IPSec connection goes into create delete loop after ipsec params update

vti
vpn
ipsec

#1

Hi All,

I am observing a strange behaviour where my ipsec connection goes into a continuous loop of create and delete after updating some of the ipsec params like the ike proposal dh-group/auth algo or any other ipsec param update.
My topology is a simple 1-1 vpn without any nat-gw in between. I am using VTI for route learning. After the update I am doing ‘restart vpn’ on both vpn nodes.

VPN-Node1 Configuration

set interfaces vti vti0 address '100.64.0.1/30'
set vpn ipsec auto-update '60'
set vpn ipsec esp-group 192.168.6.173 lifetime '43200'
set vpn ipsec esp-group 192.168.6.173 pfs 'dh-group2'
set vpn ipsec esp-group 192.168.6.173 proposal 1 encryption 'aes128'
set vpn ipsec esp-group 192.168.6.173 proposal 1 hash 'sha1'
set vpn ipsec ike-group 192.168.6.173 dead-peer-detection action 'restart'
set vpn ipsec ike-group 192.168.6.173 dead-peer-detection interval '20'
set vpn ipsec ike-group 192.168.6.173 dead-peer-detection timeout '120'
set vpn ipsec ike-group 192.168.6.173 key-exchange 'ikev2'
set vpn ipsec ike-group 192.168.6.173 lifetime '86400'
set vpn ipsec ike-group 192.168.6.173 proposal 1 dh-group '2'
set vpn ipsec ike-group 192.168.6.173 proposal 1 encryption 'aes128'
set vpn ipsec ike-group 192.168.6.173 proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 192.168.6.173 authentication id '100.64.0.1'
set vpn ipsec site-to-site peer 192.168.6.173 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.6.173 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 192.168.6.173 authentication remote-id '100.64.0.2'
set vpn ipsec site-to-site peer 192.168.6.173 default-esp-group '192.168.6.173'
set vpn ipsec site-to-site peer 192.168.6.173 ike-group '192.168.6.173'
set vpn ipsec site-to-site peer 192.168.6.173 local-address '192.168.6.171'
set vpn ipsec site-to-site peer 192.168.6.173 vti bind 'vti0'
set vpn ipsec site-to-site peer 192.168.6.173 vti esp-group '192.168.6.173'

VPN-Node2 Configuration

set interfaces vti vti0 address '100.64.0.2/30'
set vpn ipsec auto-update '60'
set vpn ipsec esp-group 192.168.6.171 lifetime '43200'
set vpn ipsec esp-group 192.168.6.171 pfs 'dh-group2'
set vpn ipsec esp-group 192.168.6.171 proposal 1 encryption 'aes128'
set vpn ipsec esp-group 192.168.6.171 proposal 1 hash 'sha1'
set vpn ipsec ike-group 192.168.6.171 dead-peer-detection action 'restart'
set vpn ipsec ike-group 192.168.6.171 dead-peer-detection interval '30'
set vpn ipsec ike-group 192.168.6.171 dead-peer-detection timeout '120'
set vpn ipsec ike-group 192.168.6.171 key-exchange 'ikev2'
set vpn ipsec ike-group 192.168.6.171 lifetime '86400'
set vpn ipsec ike-group 192.168.6.171 proposal 1 dh-group '2'
set vpn ipsec ike-group 192.168.6.171 proposal 1 encryption 'aes128'
set vpn ipsec ike-group 192.168.6.171 proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 192.168.6.171 authentication id '100.64.0.2'
set vpn ipsec site-to-site peer 192.168.6.171 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.6.171 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 192.168.6.171 authentication remote-id '100.64.0.1'
set vpn ipsec site-to-site peer 192.168.6.171 default-esp-group '192.168.6.171'
set vpn ipsec site-to-site peer 192.168.6.171 ike-group '192.168.6.171'
set vpn ipsec site-to-site peer 192.168.6.171 local-address '192.168.6.173'
set vpn ipsec site-to-site peer 192.168.6.171 vti bind 'vti0'
set vpn ipsec site-to-site peer 192.168.6.171 vti esp-group '192.168.6.171'

After Update Charon logs

VPN-Node1

Apr 16 05:50:13 12[NET] <peer-192.168.6.173-tunnel-vti|2> received packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:13 12[ENC] <peer-192.168.6.173-tunnel-vti|2> parsed INFORMATIONAL request 1 [ D ]
Apr 16 05:50:13 12[IKE] <peer-192.168.6.173-tunnel-vti|2> received DELETE for IKE_SA peer-192.168.6.173-tunnel-vti[2]
Apr 16 05:50:13 12[IKE] <peer-192.168.6.173-tunnel-vti|2> deleting IKE_SA peer-192.168.6.173-tunnel-vti[2] between 192.168.6.171[100.64.0.1]...192.168.6.173[100.64.0.2]
Apr 16 05:50:13 12[IKE] <peer-192.168.6.173-tunnel-vti|2> restarting CHILD_SA peer-192.168.6.173-tunnel-vti
Apr 16 05:50:13 12[IKE] <peer-192.168.6.173-tunnel-vti|2> initiating IKE_SA peer-192.168.6.173-tunnel-vti[5] to 192.168.6.173
Apr 16 05:50:13 12[ENC] <peer-192.168.6.173-tunnel-vti|2> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Apr 16 05:50:13 12[NET] <peer-192.168.6.173-tunnel-vti|2> sending packet: from 192.168.6.171[500] to 192.168.6.173[500] (320 bytes)
Apr 16 05:50:13 12[IKE] <peer-192.168.6.173-tunnel-vti|2> IKE_SA deleted
Apr 16 05:50:13 09[NET] <peer-192.168.6.173-tunnel-vti|5> received packet: from 192.168.6.173[500] to 192.168.6.171[500] (328 bytes)
Apr 16 05:50:13 13[KNL] interface vti0 deactivated
Apr 16 05:50:13 12[ENC] <peer-192.168.6.173-tunnel-vti|2> generating INFORMATIONAL response 1 [ ]
Apr 16 05:50:13 09[ENC] <peer-192.168.6.173-tunnel-vti|5> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Apr 16 05:50:13 12[NET] <peer-192.168.6.173-tunnel-vti|2> sending packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:13 09[IKE] <peer-192.168.6.173-tunnel-vti|5> authentication of '100.64.0.1' (myself) with pre-shared key
Apr 16 05:50:13 09[IKE] <peer-192.168.6.173-tunnel-vti|5> establishing CHILD_SA peer-192.168.6.173-tunnel-vti{2}
Apr 16 05:50:13 09[ENC] <peer-192.168.6.173-tunnel-vti|5> generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Apr 16 05:50:13 09[NET] <peer-192.168.6.173-tunnel-vti|5> sending packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (252 bytes)
Apr 16 05:50:13 04[IKE] <peer-192.168.6.173-tunnel-vti|4> sending address list update using MOBIKE
Apr 16 05:50:13 04[ENC] <peer-192.168.6.173-tunnel-vti|4> generating INFORMATIONAL request 3 [ N(NO_ADD_ADDR) ]
Apr 16 05:50:13 04[NET] <peer-192.168.6.173-tunnel-vti|4> sending packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:13 10[NET] <peer-192.168.6.173-tunnel-vti|4> received packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:13 09[NET] <peer-192.168.6.173-tunnel-vti|5> received packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (220 bytes)
Apr 16 05:50:13 10[ENC] <peer-192.168.6.173-tunnel-vti|4> parsed INFORMATIONAL response 3 [ ]
Apr 16 05:50:13 09[ENC] <peer-192.168.6.173-tunnel-vti|5> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Apr 16 05:50:13 09[IKE] <peer-192.168.6.173-tunnel-vti|5> authentication of '100.64.0.2' with pre-shared key successful
Apr 16 05:50:13 09[IKE] <peer-192.168.6.173-tunnel-vti|5> IKE_SA peer-192.168.6.173-tunnel-vti[5] established between 192.168.6.171[100.64.0.1]...192.168.6.173[100.64.0.2]
Apr 16 05:50:13 09[IKE] <peer-192.168.6.173-tunnel-vti|5> scheduling rekeying in 85522s
Apr 16 05:50:13 09[IKE] <peer-192.168.6.173-tunnel-vti|5> maximum IKE_SA lifetime 86062s
Apr 16 05:50:13 09[IKE] <peer-192.168.6.173-tunnel-vti|5> CHILD_SA peer-192.168.6.173-tunnel-vti{5} established with SPIs c60c88db_i c6c6e173_o and TS 0.0.0.0/0 === 0.0.0.0/0
Apr 16 05:50:13 12[NET] <peer-192.168.6.173-tunnel-vti|4> received packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:14 07[KNL] interface vti0 activated
Apr 16 05:50:14 09[IKE] <peer-192.168.6.173-tunnel-vti|5> peer supports MOBIKE
Apr 16 05:50:14 12[ENC] <peer-192.168.6.173-tunnel-vti|4> parsed INFORMATIONAL request 1 [ N(ADD_4_ADDR) ]
Apr 16 05:50:14 12[ENC] <peer-192.168.6.173-tunnel-vti|4> generating INFORMATIONAL response 1 [ ]
Apr 16 05:50:14 12[NET] <peer-192.168.6.173-tunnel-vti|4> sending packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:14 15[NET] <peer-192.168.6.173-tunnel-vti|5> received packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:14 15[ENC] <peer-192.168.6.173-tunnel-vti|5> parsed INFORMATIONAL request 0 [ N(ADD_4_ADDR) ]
Apr 16 05:50:14 15[ENC] <peer-192.168.6.173-tunnel-vti|5> generating INFORMATIONAL response 0 [ ]
Apr 16 05:50:14 15[NET] <peer-192.168.6.173-tunnel-vti|5> sending packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:14 09[IKE] <peer-192.168.6.173-tunnel-vti|4> sending address list update using MOBIKE
Apr 16 05:50:14 09[ENC] <peer-192.168.6.173-tunnel-vti|4> generating INFORMATIONAL request 4 [ N(ADD_4_ADDR) ]
Apr 16 05:50:14 09[NET] <peer-192.168.6.173-tunnel-vti|4> sending packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:14 09[IKE] <peer-192.168.6.173-tunnel-vti|5> sending address list update using MOBIKE
Apr 16 05:50:14 09[ENC] <peer-192.168.6.173-tunnel-vti|5> generating INFORMATIONAL request 2 [ N(ADD_4_ADDR) ]
Apr 16 05:50:14 09[NET] <peer-192.168.6.173-tunnel-vti|5> sending packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:14 14[NET] <peer-192.168.6.173-tunnel-vti|4> received packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:14 15[NET] <peer-192.168.6.173-tunnel-vti|5> received packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:14 14[ENC] <peer-192.168.6.173-tunnel-vti|4> parsed INFORMATIONAL response 4 [ ]
Apr 16 05:50:14 15[ENC] <peer-192.168.6.173-tunnel-vti|5> parsed INFORMATIONAL response 2 [ ]
Apr 16 05:50:23 13[NET] <peer-192.168.6.173-tunnel-vti|4> received packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:23 13[ENC] <peer-192.168.6.173-tunnel-vti|4> parsed INFORMATIONAL request 2 [ D ]
Apr 16 05:50:23 13[IKE] <peer-192.168.6.173-tunnel-vti|4> received DELETE for IKE_SA peer-192.168.6.173-tunnel-vti[4]
Apr 16 05:50:23 13[IKE] <peer-192.168.6.173-tunnel-vti|4> deleting IKE_SA peer-192.168.6.173-tunnel-vti[4] between 192.168.6.171[100.64.0.1]...192.168.6.173[100.64.0.2]
Apr 16 05:50:23 13[NET] <peer-192.168.6.173-tunnel-vti|4> received packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:23 13[ENC] <peer-192.168.6.173-tunnel-vti|4> parsed INFORMATIONAL request 2 [ D ]
Apr 16 05:50:23 13[IKE] <peer-192.168.6.173-tunnel-vti|4> received DELETE for IKE_SA peer-192.168.6.173-tunnel-vti[4]
Apr 16 05:50:23 13[IKE] <peer-192.168.6.173-tunnel-vti|4> deleting IKE_SA peer-192.168.6.173-tunnel-vti[4] between 192.168.6.171[100.64.0.1]...192.168.6.173[100.64.0.2]
Apr 16 05:50:23 13[IKE] <peer-192.168.6.173-tunnel-vti|4> restarting CHILD_SA peer-192.168.6.173-tunnel-vti
Apr 16 05:50:23 13[IKE] <peer-192.168.6.173-tunnel-vti|4> initiating IKE_SA peer-192.168.6.173-tunnel-vti[6] to 192.168.6.173
Apr 16 05:50:23 13[ENC] <peer-192.168.6.173-tunnel-vti|4> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Apr 16 05:50:23 13[NET] <peer-192.168.6.173-tunnel-vti|4> sending packet: from 192.168.6.171[500] to 192.168.6.173[500] (320 bytes)
Apr 16 05:50:23 13[IKE] <peer-192.168.6.173-tunnel-vti|4> IKE_SA deleted
Apr 16 05:50:23 14[NET] <peer-192.168.6.173-tunnel-vti|6> received packet: from 192.168.6.173[500] to 192.168.6.171[500] (328 bytes)
Apr 16 05:50:23 15[KNL] interface vti0 deactivated
Apr 16 05:50:23 13[ENC] <peer-192.168.6.173-tunnel-vti|4> generating INFORMATIONAL response 2 [ ]
Apr 16 05:50:23 13[NET] <peer-192.168.6.173-tunnel-vti|4> sending packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:23 14[ENC] <peer-192.168.6.173-tunnel-vti|6> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Apr 16 05:50:23 14[IKE] <peer-192.168.6.173-tunnel-vti|6> authentication of '100.64.0.1' (myself) with pre-shared key
Apr 16 05:50:23 14[IKE] <peer-192.168.6.173-tunnel-vti|6> establishing CHILD_SA peer-192.168.6.173-tunnel-vti{2}
Apr 16 05:50:23 14[ENC] <peer-192.168.6.173-tunnel-vti|6> generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Apr 16 05:50:23 14[NET] <peer-192.168.6.173-tunnel-vti|6> sending packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (252 bytes)
Apr 16 05:50:24 06[IKE] <peer-192.168.6.173-tunnel-vti|5> sending address list update using MOBIKE
Apr 16 05:50:24 06[ENC] <peer-192.168.6.173-tunnel-vti|5> generating INFORMATIONAL request 3 [ N(NO_ADD_ADDR) ]
Apr 16 05:50:24 06[NET] <peer-192.168.6.173-tunnel-vti|5> sending packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:24 13[NET] <peer-192.168.6.173-tunnel-vti|5> received packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:24 13[ENC] <peer-192.168.6.173-tunnel-vti|5> parsed INFORMATIONAL response 3 [ ]
Apr 16 05:50:24 14[NET] <peer-192.168.6.173-tunnel-vti|6> received packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (220 bytes)
Apr 16 05:50:24 14[ENC] <peer-192.168.6.173-tunnel-vti|6> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Apr 16 05:50:24 14[IKE] <peer-192.168.6.173-tunnel-vti|6> authentication of '100.64.0.2' with pre-shared key successful
Apr 16 05:50:24 14[IKE] <peer-192.168.6.173-tunnel-vti|6> IKE_SA peer-192.168.6.173-tunnel-vti[6] established between 192.168.6.171[100.64.0.1]...192.168.6.173[100.64.0.2]
Apr 16 05:50:24 14[IKE] <peer-192.168.6.173-tunnel-vti|6> scheduling rekeying in 85750s
Apr 16 05:50:24 14[IKE] <peer-192.168.6.173-tunnel-vti|6> maximum IKE_SA lifetime 86290s
Apr 16 05:50:24 14[IKE] <peer-192.168.6.173-tunnel-vti|6> CHILD_SA peer-192.168.6.173-tunnel-vti{6} established with SPIs c347a370_i c3497926_o and TS 0.0.0.0/0 === 0.0.0.0/0
Apr 16 05:50:24 10[NET] <peer-192.168.6.173-tunnel-vti|5> received packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:24 13[KNL] interface vti0 activated
Apr 16 05:50:24 14[IKE] <peer-192.168.6.173-tunnel-vti|6> peer supports MOBIKE
Apr 16 05:50:24 10[ENC] <peer-192.168.6.173-tunnel-vti|5> parsed INFORMATIONAL request 1 [ N(ADD_4_ADDR) ]
Apr 16 05:50:24 10[ENC] <peer-192.168.6.173-tunnel-vti|5> generating INFORMATIONAL response 1 [ ]
Apr 16 05:50:24 09[NET] <peer-192.168.6.173-tunnel-vti|6> received packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:24 10[NET] <peer-192.168.6.173-tunnel-vti|5> sending packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:24 09[ENC] <peer-192.168.6.173-tunnel-vti|6> parsed INFORMATIONAL request 0 [ N(ADD_4_ADDR) ]
Apr 16 05:50:24 09[ENC] <peer-192.168.6.173-tunnel-vti|6> generating INFORMATIONAL response 0 [ ]
Apr 16 05:50:24 09[NET] <peer-192.168.6.173-tunnel-vti|6> sending packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:24 05[IKE] <peer-192.168.6.173-tunnel-vti|5> sending address list update using MOBIKE
Apr 16 05:50:24 05[ENC] <peer-192.168.6.173-tunnel-vti|5> generating INFORMATIONAL request 4 [ N(ADD_4_ADDR) ]
Apr 16 05:50:24 05[NET] <peer-192.168.6.173-tunnel-vti|5> sending packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:24 05[IKE] <peer-192.168.6.173-tunnel-vti|6> sending address list update using MOBIKE
Apr 16 05:50:24 05[ENC] <peer-192.168.6.173-tunnel-vti|6> generating INFORMATIONAL request 2 [ N(ADD_4_ADDR) ]
Apr 16 05:50:24 05[NET] <peer-192.168.6.173-tunnel-vti|6> sending packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:24 11[NET] <peer-192.168.6.173-tunnel-vti|5> received packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:24 04[NET] <peer-192.168.6.173-tunnel-vti|6> received packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:24 11[ENC] <peer-192.168.6.173-tunnel-vti|5> parsed INFORMATIONAL response 4 [ ]
Apr 16 05:50:24 04[ENC] <peer-192.168.6.173-tunnel-vti|6> parsed INFORMATIONAL response 2 [ ]

VPN-Node2

Apr 16 05:50:13 08[IKE] <peer-192.168.6.171-tunnel-vti|2> deleting IKE_SA peer-192.168.6.171-tunnel-vti[2] between 192.168.6.173[100.64.0.2]...192.168.6.171[100.64.0.1]
Apr 16 05:50:13 08[IKE] <peer-192.168.6.171-tunnel-vti|2> sending DELETE for IKE_SA peer-192.168.6.171-tunnel-vti[2]
Apr 16 05:50:13 08[ENC] <peer-192.168.6.171-tunnel-vti|2> generating INFORMATIONAL request 1 [ D ]
Apr 16 05:50:13 08[NET] <peer-192.168.6.171-tunnel-vti|2> sending packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:13 12[NET] <4> received packet: from 192.168.6.171[500] to 192.168.6.173[500] (320 bytes)
Apr 16 05:50:13 12[ENC] <4> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Apr 16 05:50:13 12[IKE] <4> 192.168.6.171 is initiating an IKE_SA
Apr 16 05:50:13 12[ENC] <4> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Apr 16 05:50:13 12[NET] <4> sending packet: from 192.168.6.173[500] to 192.168.6.171[500] (328 bytes)
Apr 16 05:50:13 06[NET] <peer-192.168.6.171-tunnel-vti|2> received packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:13 06[ENC] <peer-192.168.6.171-tunnel-vti|2> parsed INFORMATIONAL response 1 [ ]
Apr 16 05:50:13 06[IKE] <peer-192.168.6.171-tunnel-vti|2> IKE_SA deleted
Apr 16 05:50:13 13[NET] <4> received packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (252 bytes)
Apr 16 05:50:13 16[KNL] interface vti0 deactivated
Apr 16 05:50:13 13[ENC] <4> parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Apr 16 05:50:13 13[CFG] <4> looking for peer configs matching 192.168.6.173[100.64.0.2]...192.168.6.171[100.64.0.1]
Apr 16 05:50:13 13[CFG] <peer-192.168.6.171-tunnel-vti|4> selected peer config 'peer-192.168.6.171-tunnel-vti'
Apr 16 05:50:13 13[IKE] <peer-192.168.6.171-tunnel-vti|4> authentication of '100.64.0.1' with pre-shared key successful
Apr 16 05:50:13 13[IKE] <peer-192.168.6.171-tunnel-vti|4> peer supports MOBIKE
Apr 16 05:50:13 13[IKE] <peer-192.168.6.171-tunnel-vti|4> authentication of '100.64.0.2' (myself) with pre-shared key
Apr 16 05:50:13 13[IKE] <peer-192.168.6.171-tunnel-vti|4> IKE_SA peer-192.168.6.171-tunnel-vti[4] established between 192.168.6.173[100.64.0.2]...192.168.6.171[100.64.0.1]
Apr 16 05:50:13 13[IKE] <peer-192.168.6.171-tunnel-vti|4> scheduling rekeying in 85358s
Apr 16 05:50:13 13[IKE] <peer-192.168.6.171-tunnel-vti|4> maximum IKE_SA lifetime 85898s
Apr 16 05:50:13 13[IKE] <peer-192.168.6.171-tunnel-vti|4> CHILD_SA peer-192.168.6.171-tunnel-vti{4} established with SPIs c6c6e173_i c60c88db_o and TS 0.0.0.0/0 === 0.0.0.0/0
Apr 16 05:50:13 06[NET] <peer-192.168.6.171-tunnel-vti|3> received packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:13 14[KNL] interface vti0 activated
Apr 16 05:50:13 13[ENC] <peer-192.168.6.171-tunnel-vti|4> generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Apr 16 05:50:13 13[NET] <peer-192.168.6.171-tunnel-vti|4> sending packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (220 bytes)
Apr 16 05:50:13 06[ENC] <peer-192.168.6.171-tunnel-vti|3> parsed INFORMATIONAL request 3 [ N(NO_ADD_ADDR) ]
Apr 16 05:50:13 06[ENC] <peer-192.168.6.171-tunnel-vti|3> generating INFORMATIONAL response 3 [ ]
Apr 16 05:50:13 06[NET] <peer-192.168.6.171-tunnel-vti|3> sending packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:13 14[IKE] <peer-192.168.6.171-tunnel-vti|3> sending address list update using MOBIKE
Apr 16 05:50:13 14[ENC] <peer-192.168.6.171-tunnel-vti|3> generating INFORMATIONAL request 1 [ N(ADD_4_ADDR) ]
Apr 16 05:50:13 14[NET] <peer-192.168.6.171-tunnel-vti|3> sending packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:13 14[IKE] <peer-192.168.6.171-tunnel-vti|4> sending address list update using MOBIKE
Apr 16 05:50:13 14[ENC] <peer-192.168.6.171-tunnel-vti|4> generating INFORMATIONAL request 0 [ N(ADD_4_ADDR) ]
Apr 16 05:50:13 14[NET] <peer-192.168.6.171-tunnel-vti|4> sending packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:13 07[NET] <peer-192.168.6.171-tunnel-vti|3> received packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:13 07[ENC] <peer-192.168.6.171-tunnel-vti|3> parsed INFORMATIONAL response 1 [ ]
Apr 16 05:50:13 11[NET] <peer-192.168.6.171-tunnel-vti|4> received packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:13 11[ENC] <peer-192.168.6.171-tunnel-vti|4> parsed INFORMATIONAL response 0 [ ]
Apr 16 05:50:14 12[NET] <peer-192.168.6.171-tunnel-vti|3> received packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:14 12[ENC] <peer-192.168.6.171-tunnel-vti|3> parsed INFORMATIONAL request 4 [ N(ADD_4_ADDR) ]
Apr 16 05:50:14 12[ENC] <peer-192.168.6.171-tunnel-vti|3> generating INFORMATIONAL response 4 [ ]
Apr 16 05:50:14 12[NET] <peer-192.168.6.171-tunnel-vti|3> sending packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:14 12[NET] <peer-192.168.6.171-tunnel-vti|4> received packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:14 12[ENC] <peer-192.168.6.171-tunnel-vti|4> parsed INFORMATIONAL request 2 [ N(ADD_4_ADDR) ]
Apr 16 05:50:14 12[ENC] <peer-192.168.6.171-tunnel-vti|4> generating INFORMATIONAL response 2 [ ]
Apr 16 05:50:14 12[NET] <peer-192.168.6.171-tunnel-vti|4> sending packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:23 10[IKE] <peer-192.168.6.171-tunnel-vti|3> deleting IKE_SA peer-192.168.6.171-tunnel-vti[3] between 192.168.6.173[100.64.0.2]...192.168.6.171[100.64.0.1]
Apr 16 05:50:23 10[IKE] <peer-192.168.6.171-tunnel-vti|3> sending DELETE for IKE_SA peer-192.168.6.171-tunnel-vti[3]
Apr 16 05:50:23 10[ENC] <peer-192.168.6.171-tunnel-vti|3> generating INFORMATIONAL request 2 [ D ]
Apr 16 05:50:23 10[NET] <peer-192.168.6.171-tunnel-vti|3> sending packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:23 13[NET] <5> received packet: from 192.168.6.171[500] to 192.168.6.173[500] (320 bytes)
Apr 16 05:50:23 13[NET] <5> received packet: from 192.168.6.171[500] to 192.168.6.173[500] (320 bytes)
Apr 16 05:50:23 13[ENC] <5> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Apr 16 05:50:23 13[IKE] <5> 192.168.6.171 is initiating an IKE_SA
Apr 16 05:50:23 13[ENC] <5> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Apr 16 05:50:23 13[NET] <5> sending packet: from 192.168.6.173[500] to 192.168.6.171[500] (328 bytes)
Apr 16 05:50:23 15[NET] <peer-192.168.6.171-tunnel-vti|3> received packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:23 15[ENC] <peer-192.168.6.171-tunnel-vti|3> parsed INFORMATIONAL response 2 [ ]
Apr 16 05:50:23 15[IKE] <peer-192.168.6.171-tunnel-vti|3> IKE_SA deleted
Apr 16 05:50:23 08[NET] <5> received packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (252 bytes)
Apr 16 05:50:23 13[KNL] interface vti0 deactivated
Apr 16 05:50:23 08[ENC] <5> parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Apr 16 05:50:23 08[CFG] <5> looking for peer configs matching 192.168.6.173[100.64.0.2]...192.168.6.171[100.64.0.1]
Apr 16 05:50:23 08[CFG] <peer-192.168.6.171-tunnel-vti|5> selected peer config 'peer-192.168.6.171-tunnel-vti'
Apr 16 05:50:23 08[IKE] <peer-192.168.6.171-tunnel-vti|5> authentication of '100.64.0.1' with pre-shared key successful
Apr 16 05:50:23 08[IKE] <peer-192.168.6.171-tunnel-vti|5> peer supports MOBIKE
Apr 16 05:50:23 08[IKE] <peer-192.168.6.171-tunnel-vti|5> authentication of '100.64.0.2' (myself) with pre-shared key
Apr 16 05:50:23 08[IKE] <peer-192.168.6.171-tunnel-vti|5> IKE_SA peer-192.168.6.171-tunnel-vti[5] established between 192.168.6.173[100.64.0.2]...192.168.6.171[100.64.0.1]
Apr 16 05:50:23 08[IKE] <peer-192.168.6.171-tunnel-vti|5> scheduling rekeying in 85822s
Apr 16 05:50:23 08[IKE] <peer-192.168.6.171-tunnel-vti|5> maximum IKE_SA lifetime 86362s
Apr 16 05:50:23 08[IKE] <peer-192.168.6.171-tunnel-vti|5> CHILD_SA peer-192.168.6.171-tunnel-vti{5} established with SPIs c3497926_i c347a370_o and TS 0.0.0.0/0 === 0.0.0.0/0
Apr 16 05:50:24 15[NET] <peer-192.168.6.171-tunnel-vti|4> received packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:24 11[KNL] interface vti0 activated
Apr 16 05:50:24 15[ENC] <peer-192.168.6.171-tunnel-vti|4> parsed INFORMATIONAL request 3 [ N(NO_ADD_ADDR) ]
Apr 16 05:50:24 08[ENC] <peer-192.168.6.171-tunnel-vti|5> generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Apr 16 05:50:24 15[ENC] <peer-192.168.6.171-tunnel-vti|4> generating INFORMATIONAL response 3 [ ]
Apr 16 05:50:24 15[NET] <peer-192.168.6.171-tunnel-vti|4> sending packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:24 08[NET] <peer-192.168.6.171-tunnel-vti|5> sending packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (220 bytes)
Apr 16 05:50:24 11[IKE] <peer-192.168.6.171-tunnel-vti|4> sending address list update using MOBIKE
Apr 16 05:50:24 11[ENC] <peer-192.168.6.171-tunnel-vti|4> generating INFORMATIONAL request 1 [ N(ADD_4_ADDR) ]
Apr 16 05:50:24 11[NET] <peer-192.168.6.171-tunnel-vti|4> sending packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:24 11[IKE] <peer-192.168.6.171-tunnel-vti|5> sending address list update using MOBIKE
Apr 16 05:50:24 11[ENC] <peer-192.168.6.171-tunnel-vti|5> generating INFORMATIONAL request 0 [ N(ADD_4_ADDR) ]
Apr 16 05:50:24 11[NET] <peer-192.168.6.171-tunnel-vti|5> sending packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:24 13[NET] <peer-192.168.6.171-tunnel-vti|5> received packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:24 13[ENC] <peer-192.168.6.171-tunnel-vti|5> parsed INFORMATIONAL response 0 [ ]
Apr 16 05:50:24 08[NET] <peer-192.168.6.171-tunnel-vti|4> received packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:24 08[ENC] <peer-192.168.6.171-tunnel-vti|4> parsed INFORMATIONAL response 1 [ ]
Apr 16 05:50:24 06[NET] <peer-192.168.6.171-tunnel-vti|4> received packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:24 06[ENC] <peer-192.168.6.171-tunnel-vti|4> parsed INFORMATIONAL request 4 [ N(ADD_4_ADDR) ]
Apr 16 05:50:24 06[ENC] <peer-192.168.6.171-tunnel-vti|4> generating INFORMATIONAL response 4 [ ]
Apr 16 05:50:24 06[NET] <peer-192.168.6.171-tunnel-vti|4> sending packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)
Apr 16 05:50:24 06[NET] <peer-192.168.6.171-tunnel-vti|5> received packet: from 192.168.6.171[4500] to 192.168.6.173[4500] (76 bytes)
Apr 16 05:50:24 06[ENC] <peer-192.168.6.171-tunnel-vti|5> parsed INFORMATIONAL request 2 [ N(ADD_4_ADDR) ]
Apr 16 05:50:24 06[ENC] <peer-192.168.6.171-tunnel-vti|5> generating INFORMATIONAL response 2 [ ]
Apr 16 05:50:24 06[NET] <peer-192.168.6.171-tunnel-vti|5> sending packet: from 192.168.6.173[4500] to 192.168.6.171[4500] (76 bytes)

Any clues what I am doing wrong? What is the correct procedure to update ipsec params on VyOS?
Help appreciated.

Thanks and Regards,
Pritam Kharat
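As an added example (not code from the post, VyOS or strongSwan): a small detector that reads charon log lines like those above and flags the churn visible in them, i.e. repeated peer-initiated DELETEs that each trigger "restarting CHILD_SA" and a fresh IKE_SA, while counting how many IKE_SAs for the same peer config are active at once. The sample log is a constructed excerpt of the VPN-Node1 lines; the regexes, the 60 s window and the restart threshold are assumptions of mine.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample input: an abridged excerpt modelled on the VPN-Node1 charon
# lines quoted in the post (only the [IKE] lines the detector needs are kept).
SAMPLE_LOG = """\
Apr 16 05:50:13 12[IKE] <peer-192.168.6.173-tunnel-vti|2> received DELETE for IKE_SA peer-192.168.6.173-tunnel-vti[2]
Apr 16 05:50:13 12[IKE] <peer-192.168.6.173-tunnel-vti|2> restarting CHILD_SA peer-192.168.6.173-tunnel-vti
Apr 16 05:50:13 12[IKE] <peer-192.168.6.173-tunnel-vti|2> initiating IKE_SA peer-192.168.6.173-tunnel-vti[5] to 192.168.6.173
Apr 16 05:50:13 12[IKE] <peer-192.168.6.173-tunnel-vti|2> IKE_SA deleted
Apr 16 05:50:13 09[IKE] <peer-192.168.6.173-tunnel-vti|5> IKE_SA peer-192.168.6.173-tunnel-vti[5] established between 192.168.6.171[100.64.0.1]...192.168.6.173[100.64.0.2]
Apr 16 05:50:14 09[IKE] <peer-192.168.6.173-tunnel-vti|4> sending address list update using MOBIKE
Apr 16 05:50:23 13[IKE] <peer-192.168.6.173-tunnel-vti|4> received DELETE for IKE_SA peer-192.168.6.173-tunnel-vti[4]
Apr 16 05:50:23 13[IKE] <peer-192.168.6.173-tunnel-vti|4> restarting CHILD_SA peer-192.168.6.173-tunnel-vti
Apr 16 05:50:23 13[IKE] <peer-192.168.6.173-tunnel-vti|4> initiating IKE_SA peer-192.168.6.173-tunnel-vti[6] to 192.168.6.173
Apr 16 05:50:23 13[IKE] <peer-192.168.6.173-tunnel-vti|4> IKE_SA deleted
Apr 16 05:50:24 14[IKE] <peer-192.168.6.173-tunnel-vti|6> IKE_SA peer-192.168.6.173-tunnel-vti[6] established between 192.168.6.171[100.64.0.1]...192.168.6.173[100.64.0.2]
"""

# charon line: "<month> <day> <time> <thread>[<subsystem>] <conn|sa_id> message"
# Lines logged before a peer config is selected carry only "<sa_id>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \d+\[(?P<sub>\w+)\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$"
)
INITIATING_RE = re.compile(r"^initiating IKE_SA (?P<conn>\S+)\[(?P<new>\d+)\] to ")
DELETE_RE = re.compile(r"^(?P<dir>received|sending) DELETE for IKE_SA \S+\[(?P<id>\d+)\]")


@dataclass
class Report:
    restarts: list = field(default_factory=list)   # (timestamp, old_sa_id, new_sa_id)
    deletes_received: int = 0
    deletes_sent: int = 0
    max_concurrent: int = 0                        # most IKE_SA ids seen alive at once
    alive: set = field(default_factory=set)


def parse_ts(ts: str) -> datetime:
    # The syslog prefix carries no year; the default year is fine for differences.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def analyze(log_text: str) -> dict:
    """Build one Report per peer config name from raw charon log text."""
    reports = defaultdict(Report)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["conn"] is None:          # [KNL] lines and "<4>" lines carry no conn
            continue
        conn, sa, msg = m["conn"], m["sa"], m["msg"]
        rep = reports[conn]
        d = DELETE_RE.match(msg)
        if d:
            if d["dir"] == "received":
                rep.deletes_received += 1
            else:
                rep.deletes_sent += 1
        i = INITIATING_RE.match(msg)
        # A restart initiates a new IKE_SA id from the context of the old one;
        # a fresh "up" logs the new id in its own context, so ids are equal there.
        if i and i["new"] != sa:
            rep.restarts.append((m["ts"], sa, i["new"]))
        if msg == "IKE_SA deleted":
            rep.alive.discard(sa)
        else:
            # Any activity logged under an IKE_SA id means that SA still exists.
            rep.alive.add(sa)
            rep.max_concurrent = max(rep.max_concurrent, len(rep.alive))
    return dict(reports)


def is_flapping(rep: Report, window_s: int = 60, min_restarts: int = 2) -> bool:
    """True when at least min_restarts delete-triggered restarts fall inside window_s."""
    times = sorted(parse_ts(t) for t, _, _ in rep.restarts)
    for k in range(len(times) - min_restarts + 1):
        if (times[k + min_restarts - 1] - times[k]).total_seconds() <= window_s:
            return True
    return False


if __name__ == "__main__":
    for conn, rep in analyze(SAMPLE_LOG).items():
        chain = [(old, new) for _, old, new in rep.restarts]
        print(f"{conn}: restarts={chain} deletes_received={rep.deletes_received} "
              f"max_concurrent_ikesa={rep.max_concurrent} flapping={is_flapping(rep)}")
```

Run it against a full `journalctl -u strongswan` or charon log capture; more than one concurrently alive IKE_SA for the same peer config, combined with a restart chain, is the pattern to look for before touching the DPD and lifetime settings.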


#2

I had posted the issue on the strongSwan forum also. It is more related to strongSwan internal configuration.
https://wiki.strongswan.org/issues/2636