IPSEC child SA failing on renegotiation

Hi,

Every so often I see the IPSEC tunnels drop, while the IKE SA stays up. I see this in the logs.

Apr 26 12:56:16 charon[66609]: 13[ENC] <AWS_DC|1> parsed CREATE_CHILD_SA request 385 [ SA No KE TSi TSr ]
Apr 26 12:56:16 charon[66609]: 13[CFG] <AWS_DC|1> received proposals: ESP:AES_CBC_128/AES_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/MODP_2048/MODP_1024/MODP_1536/MODP_3072/MODP_4096/MODP_6144/MODP_8192/ECP_256/ECP_384/ECP_521/MODP_1024_160/MODP_2048_224/MODP_2048_256/NO_EXT_SEQ, ESP:AES_GCM_16_128/AES_GCM_16_256/MODP_2048/MODP_1024/MODP_1536/MODP_3072/MODP_4096/MODP_6144/MODP_8192/ECP_256/ECP_384/ECP_521/MODP_1024_160/MODP_2048_224/MODP_2048_256/NO_EXT_SEQ
Apr 26 12:56:16 charon[66609]: 13[CFG] <AWS_DC|1> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Apr 26 12:56:16 charon[66609]: 13[IKE] <AWS_DC|1> no acceptable proposal found
Apr 26 12:56:16 charon[66609]: 13[IKE] <AWS_DC|1> failed to establish CHILD_SA, keeping IKE_SA
Apr 26 12:56:16 charon[66609]: 13[ENC] <AWS_DC|1> generating CREATE_CHILD_SA response 385 [ N(NO_PROP) ]

I don’t understand what’s wrong if the proposal works the first time and it works for some of the rekeys. Nothing is changing on the AWS side. We used a strongSwan implementation before with the same values that we’re using on VyOS, with no drops.

I would suggest you do have a configuration mismatch; you just don’t notice it immediately.

This link explains how that can be.
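As an added illustration (not part of this reply, nor VyOS or strongSwan code), a small Python check over the charon lines from the first post, re-typed with the peer's long proposal list trimmed: it reads the received and configured ESP proposals and reports why the rekey is refused. In this log the CREATE_CHILD_SA request carries a KE payload and every received proposal names a DH group, while the configured proposal lists none; the check assumes the configured proposal has one transform per type, as it does here.

```python
import re

# Constructed sample: the charon lines from the first post, with the peer's long
# proposal list trimmed. The KE payload means the peer does a DH exchange (PFS).
SAMPLE_LOG = """\
Apr 26 12:56:16 charon[66609]: 13[ENC] <AWS_DC|1> parsed CREATE_CHILD_SA request 385 [ SA No KE TSi TSr ]
Apr 26 12:56:16 charon[66609]: 13[CFG] <AWS_DC|1> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/MODP_1024/ECP_256/NO_EXT_SEQ, ESP:AES_GCM_16_128/AES_GCM_16_256/MODP_2048/ECP_256/NO_EXT_SEQ
Apr 26 12:56:16 charon[66609]: 13[CFG] <AWS_DC|1> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
"""
DH_GROUP = re.compile(r"^(MODP|ECP|CURVE)_")  # strongSwan names for DH groups

def parse_proposals(text):
    """'ESP:A/B, ESP:C' -> [('ESP', ['A', 'B']), ('ESP', ['C'])]"""
    return [(proto, algs.split("/")) for proto, _, algs in
            (p.partition(":") for p in text.split(", "))]

def split_dh(transforms):
    """Separate DH groups from the cipher/integrity/ESN transforms."""
    dh = {t for t in transforms if DH_GROUP.match(t)}
    return dh, set(transforms) - dh

def explain_rekey_mismatch(log):
    """Return (pfs_requested, reasons); reasons is empty if some received proposal
    satisfies the configured one (assumed to list one transform per type)."""
    pfs = received = configured = None
    for line in log.splitlines():
        if "CREATE_CHILD_SA request" in line:
            pfs = " KE " in line  # KE payload present => peer insists on PFS
        elif m := re.search(r"received proposals: (.+)$", line):
            received = parse_proposals(m.group(1))
        elif m := re.search(r"configured proposals: (.+)$", line):
            configured = parse_proposals(m.group(1))
    if not (received and configured):
        raise ValueError("log lacks the received/configured proposal lines")
    reasons = []
    for proto, cfg in configured:
        cfg_dh, cfg_other = split_dh(cfg)
        for rproto, rcv in received:
            if rproto != proto: continue
            rcv_dh, rcv_other = split_dh(rcv)
            if missing := cfg_other - rcv_other:
                reasons.append(f"{proto}: peer offers no {'/'.join(sorted(missing))}")
            elif rcv_dh and not cfg_dh:
                reasons.append(f"{proto}: peer wants PFS ({'/'.join(sorted(rcv_dh))}) but the configured proposal has no DH group")
            elif cfg_dh and not (cfg_dh & rcv_dh):
                reasons.append(f"{proto}: no DH group in common")
            else:
                return pfs, []  # this received proposal matches; no mismatch
    return pfs, reasons
```

Adding a DH group the peer also offers (for example MODP_2048) to the configured ESP proposal makes the same check return no reasons, which is why the first CHILD_SA (keyed from the IKE_SA, no KE payload) works while PFS rekeys fail.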

Perfect, thanks. I needed a different DH group.
