Continuous initiating IKE_SA

ale · May 11, 2020, 12:51pm

Hello,
We are having some issues with an IPSec VPN between vyos and azure.
While the VPN is still up, vyos is initiating a lot (every 2/3 minutes) of IKE_SA as shown in those logs :

Line 983704: May 11 13:59:58 rvpn01g charon: 12[IKE] initiating IKE_SA peer-Azure_IP-tunnel-100[1] to Azure_IP
Line 983704: May 11 13:59:58 rvpn01g charon: 12[IKE] initiating IKE_SA peer-Azure_IP-tunnel-100[1] to Azure_IP
Line 983705: May 11 13:59:58 rvpn01g charon: 12[IKE] initiating IKE_SA peer-Azure_IP-tunnel-100[1] to Azure_IP
Line 983705: May 11 13:59:58 rvpn01g charon: 12[IKE] initiating IKE_SA peer-Azure_IP-tunnel-100[1] to Azure_IP
Line 983707: May 11 13:59:58 rvpn01g charon: 12[NET] sending packet: from Our_IP[4500] to Azure_IP[4500]
Line 983811: May 11 14:00:02 rvpn01g charon: 06[NET] sending packet: from Our_IP[4500] to Azure_IP[4500]
Line 984017: May 11 14:00:09 rvpn01g charon: 15[NET] sending packet: from Our_IP[4500] to Azure_IP[4500]
Line 984223: May 11 14:00:22 rvpn01g charon: 10[NET] sending packet: from Our_IP[4500] to Azure_IP[4500]
Line 984735: May 11 14:00:46 rvpn01g charon: 14[NET] sending packet: from Our_IP[4500] to Azure_IP[4500]
Line 985553: May 11 14:01:28 rvpn01g charon: 08[NET] sending packet: from Our_IP[4500] to Azure_IP[4500]
Line 987086: May 11 14:02:43 rvpn01g charon: 05[IKE] initiating IKE_SA peer-Azure_IP-tunnel-100[1] to Azure_IP
Line 987086: May 11 14:02:43 rvpn01g charon: 05[IKE] initiating IKE_SA peer-Azure_IP-tunnel-100[1] to Azure_IP
Line 987087: May 11 14:02:43 rvpn01g charon: 05[IKE] initiating IKE_SA peer-Azure_IP-tunnel-100[1] to Azure_IP
Line 987087: May 11 14:02:43 rvpn01g charon: 05[IKE] initiating IKE_SA peer-Azure_IP-tunnel-100[1] to Azure_IP
Line 987089: May 11 14:02:43 rvpn01g charon: 05[NET] sending packet: from Our_IP[4500] to Azure_IP[4500]
Line 987193: May 11 14:02:47 rvpn01g charon: 16[NET] sending packet: from Our_IP[4500] to Azure_IP[4500]
Line 987399: May 11 14:02:54 rvpn01g charon: 12[NET] sending packet: from Our_IP[4500] to Azure_IP[4500]
Line 987605: May 11 14:03:07 rvpn01g charon: 06[NET] sending packet: from Our_IP[4500] to Azure_IP[4500]
Line 988117: May 11 14:03:31 rvpn01g charon: 15[NET] sending packet: from Our_IP[4500] to Azure_IP[4500]

Also we are having frequent (around 1 per day for few minutes) disconnection with that VPN.

vyos version :
show version
Version: VyOS 1.1.8
Description: VyOS 1.1.8 (helium)
Copyright: 2017 VyOS maintainers and contributors
Built by: maintainers@vyos.net
Built on: Sat Nov 11 13:44:36 UTC 2017
Build ID: 1711111344-b483efc
System type: x86 64-bit
Boot via: disk
HW model: IBM System x3550 M4: -[7914MTP]-

And VPN conf :

esp-group ESP-Azure {
    compression disable
    lifetime 3600
    mode tunnel
    pfs disable
    proposal 1 {
        encryption aes256
        hash sha1
    }
}


ike-group IKE-Azure {
    ikev2-reauth no
    key-exchange ikev2
    lifetime 28800
    proposal 1 {
        dh-group 2
        encryption aes256
        hash sha1
    }
}


site-to-site {
    peer Azure_IP {
        authentication {
            id Our_IP
            mode pre-shared-secret
            pre-shared-secret ****************
        }
        connection-type initiate
        default-esp-group ESP-Azure
        ike-group IKE-Azure
        ikev2-reauth inherit
        local-address Our_IP
        tunnel 100 {
            allow-nat-networks disable
            allow-public-networks disable
            local {
                prefix 0.0.0.0/0
            }
            protocol all
            remote {
                prefix 10.192.0.0/13
            }
        }
    }

Any idea of what could cause this issue ?
Thanks

s.lorente · May 11, 2020, 1:43pm

Hi ale,

Can you try enabling pfs (Perfect Forward Secrecy) and having the same values on both sides?