s
in cb8845a0, 0 bytes, 0 packets
out c3507f7a, 0 bytes, 0 packets
partner-phase2: #2632, reqid 26, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
installed 668s ago, rekeying in 2188s, expires in 2932s
in c281ec0f, 0 bytes, 0 packets
out c290fff2, 0 bytes, 0 packets
partner-phase2: #2633, reqid 26, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
installed 668s ago, rekeying in 1913s, expires in 2932s
in c73a42eb, 0 bytes, 0 packets
out ca21c339, 0 bytes, 0 packets
Here is the configuration file:
conn partner
auto=start
authby=secret
keyexchange=ikev2
ike=aes256-sha2_256-modp3072
left=xx.xx.xx.xx
leftid=xx.xx.xx.xx
right=xx.xx.xx.xx
rightid=xx.xx.xx.xx
ikelifetime=21600s
aggressive=no
dpdtimeout=120s
dpddelay=30s
dpdaction=restart
conn partner-phase2
also=partner
type=tunnel
esp=aes256-sha2_256-modp3072
compress=no
leftsubnet=xx.xx.xx.xx/32,xx.xx.xx.xx/32,xx.xx.xx.xx/32
rightsubnet=xx.xx.xx.xx/24
lifetime=3600s
Extract from charon.log:
[2021-11-25 10:22:57] 06[IKE] <partner|1837> activating CHILD_REKEY task
[2021-11-25 10:22:57] 06[IKE] <partner|1837> establishing CHILD_SA partner-phase2{2675} reqid 26
[2021-11-25 10:22:57] 06[ENC] <partner|1837> generating CREATE_CHILD_SA request 80 [ N(REKEY_SA) SA No KE TSi TSr ]
[2021-11-25 10:22:57] 06[NET] <partner|1837> sending packet: from xx.xx.xx.xx[4500] to xx.xx.xx.xx[4500] (736 bytes)
[2021-11-25 10:22:58] 16[NET] <partner|1837> received packet: from xx.xx.xx.xx[4500] to xx.xx.xx.xx[4500] (208 bytes)
[2021-11-25 10:22:58] 16[ENC] <partner|1837> parsed CREATE_CHILD_SA response 80 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
[2021-11-25 10:22:58] 16[IKE] <partner|1837> received ESP_TFC_PADDING_NOT_SUPPORTED notify
[2021-11-25 10:22:58] 16[IKE] <partner|1837> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
[2021-11-25 10:22:58] 16[CFG] <partner|1837> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
[2021-11-25 10:22:58] 16[IKE] <partner|1837> ignoring KE exchange, agreed on a non-PFS proposal
[2021-11-25 10:22:58] 16[IKE] <partner|1837> inbound CHILD_SA partner-phase2{2675} established with SPIs cede52fe_i c22f460a_o and TS xx.xx.xx.xx/32 === xx.xx.xx.xx/24
[2021-11-25 10:22:58] 16[IKE] <partner|1837> outbound CHILD_SA partner-phase2{2675} established with SPIs cede52fe_i c22f460a_o and TS xx.xx.xx.xx/32 === xx.xx.xx.xx/24
[2021-11-25 10:22:58] 16[IKE] <partner|1837> reinitiating already active tasks
[2021-11-25 10:22:58] 16[IKE] <partner|1837> CHILD_REKEY task
[2021-11-25 10:22:58] 16[IKE] <partner|1837> closing CHILD_SA partner-phase2{2641} with SPIs c48f9704_i (0 bytes) c8d17eb6_o (0 bytes) and TS xx.xx.xx.xx/32 === xx.xx.xx.xx/24
[2021-11-25 10:22:58] 16[IKE] <partner|1837> sending DELETE for ESP CHILD_SA with SPI c48f9704
[2021-11-25 10:22:58] 16[ENC] <partner|1837> generating INFORMATIONAL request 81 [ D ]
[2021-11-25 10:22:58] 16[NET] <partner|1837> sending packet: from xx.xx.xx.xx[4500] to xx.xx.xx.xx[4500] (80 bytes)
[2021-11-25 10:22:58] 07[NET] <partner|1837> received packet: from xx.xx.xx.xx[4500] to xx.xx.xx.xx[4500] (80 bytes)
[2021-11-25 10:22:58] 07[ENC] <partner|1837> parsed INFORMATIONAL response 81 [ D ]
[2021-11-25 10:22:58] 07[IKE] <partner|1837> received DELETE for ESP CHILD_SA with SPI c8d17eb6
[2021-11-25 10:22:58] 07[IKE] <partner|1837> CHILD_SA closed
[2021-11-25 10:22:58] 07[IKE] <partner|1837> activating new tasks
[2021-11-25 10:22:58] 07[IKE] <partner|1837> nothing to initiate
0 Answers
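An added monitoring check, not part of the question above, that parses `swanctl -l` output in the format shown and flags any reqid holding more CHILD_SAs than expected (one active plus at most one being rekeyed, an assumed threshold), listing the idle ones, so the accumulation can be alerted on before the peer runs out of resources. The sample output is constructed from the question's format, with one SA given non-zero traffic.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `swanctl -l` (IPs removed, as in the question).
SAMPLE = """\
partner: #1837, ESTABLISHED, IKEv2
  established 669s ago, reauth in 19183s
  partner-phase2: #2629, reqid 26, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 669s ago, rekeying in 1990s, expires in 2931s
    in cd63b8c2, 0 bytes, 0 packets
    out cacc8158, 0 bytes, 0 packets
  partner-phase2: #2630, reqid 26, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 669s ago, rekeying in 2087s, expires in 2931s
    in c859fcff, 0 bytes, 0 packets
    out c2e8b52a, 0 bytes, 0 packets
  partner-phase2: #2631, reqid 26, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 669s ago, rekeying in 1853s, expires in 2932s
    in cb8845a0, 1200 bytes, 10 packets
    out c3507f7a, 900 bytes, 8 packets
"""

CHILD_RE = re.compile(r"^\s*(\S+): #(\d+), reqid (\d+), (\w+)")
TRAFFIC_RE = re.compile(r"^\s*(in|out) [0-9a-f]+, (\d+) bytes, (\d+) packets")

def parse_child_sas(text):
    """Return one dict per CHILD_SA: connection name, id, reqid, state, total bytes."""
    sas = []
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if m:
            sas.append({"conn": m.group(1), "id": int(m.group(2)),
                        "reqid": int(m.group(3)), "state": m.group(4), "bytes": 0})
            continue
        m = TRAFFIC_RE.match(line)
        if m and sas:  # in/out counters belong to the most recent CHILD_SA header
            sas[-1]["bytes"] += int(m.group(2))
    return sas

def find_accumulation(text, max_per_reqid=2):
    """Group CHILD_SAs by reqid and flag reqids exceeding max_per_reqid
    (assumed: one active SA plus one mid-rekey), reporting the idle SA ids."""
    by_reqid = defaultdict(list)
    for sa in parse_child_sas(text):
        by_reqid[sa["reqid"]].append(sa)
    findings = {}
    for reqid, sas in by_reqid.items():
        if len(sas) > max_per_reqid:
            idle = sorted(sa["id"] for sa in sas if sa["bytes"] == 0)
            findings[reqid] = {"total": len(sas), "idle": idle}
    return findings
```

Feed it the real output with `find_accumulation(subprocess.run(["swanctl", "-l"], capture_output=True, text=True).stdout)` from cron or a monitoring agent; a non-empty result means stale CHILD_SAs are piling up under one reqid.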