VPN connectivity gap during Phase2 Rekeying
I have become aware of a 30s VPN connectivity gap during Phase2
rekeying between vpnc 0.5.3r512 and a Cisco ASA5515X with 9.1(4).

Here is what happens in detail:

Tunnel will be established:

Feb 13 2014 17:34:40 : %ASA-6-713228: Group = INSTALL, Username = install, IP = 10.5.0.42, Assigned private IP address 10.65.250.1 to remote user
Feb 13 2014 17:34:40 : %ASA-5-713119: Group = INSTALL, Username = install, IP = 10.5.0.42, PHASE 1 COMPLETED
Feb 13 2014 17:34:40 : %ASA-5-713075: Group = INSTALL, Username = install, IP = 10.5.0.42, Overriding Initiator's IPSec rekeying duration from 2147483 to 120 seconds
Feb 13 2014 17:34:40 : %ASA-5-713076: Group = INSTALL, Username = install, IP = 10.5.0.42, Overriding Initiator's IPSec rekeying duration from 0 to 1024 Kbs
Feb 13 2014 17:34:40 : %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x126F81EA) between 10.65.224.3 and 10.5.0.42 (user= install) has been created.
Feb 13 2014 17:34:40 : %ASA-5-713049: Group = INSTALL, Username = install, IP = 10.5.0.42, Security negotiation complete for User (install) Responder, Inbound SPI = 0xd2bc3605, Outbound SPI = 0x126f81ea
Feb 13 2014 17:34:40 : %ASA-6-602303: IPSEC: An inbound remote access SA (SPI= 0xD2BC3605) between 10.65.224.3 and 10.5.0.42 (user= install) has been created.
Feb 13 2014 17:34:40 : %ASA-5-713120: Group = INSTALL, Username = install, IP = 10.5.0.42, PHASE 2 COMPLETED (msgid=254e55e0)

Everything is OK for vpnc too:

S7.9 main loop (receive and transmit ipsec packets)
[2014-02-13 17:34:20]
remote -> local spi: 0x126f81ea
local -> remote spi: 0xd2bc3605

VPN connection works like a charm. Then the first Phase2 rekeying
comes. The ASA generates two new SPIs but still uses the two old ones:

Feb 13 2014 17:36:34 : %ASA-5-713041: Group = INSTALL, Username = install, IP = 10.5.0.42, IKE Initiator: Rekeying Phase 2, Intf tvpnout, IKE Peer 10.5.0.42 local Proxy Address 0.0.0.0, remote Proxy Address 10.65.250.1, Crypto map (SYSTEM_DEFAULT_CRYPTO_MAP)
Feb 13 2014 17:36:34 : %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x607C17E7) between 10.65.224.3 and 10.5.0.42 (user= install) has been created.
Feb 13 2014 17:36:34 : %ASA-5-713049: Group = INSTALL, Username = install, IP = 10.5.0.42, Security negotiation complete for User (install) Responder, Inbound SPI = 0x91103994, Outbound SPI = 0x607c17e7
Feb 13 2014 17:36:34 : %ASA-6-602303: IPSEC: An inbound remote access SA (SPI= 0x91103994) between 10.65.224.3 and 10.5.0.42 (user= install) has been created.
Feb 13 2014 17:36:34 : %ASA-5-713120: Group = INSTALL, Username = install, IP = 10.5.0.42, PHASE 2 COMPLETED (msgid=63ad3117)

The vpnc is not aware of this behavior and complains loudly for
every incoming packet:

unknown spi 0x126f81ea from peer

At this time the VPN connection is broken. After 30s the ASA clears
the two old SPIs:

Feb 13 2014 17:37:04 : %ASA-6-602304: IPSEC: An outbound remote access SA (SPI= 0x126F81EA) between 10.65.224.3 and 10.5.0.42 (user= install) has been deleted.
Feb 13 2014 17:37:04 : %ASA-6-602304: IPSEC: An inbound remote access SA (SPI= 0xD2BC3605) between 10.5.0.42 and 10.65.224.3 (user= install) has been deleted.

The vpnc notices this. Because it has already cleared the old SPI, it
does nothing:

got isakmp delete with bogus spi (expected -1808199535, received 210), ignoring...

The ASA now sends ESP with the new SPI and everything works well again
until the next Phase2 rekeying.

_______________________________________________
vpnc-devel mailing list
vpnc-devel@unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/
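As an added illustration (not part of the post above and not vpnc's or Cisco's code), a small Python model of the receiver-side inbound SA table replays the timeline from the post under two policies: dropping the old inbound SPI as soon as the rekey completes, which is what the post describes vpnc doing, versus keeping the old SA installed until the peer's ISAKMP DELETE for it arrives, which is the SA overlap that avoids the 30 s gap. The SPIs and log timestamps are taken from the post; the ESP packet times in between are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class InboundSaTable:
    """Receiver-side ESP SA table keyed by SPI. keep_old_until_delete=False drops the
    old SPI at rekey (vpnc's behaviour in the post); True keeps it until DELETE."""
    keep_old_until_delete: bool
    spis: set = field(default_factory=set)
    rejected: list = field(default_factory=list)         # (time, spi) of dropped ESP
    ignored_deletes: list = field(default_factory=list)  # DELETEs for unknown SPIs
    def install(self, spi):
        self.spis.add(spi)
    def rekey(self, old_spi, new_spi):
        self.spis.add(new_spi)
        if not self.keep_old_until_delete:
            self.spis.discard(old_spi)
    def delete(self, spi):
        # A DELETE for an SPI we no longer hold is the "bogus spi ... ignoring" case.
        if spi not in self.spis:
            self.ignored_deletes.append(spi)
        self.spis.discard(spi)
    def receive(self, spi, when):
        if spi not in self.spis:  # where vpnc logs "unknown spi ... from peer"
            self.rejected.append((when, spi))
        return spi in self.spis

# Timeline constructed from the timestamps and SPIs quoted in the post; the ESP
# packet times between the log entries are made up.
TIMELINE = [
    ("install", "17:34:40", 0x126f81ea),
    ("esp",     "17:35:00", 0x126f81ea),
    ("rekey",   "17:36:34", (0x126f81ea, 0x607c17e7)),
    ("esp",     "17:36:40", 0x126f81ea),  # ASA still sends on the old SPI
    ("esp",     "17:36:55", 0x126f81ea),
    ("delete",  "17:37:04", 0x126f81ea),  # ASA clears the old SA after 30 s
    ("esp",     "17:37:05", 0x607c17e7),  # traffic now on the new SPI only
]

def replay(keep_old_until_delete):
    table = InboundSaTable(keep_old_until_delete)
    for kind, when, arg in TIMELINE:
        if kind == "install":
            table.install(arg)
        elif kind == "rekey":
            table.rekey(*arg)
        elif kind == "delete":
            table.delete(arg)
        else:
            table.receive(arg, when)
    return table
```

With the drop-at-rekey policy every packet the ASA still sends on the old SPI is rejected and the later DELETE hits an SPI the receiver no longer knows; with the keep-until-delete policy nothing is rejected and the table ends up holding only the new SPI.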