First case: IPsec SA/ESP lifetime set to 300s (low value, for testing purposes)
```
ipsec {
    esp-group test {
        lifetime 300
        mode tunnel
        pfs dh-group14
        proposal 1 {
            encryption aes256
            hash sha256
        }
    }
    ike-group test {
        close-action restart
        dead-peer-detection {
            action restart
            interval 2
            timeout 6
        }
        key-exchange ikev2
        lifetime 86400
        mode main
        proposal 1 {
            dh-group 14
            encryption aes256
            hash sha256
        }
    }
    interface bond0.105
    site-to-site {
        peer 192.168.100.1 {
            authentication {
                id 192.168.200.1
                mode pre-shared-secret
                pre-shared-secret ipsec-test-key
                remote-id 172.17.0.155
            }
            ike-group test
            ikev2-reauth yes
            local-address 192.168.200.1
            tunnel 1 {
                esp-group test
                local {
                    prefix 10.16.211.48/28
                }
                remote {
                    prefix 10.10.10.0/24
                }
            }
            vti {
                bind vti1
            }
        }
    }
}
```
Below we can see that the CHILD_SA rekey_time stays at its 1h default (3600s) [1], which is longer than the configured life_time of 300s: VyOS writes the esp-group lifetime into the child's life_time (the hard limit) and leaves rekey_time (the soft limit) unset.
```
vagrant@test-vyos# sudo swanctl --list-conns
peer_192-168-100-1: IKEv2, no reauthentication, rekeying every 86400s, dpd delay 2s
  local:  192.168.200.1
  remote: 192.168.100.1
  local pre-shared key authentication:
    id: 192.168.200.1
  remote pre-shared key authentication:
    id: 172.17.0.155
  peer_192-168-100-1_tunnel_1: TUNNEL, rekeying every 3600s, dpd action is restart
    local:  10.16.211.48/28
    remote: 10.10.10.0/24
vagrant@test-vyos# sudo cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###
connections {
    peer_192-168-100-1 {
        proposals = aes256-sha256-modp2048
        version = 2
        local_addrs = 192.168.200.1 # dhcp:no
        remote_addrs = 192.168.100.1
        dpd_timeout = 6
        dpd_delay = 2
        rekey_time = 86400s
        mobike = yes
        keyingtries = 0
        local {
            id = "192.168.200.1"
            auth = psk
        }
        remote {
            id = "172.17.0.155"
            auth = psk
        }
        children {
            peer_192-168-100-1_tunnel_1 {
                esp_proposals = aes256-sha256-modp2048
                life_time = 300s
                local_ts = 10.16.211.48/28
                remote_ts = 10.10.10.0/24
                ipcomp = no
                mode = tunnel
                start_action = start
                dpd_action = restart
                close_action = start
                updown = "/etc/ipsec.d/vti-up-down vti1"
                if_id_in = 2
                if_id_out = 2
            }
        }
    }
}
pools {
}
secrets {
    ike_192-168-100-1 {
        id-local = 192.168.200.1 # dhcp:no
        id-remote = 192.168.100.1
        id-localid = 192.168.200.1
        id-remoteid = 172.17.0.155
        secret = "ipsec-test-key"
    }
}
```
Below are logs showing the SAs being closed before new ones are negotiated, because the life_time parameter is shorter than the default rekey_time: the hard expiry fires first, charon deletes the CHILD_SA ("closing expired CHILD_SA", "scheduling CHILD_SA recreate after hard expire") and only then negotiates a replacement, so every five minutes the tunnel has a moment with no SA installed at all.
```
Feb 20 12:20:37 test-vyos charon[56803]: 14[KNL] creating delete job for CHILD_SA ESP/0xcf0a98a6/192.168.200.1
Feb 20 12:20:37 test-vyos charon[56803]: 14[IKE] <peer_192-168-100-1|1> closing expired CHILD_SA peer_192-168-100-1_tunnel_1{3} with SPIs cf0a98a6_i 95e831e7_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:20:37 test-vyos charon[56803]: 14[IKE] <peer_192-168-100-1|1> sending DELETE for ESP CHILD_SA with SPI cf0a98a6
Feb 20 12:20:37 test-vyos charon[56803]: 14[IKE] <peer_192-168-100-1|1> scheduling CHILD_SA recreate after hard expire
Feb 20 12:20:37 test-vyos charon[56803]: 12[KNL] creating delete job for CHILD_SA ESP/0x95e831e7/192.168.100.1
Feb 20 12:20:37 test-vyos charon[56803]: 10[IKE] <peer_192-168-100-1|1> received DELETE for ESP CHILD_SA with SPI 95e831e7
Feb 20 12:20:37 test-vyos charon[56803]: 10[IKE] <peer_192-168-100-1|1> CHILD_SA closed
Feb 20 12:20:38 test-vyos charon[56803]: 09[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{4}
Feb 20 12:20:38 test-vyos charon[56803]: 09[ENC] <peer_192-168-100-1|1> generating CREATE_CHILD_SA request 433 [ SA No KE TSi TSr ]
Feb 20 12:20:38 test-vyos charon[56803]: 13[ENC] <peer_192-168-100-1|1> parsed CREATE_CHILD_SA response 433 [ SA No KE TSi TSr ]
Feb 20 12:20:38 test-vyos charon[56803]: 13[IKE] <peer_192-168-100-1|1> CHILD_SA peer_192-168-100-1_tunnel_1{4} established with SPIs c77aab30_i 0e863e37_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:25:38 test-vyos charon[56803]: 11[KNL] creating delete job for CHILD_SA ESP/0xc77aab30/192.168.200.1
Feb 20 12:25:38 test-vyos charon[56803]: 11[IKE] <peer_192-168-100-1|1> closing expired CHILD_SA peer_192-168-100-1_tunnel_1{4} with SPIs c77aab30_i 0e863e37_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:25:38 test-vyos charon[56803]: 11[IKE] <peer_192-168-100-1|1> sending DELETE for ESP CHILD_SA with SPI c77aab30
Feb 20 12:25:38 test-vyos charon[56803]: 11[IKE] <peer_192-168-100-1|1> scheduling CHILD_SA recreate after hard expire
Feb 20 12:25:38 test-vyos charon[56803]: 16[KNL] creating delete job for CHILD_SA ESP/0x0e863e37/192.168.100.1
Feb 20 12:25:38 test-vyos charon[56803]: 09[IKE] <peer_192-168-100-1|1> received DELETE for ESP CHILD_SA with SPI 0e863e37
Feb 20 12:25:38 test-vyos charon[56803]: 09[IKE] <peer_192-168-100-1|1> CHILD_SA closed
Feb 20 12:25:38 test-vyos charon[56803]: 13[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{5}
Feb 20 12:25:38 test-vyos charon[56803]: 13[ENC] <peer_192-168-100-1|1> generating CREATE_CHILD_SA request 579 [ SA No KE TSi TSr ]
Feb 20 12:25:38 test-vyos charon[56803]: 07[ENC] <peer_192-168-100-1|1> parsed CREATE_CHILD_SA response 579 [ SA No KE TSi TSr ]
Feb 20 12:25:38 test-vyos charon[56803]: 07[IKE] <peer_192-168-100-1|1> CHILD_SA peer_192-168-100-1_tunnel_1{5} established with SPIs c334591c_i f0f1fc43_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:30:38 test-vyos charon[56803]: 06[KNL] creating delete job for CHILD_SA ESP/0xc334591c/192.168.200.1
Feb 20 12:30:38 test-vyos charon[56803]: 06[IKE] <peer_192-168-100-1|1> closing expired CHILD_SA peer_192-168-100-1_tunnel_1{5} with SPIs c334591c_i f0f1fc43_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:30:38 test-vyos charon[56803]: 06[IKE] <peer_192-168-100-1|1> sending DELETE for ESP CHILD_SA with SPI c334591c
Feb 20 12:30:38 test-vyos charon[56803]: 06[IKE] <peer_192-168-100-1|1> scheduling CHILD_SA recreate after hard expire
Feb 20 12:30:38 test-vyos charon[56803]: 14[KNL] creating delete job for CHILD_SA ESP/0xf0f1fc43/192.168.100.1
Feb 20 12:30:38 test-vyos charon[56803]: 05[IKE] <peer_192-168-100-1|1> received DELETE for ESP CHILD_SA with SPI f0f1fc43
Feb 20 12:30:38 test-vyos charon[56803]: 05[IKE] <peer_192-168-100-1|1> CHILD_SA closed
Feb 20 12:30:39 test-vyos charon[56803]: 08[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{6}
Feb 20 12:30:39 test-vyos charon[56803]: 08[ENC] <peer_192-168-100-1|1> generating CREATE_CHILD_SA request 724 [ SA No KE TSi TSr ]
Feb 20 12:30:39 test-vyos charon[56803]: 09[ENC] <peer_192-168-100-1|1> parsed CREATE_CHILD_SA response 724 [ SA No KE TSi TSr ]
Feb 20 12:30:39 test-vyos charon[56803]: 09[IKE] <peer_192-168-100-1|1> CHILD_SA peer_192-168-100-1_tunnel_1{6} established with SPIs cee82609_i 8ae8508e_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:35:39 test-vyos charon[56803]: 09[KNL] creating delete job for CHILD_SA ESP/0xcee82609/192.168.200.1
Feb 20 12:35:39 test-vyos charon[56803]: 09[IKE] <peer_192-168-100-1|1> closing expired CHILD_SA peer_192-168-100-1_tunnel_1{6} with SPIs cee82609_i 8ae8508e_o and TS 10.16.211.48/28 === 10.10.10.0/24
```
Second case: IPsec SA/ESP lifetime set to 28800s (large value)
```
vagrant@test-vyos# sudo swanctl --list-conns
peer_192-168-100-1: IKEv2, no reauthentication, rekeying every 86400s, dpd delay 2s
  local:  192.168.200.1
  remote: 192.168.100.1
  local pre-shared key authentication:
    id: 192.168.200.1
  remote pre-shared key authentication:
    id: 172.17.0.155
  peer_192-168-100-1_tunnel_1: TUNNEL, rekeying every 3600s, dpd action is restart
    local:  10.16.211.48/28
    remote: 10.10.10.0/24
vagrant@test-vyos# sudo cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###
connections {
    peer_192-168-100-1 {
        proposals = aes256-sha256-modp2048
        version = 2
        local_addrs = 192.168.200.1 # dhcp:no
        remote_addrs = 192.168.100.1
        dpd_timeout = 6
        dpd_delay = 2
        rekey_time = 86400s
        mobike = yes
        keyingtries = 0
        local {
            id = "192.168.200.1"
            auth = psk
        }
        remote {
            id = "172.17.0.155"
            auth = psk
        }
        children {
            peer_192-168-100-1_tunnel_1 {
                esp_proposals = aes256-sha256-modp2048
                life_time = 28800s
                local_ts = 10.16.211.48/28
                remote_ts = 10.10.10.0/24
                ipcomp = no
                mode = tunnel
                start_action = start
                dpd_action = restart
                close_action = start
                updown = "/etc/ipsec.d/vti-up-down vti1"
                if_id_in = 2
                if_id_out = 2
            }
        }
    }
}
pools {
}
secrets {
    ike_192-168-100-1 {
        id-local = 192.168.200.1 # dhcp:no
        id-remote = 192.168.100.1
        id-localid = 192.168.200.1
        id-remoteid = 172.17.0.155
        secret = "ipsec-test-key"
    }
}
```
Below are logs showing the IPsec SAs being rekeyed every second. With life_time = 28800s and rekey_time still at its 3600s default, rand_time defaults to the difference between the two (25200s) [1]; the randomised soft expiry (rekey_time minus a random value of up to rand_time) therefore routinely lands at or below zero, so each new CHILD_SA is due for rekeying as soon as it is installed.
```
Feb 20 13:22:57 test-vyos charon[62904]: 15[KNL] creating rekey job for CHILD_SA ESP/0xc18f05db/192.168.200.1
Feb 20 13:22:57 test-vyos charon[62904]: 15[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{11} reqid 1
Feb 20 13:22:57 test-vyos charon[62904]: 16[KNL] creating rekey job for CHILD_SA ESP/0x84fa691e/192.168.100.1
Feb 20 13:22:57 test-vyos charon[62904]: 15[ENC] <peer_192-168-100-1|1> generating CREATE_CHILD_SA request 20 [ N(REKEY_SA) SA No KE TSi TSr ]
Feb 20 13:22:57 test-vyos charon[62904]: 08[ENC] <peer_192-168-100-1|1> parsed CREATE_CHILD_SA response 20 [ SA No KE TSi TSr ]
Feb 20 13:22:57 test-vyos charon[62904]: 08[IKE] <peer_192-168-100-1|1> inbound CHILD_SA peer_192-168-100-1_tunnel_1{11} established with SPIs ca2f48cc_i 59b5f175_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:22:57 test-vyos charon[62904]: 08[IKE] <peer_192-168-100-1|1> outbound CHILD_SA peer_192-168-100-1_tunnel_1{11} established with SPIs ca2f48cc_i 59b5f175_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:22:57 test-vyos charon[62904]: 08[IKE] <peer_192-168-100-1|1> closing CHILD_SA peer_192-168-100-1_tunnel_1{10} with SPIs c18f05db_i (0 bytes) 84fa691e_o (0 bytes) and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:22:57 test-vyos charon[62904]: 08[IKE] <peer_192-168-100-1|1> sending DELETE for ESP CHILD_SA with SPI c18f05db
Feb 20 13:22:57 test-vyos charon[62904]: 05[IKE] <peer_192-168-100-1|1> received DELETE for ESP CHILD_SA with SPI 84fa691e
Feb 20 13:22:57 test-vyos charon[62904]: 05[IKE] <peer_192-168-100-1|1> CHILD_SA closed
Feb 20 13:22:58 test-vyos charon[62904]: 06[KNL] creating rekey job for CHILD_SA ESP/0xca2f48cc/192.168.200.1
Feb 20 13:22:58 test-vyos charon[62904]: 06[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{12} reqid 1
Feb 20 13:22:58 test-vyos charon[62904]: 06[ENC] <peer_192-168-100-1|1> generating CREATE_CHILD_SA request 22 [ N(REKEY_SA) SA No KE TSi TSr ]
Feb 20 13:22:58 test-vyos charon[62904]: 09[ENC] <peer_192-168-100-1|1> parsed CREATE_CHILD_SA response 22 [ SA No KE TSi TSr ]
Feb 20 13:22:58 test-vyos charon[62904]: 09[IKE] <peer_192-168-100-1|1> inbound CHILD_SA peer_192-168-100-1_tunnel_1{12} established with SPIs c17a2b67_i 450197f3_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:22:58 test-vyos charon[62904]: 09[IKE] <peer_192-168-100-1|1> outbound CHILD_SA peer_192-168-100-1_tunnel_1{12} established with SPIs c17a2b67_i 450197f3_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:22:58 test-vyos charon[62904]: 09[IKE] <peer_192-168-100-1|1> closing CHILD_SA peer_192-168-100-1_tunnel_1{11} with SPIs ca2f48cc_i (0 bytes) 59b5f175_o (0 bytes) and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:22:58 test-vyos charon[62904]: 09[IKE] <peer_192-168-100-1|1> sending DELETE for ESP CHILD_SA with SPI ca2f48cc
Feb 20 13:22:58 test-vyos charon[62904]: 16[IKE] <peer_192-168-100-1|1> received DELETE for ESP CHILD_SA with SPI 59b5f175
Feb 20 13:22:58 test-vyos charon[62904]: 16[IKE] <peer_192-168-100-1|1> CHILD_SA closed
Feb 20 13:22:59 test-vyos charon[62904]: 07[KNL] creating rekey job for CHILD_SA ESP/0xc17a2b67/192.168.200.1
Feb 20 13:22:59 test-vyos charon[62904]: 07[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{13} reqid 1
Feb 20 13:22:59 test-vyos charon[62904]: 12[KNL] creating rekey job for CHILD_SA ESP/0x450197f3/192.168.100.1
Feb 20 13:22:59 test-vyos charon[62904]: 07[ENC] <peer_192-168-100-1|1> generating CREATE_CHILD_SA request 24 [ N(REKEY_SA) SA No KE TSi TSr ]
Feb 20 13:22:59 test-vyos charon[62904]: 14[ENC] <peer_192-168-100-1|1> parsed CREATE_CHILD_SA response 24 [ SA No KE TSi TSr ]
Feb 20 13:22:59 test-vyos charon[62904]: 14[IKE] <peer_192-168-100-1|1> inbound CHILD_SA peer_192-168-100-1_tunnel_1{13} established with SPIs cd49d169_i 1cbe3e1a_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:22:59 test-vyos charon[62904]: 14[IKE] <peer_192-168-100-1|1> outbound CHILD_SA peer_192-168-100-1_tunnel_1{13} established with SPIs cd49d169_i 1cbe3e1a_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:22:59 test-vyos charon[62904]: 14[IKE] <peer_192-168-100-1|1> closing CHILD_SA peer_192-168-100-1_tunnel_1{12} with SPIs c17a2b67_i (0 bytes) 450197f3_o (0 bytes) and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:22:59 test-vyos charon[62904]: 14[IKE] <peer_192-168-100-1|1> sending DELETE for ESP CHILD_SA with SPI c17a2b67
Feb 20 13:22:59 test-vyos charon[62904]: 06[IKE] <peer_192-168-100-1|1> received DELETE for ESP CHILD_SA with SPI 450197f3
Feb 20 13:22:59 test-vyos charon[62904]: 06[IKE] <peer_192-168-100-1|1> CHILD_SA closed
Feb 20 13:23:00 test-vyos charon[62904]: 05[KNL] creating rekey job for CHILD_SA ESP/0xcd49d169/192.168.200.1
Feb 20 13:23:00 test-vyos charon[62904]: 05[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{14} reqid 1
Feb 20 13:23:00 test-vyos charon[62904]: 11[KNL] creating rekey job for CHILD_SA ESP/0x1cbe3e1a/192.168.100.1
Feb 20 13:23:00 test-vyos charon[62904]: 05[ENC] <peer_192-168-100-1|1> generating CREATE_CHILD_SA request 26 [ N(REKEY_SA) SA No KE TSi TSr ]
Feb 20 13:23:00 test-vyos charon[62904]: 07[ENC] <peer_192-168-100-1|1> parsed CREATE_CHILD_SA response 26 [ SA No KE TSi TSr ]
Feb 20 13:23:00 test-vyos charon[62904]: 07[IKE] <peer_192-168-100-1|1> inbound CHILD_SA peer_192-168-100-1_tunnel_1{14} established with SPIs c451f052_i 0e70b633_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:23:00 test-vyos charon[62904]: 07[IKE] <peer_192-168-100-1|1> outbound CHILD_SA peer_192-168-100-1_tunnel_1{14} established with SPIs c451f052_i 0e70b633_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:23:00 test-vyos charon[62904]: 07[IKE] <peer_192-168-100-1|1> closing CHILD_SA peer_192-168-100-1_tunnel_1{13} with SPIs cd49d169_i (0 bytes) 1cbe3e1a_o (0 bytes) and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 13:23:00 test-vyos charon[62904]: 07[IKE] <peer_192-168-100-1|1> sending DELETE for ESP CHILD_SA with SPI cd49d169
Feb 20 13:23:00 test-vyos charon[62904]: 14[IKE] <peer_192-168-100-1|1> received DELETE for ESP CHILD_SA with SPI 1cbe3e1a
Feb 20 13:23:00 test-vyos charon[62904]: 14[IKE] <peer_192-168-100-1|1> CHILD_SA closed
```
Applying a fix to the charon peer.j2 template: the fix sets the IPsec SA rekey_time instead of the life_time parameter, as per the documentation [1]. This is also how the IKE timers are already generated (rekey_time = 86400s in the connection section above), so the hard life_time and the jitter rand_time fall back to their documented defaults relative to rekey_time.
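To make the four outcomes on this page predictable rather than something to discover in the logs, here is an added example (not VyOS or strongSwan code) that applies the CHILD_SA timer defaults documented in swanctl.conf(5) [1] to a child section and classifies the result. Clamping a negative default rand_time to zero is this model's own assumption; the rest follows the documentation.

```python
"""Added example, not VyOS or strongSwan code: model the CHILD_SA timer
defaults documented in swanctl.conf(5) [1] and classify what they lead to.

  rekey_time  soft expiry, defaults to 1h
  life_time   hard expiry, defaults to 110% of rekey_time
  rand_time   jitter subtracted from rekey_time, defaults to life_time - rekey_time

The actual soft expiry is drawn from [rekey_time - rand_time, rekey_time];
when the hard expiry comes first the SA is deleted instead of rekeyed.
"""
import re
from dataclasses import dataclass

DEFAULT_REKEY_TIME = 3600  # seconds; swanctl.conf(5) default for children

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_time(value: str) -> int:
    """Parse a swanctl time value such as '300s', '1h' or '28800' (bare seconds)."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


@dataclass(frozen=True)
class ChildTimers:
    rekey_time: int  # soft limit before jitter, seconds
    life_time: int   # hard limit, seconds
    rand_time: int   # jitter range subtracted from rekey_time, seconds

    @property
    def earliest_rekey(self) -> int:
        """Soft expiry when the full rand_time is subtracted."""
        return self.rekey_time - self.rand_time

    def outcome(self) -> str:
        if self.life_time <= self.earliest_rekey:
            # the hard limit always hits first: "closing expired CHILD_SA",
            # then "scheduling CHILD_SA recreate after hard expire"
            return "hard-expire-before-rekey"
        if self.earliest_rekey <= 0:
            # the jitter can swallow the whole rekey_time, so a freshly
            # installed SA may be rekeyed at once: the every-second rekey storm
            return "immediate-rekey-possible"
        return f"rekey in [{self.earliest_rekey}s, {self.rekey_time}s], hard limit {self.life_time}s"


def timers_from_child(child: dict) -> ChildTimers:
    """Apply the documented defaults to a swanctl 'children' section given as a dict."""
    rekey = parse_time(child["rekey_time"]) if "rekey_time" in child else DEFAULT_REKEY_TIME
    life = parse_time(child["life_time"]) if "life_time" in child else rekey * 110 // 100
    if "rand_time" in child:
        rand = parse_time(child["rand_time"])
    else:
        # documented default is life_time - rekey_time; clamping a negative
        # difference to 0 is a modelling assumption, not taken from the docs
        rand = max(life - rekey, 0)
    return ChildTimers(rekey, life, rand)


if __name__ == "__main__":
    # the four child sections generated on this page, reduced to their timer keys
    cases = {
        "before fix, lifetime 300":   {"life_time": "300s"},
        "before fix, lifetime 28800": {"life_time": "28800s"},
        "after fix, lifetime 300":    {"rekey_time": "300s"},
        "after fix, lifetime 28800":  {"rekey_time": "28800s"},
    }
    for name, child in cases.items():
        t = timers_from_child(child)
        print(f"{name:27} rekey={t.rekey_time:>6} life={t.life_time:>6} "
              f"rand={t.rand_time:>6} -> {t.outcome()}")
```

Run as a script it prints one line per case. The two pre-fix sections come out as "hard-expire-before-rekey" and "immediate-rekey-possible"; the two fixed sections come out as rekey windows of [270s, 300s] and [25920s, 28800s], which is where the rekeys observed later on this page (289s, 275s, 270s and 26906s after the previous SA) actually fall.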
First case: IPsec SA/ESP rekey-time set to 300s (low value, for testing purposes)
```
vagrant@test-vyos# sudo swanctl --list-conns
peer_192-168-100-1: IKEv2, no reauthentication, rekeying every 86400s, dpd delay 2s
  local:  192.168.200.1
  remote: 192.168.100.1
  local pre-shared key authentication:
    id: 192.168.200.1
  remote pre-shared key authentication:
    id: 172.17.0.155
  peer_192-168-100-1_tunnel_1: TUNNEL, rekeying every 300s, dpd action is restart
    local:  10.16.211.48/28
    remote: 10.10.10.0/24
vagrant@test-vyos# sudo cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###
connections {
    peer_192-168-100-1 {
        proposals = aes256-sha256-modp2048
        version = 2
        local_addrs = 192.168.200.1 # dhcp:no
        remote_addrs = 192.168.100.1
        dpd_timeout = 6
        dpd_delay = 2
        rekey_time = 86400s
        mobike = yes
        keyingtries = 0
        local {
            id = "192.168.200.1"
            auth = psk
        }
        remote {
            id = "172.17.0.155"
            auth = psk
        }
        children {
            peer_192-168-100-1_tunnel_1 {
                esp_proposals = aes256-sha256-modp2048
                rekey_time = 300s
                local_ts = 10.16.211.48/28
                remote_ts = 10.10.10.0/24
                ipcomp = no
                mode = tunnel
                start_action = start
                dpd_action = restart
                close_action = start
                updown = "/etc/ipsec.d/vti-up-down vti1"
                if_id_in = 2
                if_id_out = 2
            }
        }
    }
}
pools {
}
secrets {
    ike_192-168-100-1 {
        id-local = 192.168.200.1 # dhcp:no
        id-remote = 192.168.100.1
        id-localid = 192.168.200.1
        id-remoteid = 172.17.0.155
        secret = "ipsec-test-key"
    }
}
```
Below are logs showing the old IPsec SA being deleted only after the new one has been established: the CREATE_CHILD_SA request now carries N(REKEY_SA), and the old SA is closed once the replacement is up. The rekeys land 289s, 275s and 270s after the previous SA came up, inside the [270s, 300s] window that results from the default life_time of 110% of rekey_time and the default rand_time of life_time minus rekey_time [1].
```
Feb 20 12:39:21 test-vyos charon[59520]: 12[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{1}
Feb 20 12:39:21 test-vyos charon[59520]: 13[IKE] <peer_192-168-100-1|1> CHILD_SA peer_192-168-100-1_tunnel_1{1} established with SPIs cb3ed7a6_i a0fd057a_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:44:10 test-vyos charon[59520]: 10[KNL] creating rekey job for CHILD_SA ESP/0xcb3ed7a6/192.168.200.1
Feb 20 12:44:10 test-vyos charon[59520]: 10[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{2} reqid 1
Feb 20 12:44:10 test-vyos charon[59520]: 12[KNL] creating rekey job for CHILD_SA ESP/0xa0fd057a/192.168.100.1
Feb 20 12:44:10 test-vyos charon[59520]: 10[ENC] <peer_192-168-100-1|1> generating CREATE_CHILD_SA request 136 [ N(REKEY_SA) SA No KE TSi TSr ]
Feb 20 12:44:10 test-vyos charon[59520]: 14[ENC] <peer_192-168-100-1|1> parsed CREATE_CHILD_SA response 136 [ SA No KE TSi TSr ]
Feb 20 12:44:10 test-vyos charon[59520]: 14[IKE] <peer_192-168-100-1|1> inbound CHILD_SA peer_192-168-100-1_tunnel_1{2} established with SPIs c6968ce1_i d4170a38_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:44:10 test-vyos charon[59520]: 14[IKE] <peer_192-168-100-1|1> outbound CHILD_SA peer_192-168-100-1_tunnel_1{2} established with SPIs c6968ce1_i d4170a38_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:44:10 test-vyos charon[59520]: 14[IKE] <peer_192-168-100-1|1> closing CHILD_SA peer_192-168-100-1_tunnel_1{1} with SPIs cb3ed7a6_i (0 bytes) a0fd057a_o (0 bytes) and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:44:10 test-vyos charon[59520]: 14[IKE] <peer_192-168-100-1|1> sending DELETE for ESP CHILD_SA with SPI cb3ed7a6
Feb 20 12:44:10 test-vyos charon[59520]: 15[IKE] <peer_192-168-100-1|1> received DELETE for ESP CHILD_SA with SPI a0fd057a
Feb 20 12:44:10 test-vyos charon[59520]: 15[IKE] <peer_192-168-100-1|1> CHILD_SA closed
Feb 20 12:48:45 test-vyos charon[59520]: 07[KNL] creating rekey job for CHILD_SA ESP/0xd4170a38/192.168.100.1
Feb 20 12:48:45 test-vyos charon[59520]: 07[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{3} reqid 1
Feb 20 12:48:45 test-vyos charon[59520]: 07[ENC] <peer_192-168-100-1|1> generating CREATE_CHILD_SA request 275 [ N(REKEY_SA) SA No KE TSi TSr ]
Feb 20 12:48:45 test-vyos charon[59520]: 06[ENC] <peer_192-168-100-1|1> parsed CREATE_CHILD_SA response 275 [ SA No KE TSi TSr ]
Feb 20 12:48:45 test-vyos charon[59520]: 06[IKE] <peer_192-168-100-1|1> inbound CHILD_SA peer_192-168-100-1_tunnel_1{3} established with SPIs ca91a8ff_i 0fb4b426_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:48:45 test-vyos charon[59520]: 06[IKE] <peer_192-168-100-1|1> outbound CHILD_SA peer_192-168-100-1_tunnel_1{3} established with SPIs ca91a8ff_i 0fb4b426_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:48:45 test-vyos charon[59520]: 06[IKE] <peer_192-168-100-1|1> closing CHILD_SA peer_192-168-100-1_tunnel_1{2} with SPIs c6968ce1_i (0 bytes) d4170a38_o (0 bytes) and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 12:48:45 test-vyos charon[59520]: 06[IKE] <peer_192-168-100-1|1> sending DELETE for ESP CHILD_SA with SPI c6968ce1
Feb 20 12:48:45 test-vyos charon[59520]: 05[IKE] <peer_192-168-100-1|1> received DELETE for ESP CHILD_SA with SPI d4170a38
Feb 20 12:48:45 test-vyos charon[59520]: 05[IKE] <peer_192-168-100-1|1> CHILD_SA closed
Feb 20 12:53:15 test-vyos charon[59520]: 16[KNL] creating rekey job for CHILD_SA ESP/0x0fb4b426/192.168.100.1
Feb 20 12:53:15 test-vyos charon[59520]: 16[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{4} reqid 1
```
Second case: IPsec SA/ESP rekey-time set to 28800s (large value)
```
vagrant@test-vyos# sudo swanctl --list-conns
peer_192-168-100-1: IKEv2, no reauthentication, rekeying every 86400s, dpd delay 2s
  local:  192.168.200.1
  remote: 192.168.100.1
  local pre-shared key authentication:
    id: 192.168.200.1
  remote pre-shared key authentication:
    id: 172.17.0.155
  peer_192-168-100-1_tunnel_1: TUNNEL, rekeying every 28800s, dpd action is restart
    local:  10.16.211.48/28
    remote: 10.10.10.0/24
vagrant@test-vyos# sudo cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###
connections {
    peer_192-168-100-1 {
        proposals = aes256-sha256-modp2048
        version = 2
        local_addrs = 192.168.200.1 # dhcp:no
        remote_addrs = 192.168.100.1
        dpd_timeout = 6
        dpd_delay = 2
        rekey_time = 86400s
        mobike = yes
        keyingtries = 0
        local {
            id = "192.168.200.1"
            auth = psk
        }
        remote {
            id = "172.17.0.155"
            auth = psk
        }
        children {
            peer_192-168-100-1_tunnel_1 {
                esp_proposals = aes256-sha256-modp2048
                rekey_time = 28800s
                local_ts = 10.16.211.48/28
                remote_ts = 10.10.10.0/24
                ipcomp = no
                mode = tunnel
                start_action = start
                dpd_action = restart
                close_action = start
                updown = "/etc/ipsec.d/vti-up-down vti1"
                if_id_in = 2
                if_id_out = 2
            }
        }
    }
}
pools {
}
secrets {
    ike_192-168-100-1 {
        id-local = 192.168.200.1 # dhcp:no
        id-remote = 192.168.100.1
        id-localid = 192.168.200.1
        id-remoteid = 172.17.0.155
        secret = "ipsec-test-key"
    }
}
```
Below are logs showing the new IPsec SA being established according to the configured rekey_time (no longer every second): the first rekey happens at 20:52:27, about 7h28m (26906s) after the SA came up at 13:24:01, inside the [25920s, 28800s] window given by the default rand_time of 10% of rekey_time [1].
```
Feb 20 13:24:01 test-vyos charon[63067]: 12[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{1}
Feb 20 13:24:01 test-vyos charon[63067]: 13[IKE] <peer_192-168-100-1|1> CHILD_SA peer_192-168-100-1_tunnel_1{1} established with SPIs c0b657f9_i 794d1ed3_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 20:52:27 test-vyos charon[63067]: 09[KNL] creating rekey job for CHILD_SA ESP/0x794d1ed3/192.168.100.1
Feb 20 20:52:27 test-vyos charon[63067]: 14[IKE] <peer_192-168-100-1|1> establishing CHILD_SA peer_192-168-100-1_tunnel_1{2} reqid 1
Feb 20 20:52:27 test-vyos charon[63067]: 14[ENC] <peer_192-168-100-1|1> generating CREATE_CHILD_SA request 12993 [ N(REKEY_SA) SA No KE TSi TSr ]
Feb 20 20:52:27 test-vyos charon[63067]: 08[ENC] <peer_192-168-100-1|1> parsed CREATE_CHILD_SA response 12993 [ SA No KE TSi TSr ]
Feb 20 20:52:27 test-vyos charon[63067]: 08[IKE] <peer_192-168-100-1|1> inbound CHILD_SA peer_192-168-100-1_tunnel_1{2} established with SPIs cbeb7565_i 2fbca740_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 20:52:27 test-vyos charon[63067]: 08[IKE] <peer_192-168-100-1|1> outbound CHILD_SA peer_192-168-100-1_tunnel_1{2} established with SPIs cbeb7565_i 2fbca740_o and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 20:52:27 test-vyos charon[63067]: 08[IKE] <peer_192-168-100-1|1> closing CHILD_SA peer_192-168-100-1_tunnel_1{1} with SPIs c0b657f9_i (0 bytes) 794d1ed3_o (0 bytes) and TS 10.16.211.48/28 === 10.10.10.0/24
Feb 20 20:52:27 test-vyos charon[63067]: 08[IKE] <peer_192-168-100-1|1> sending DELETE for ESP CHILD_SA with SPI c0b657f9
Feb 20 20:52:27 test-vyos charon[63067]: 13[IKE] <peer_192-168-100-1|1> received DELETE for ESP CHILD_SA with SPI 794d1ed3
Feb 20 20:52:27 test-vyos charon[63067]: 13[IKE] <peer_192-168-100-1|1> CHILD_SA closed
```
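For triage on a router that still runs the old template, the following added example (not part of the original report) separates the three behaviours seen in the charon logs on this page: hard expiry before rekey, a rekey storm, and a healthy rekey where the old SA is closed only after its replacement is up. The sample lines are shortened copies of the excerpts above; the year prepended for timestamp arithmetic and the 10-second storm threshold are assumptions.

```python
"""Added example, not part of the original report: triage charon log lines for
the three CHILD_SA behaviours shown on this page.
  hard expiry    "closing expired CHILD_SA ..." (life_time shorter than rekey_time)
  rekey storm    new SA instances established only seconds apart
  healthy rekey  "closing CHILD_SA ..." after the replacement is established
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# "Feb 20 12:20:37 test-vyos charon[56803]: 14[IKE] <peer_192-168-100-1|1> message"
_LINE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ charon\[\d+\]: \d+\[[A-Z]+\] (?:<[^>]+> )?(.*)$")
_ESTABLISHED = re.compile(r"CHILD_SA (\S+)\{(\d+)\} established")
_HARD_EXPIRE = re.compile(r"closing expired CHILD_SA (\S+)\{(\d+)\}")
_REKEY_CLOSE = re.compile(r"closing CHILD_SA (\S+)\{(\d+)\}")


def parse_ts(stamp: str, year: int = 2023) -> datetime:
    """Syslog stamps carry no year; one is assumed so that intervals can be computed."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


@dataclass
class ChildStats:
    established: list = field(default_factory=list)  # one timestamp per SA instance
    hard_expires: int = 0   # SAs deleted because life_time ran out
    rekey_closes: int = 0   # old SAs closed after a successful rekey


def analyse(lines) -> dict:
    """Group events per CHILD_SA name: {name: ChildStats}."""
    stats: dict = {}
    seen: set = set()  # (name, instance); inbound/outbound lines report the same SA
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group(1)), m.group(2)
        if (e := _ESTABLISHED.search(msg)):
            key = (e.group(1), int(e.group(2)))
            if key not in seen:
                seen.add(key)
                stats.setdefault(key[0], ChildStats()).established.append(ts)
        elif (h := _HARD_EXPIRE.search(msg)):
            stats.setdefault(h.group(1), ChildStats()).hard_expires += 1
        elif (r := _REKEY_CLOSE.search(msg)):
            stats.setdefault(r.group(1), ChildStats()).rekey_closes += 1
    return stats


def min_gap(cs: ChildStats) -> Optional[float]:
    """Shortest interval in seconds between consecutive SA instances, if any."""
    gaps = [(b - a).total_seconds() for a, b in zip(cs.established, cs.established[1:])]
    return min(gaps) if gaps else None


def verdict(cs: ChildStats, storm_threshold_s: float = 10.0) -> str:
    if cs.hard_expires:
        return "hard-expire"   # SA torn down before a replacement exists
    gap = min_gap(cs)
    if gap is not None and gap < storm_threshold_s:
        return "rekey-storm"   # rekeys far faster than any sane rekey_time
    return "ok"


# constructed samples, shortened from the log excerpts on this page
HARD_EXPIRE_LOG = [
    "Feb 20 12:20:37 test-vyos charon[56803]: 14[IKE] <peer_192-168-100-1|1> closing expired CHILD_SA peer_192-168-100-1_tunnel_1{3} with SPIs cf0a98a6_i 95e831e7_o and TS 10.16.211.48/28 === 10.10.10.0/24",
    "Feb 20 12:20:37 test-vyos charon[56803]: 14[IKE] <peer_192-168-100-1|1> scheduling CHILD_SA recreate after hard expire",
    "Feb 20 12:20:38 test-vyos charon[56803]: 13[IKE] <peer_192-168-100-1|1> CHILD_SA peer_192-168-100-1_tunnel_1{4} established with SPIs c77aab30_i 0e863e37_o and TS 10.16.211.48/28 === 10.10.10.0/24",
    "Feb 20 12:25:38 test-vyos charon[56803]: 11[IKE] <peer_192-168-100-1|1> closing expired CHILD_SA peer_192-168-100-1_tunnel_1{4} with SPIs c77aab30_i 0e863e37_o and TS 10.16.211.48/28 === 10.10.10.0/24",
    "Feb 20 12:25:38 test-vyos charon[56803]: 07[IKE] <peer_192-168-100-1|1> CHILD_SA peer_192-168-100-1_tunnel_1{5} established with SPIs c334591c_i f0f1fc43_o and TS 10.16.211.48/28 === 10.10.10.0/24",
]
STORM_LOG = [
    "Feb 20 13:22:57 test-vyos charon[62904]: 08[IKE] <peer_192-168-100-1|1> inbound CHILD_SA peer_192-168-100-1_tunnel_1{11} established with SPIs ca2f48cc_i 59b5f175_o and TS 10.16.211.48/28 === 10.10.10.0/24",
    "Feb 20 13:22:57 test-vyos charon[62904]: 08[IKE] <peer_192-168-100-1|1> outbound CHILD_SA peer_192-168-100-1_tunnel_1{11} established with SPIs ca2f48cc_i 59b5f175_o and TS 10.16.211.48/28 === 10.10.10.0/24",
    "Feb 20 13:22:57 test-vyos charon[62904]: 08[IKE] <peer_192-168-100-1|1> closing CHILD_SA peer_192-168-100-1_tunnel_1{10} with SPIs c18f05db_i (0 bytes) 84fa691e_o (0 bytes) and TS 10.16.211.48/28 === 10.10.10.0/24",
    "Feb 20 13:22:58 test-vyos charon[62904]: 09[IKE] <peer_192-168-100-1|1> inbound CHILD_SA peer_192-168-100-1_tunnel_1{12} established with SPIs c17a2b67_i 450197f3_o and TS 10.16.211.48/28 === 10.10.10.0/24",
    "Feb 20 13:22:58 test-vyos charon[62904]: 09[IKE] <peer_192-168-100-1|1> closing CHILD_SA peer_192-168-100-1_tunnel_1{11} with SPIs ca2f48cc_i (0 bytes) 59b5f175_o (0 bytes) and TS 10.16.211.48/28 === 10.10.10.0/24",
    "Feb 20 13:22:59 test-vyos charon[62904]: 14[IKE] <peer_192-168-100-1|1> inbound CHILD_SA peer_192-168-100-1_tunnel_1{13} established with SPIs cd49d169_i 1cbe3e1a_o and TS 10.16.211.48/28 === 10.10.10.0/24",
]
FIXED_LOG = [
    "Feb 20 12:39:21 test-vyos charon[59520]: 13[IKE] <peer_192-168-100-1|1> CHILD_SA peer_192-168-100-1_tunnel_1{1} established with SPIs cb3ed7a6_i a0fd057a_o and TS 10.16.211.48/28 === 10.10.10.0/24",
    "Feb 20 12:44:10 test-vyos charon[59520]: 14[IKE] <peer_192-168-100-1|1> inbound CHILD_SA peer_192-168-100-1_tunnel_1{2} established with SPIs c6968ce1_i d4170a38_o and TS 10.16.211.48/28 === 10.10.10.0/24",
    "Feb 20 12:44:10 test-vyos charon[59520]: 14[IKE] <peer_192-168-100-1|1> closing CHILD_SA peer_192-168-100-1_tunnel_1{1} with SPIs cb3ed7a6_i (0 bytes) a0fd057a_o (0 bytes) and TS 10.16.211.48/28 === 10.10.10.0/24",
    "Feb 20 12:48:45 test-vyos charon[59520]: 06[IKE] <peer_192-168-100-1|1> inbound CHILD_SA peer_192-168-100-1_tunnel_1{3} established with SPIs ca91a8ff_i 0fb4b426_o and TS 10.16.211.48/28 === 10.10.10.0/24",
    "Feb 20 12:48:45 test-vyos charon[59520]: 06[IKE] <peer_192-168-100-1|1> closing CHILD_SA peer_192-168-100-1_tunnel_1{2} with SPIs c6968ce1_i (0 bytes) d4170a38_o (0 bytes) and TS 10.16.211.48/28 === 10.10.10.0/24",
]

if __name__ == "__main__":
    for label, log in (("lifetime 300s, old template", HARD_EXPIRE_LOG),
                       ("lifetime 28800s, old template", STORM_LOG),
                       ("rekey-time 300s, fixed template", FIXED_LOG)):
        for name, cs in analyse(log).items():
            print(f"{label:33} {name}: {verdict(cs)} (instances={len(cs.established)}, "
                  f"hard_expires={cs.hard_expires}, rekey_closes={cs.rekey_closes}, min_gap={min_gap(cs)})")
```

On a live box the same functions can be fed the output of `journalctl -u strongswan` or the charon syslog file; the "hard-expire" verdict is the signature of a child section carrying life_time without rekey_time, and "rekey-storm" of a life_time far above the default rekey_time.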
[1] https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html