So I've finally got an X.509 VPN set up on a Vyatta-based router, using strongSwan v4.5.2. I can successfully connect and transfer large amounts of traffic over the VPN, but at some point I randomly get disconnected; it appears that key renegotiation is failing. There doesn't seem to be a pattern to it; it can stay up for half a day and transfer 10 gigabytes' worth before it crashes, or it can stay up for 20 minutes with little traffic before a disconnect. After I get disconnected, I have to restart strongSwan before I can connect again.
/etc/ipsec.conf
Code:
# generated by /opt/vyatta/sbin/vpn-config.pl
version 2.0
config setup
    charonstart=no
    interfaces="%none"
    nat_traversal=yes
    virtual_private="%v4:0.0.0.0/0"
conn clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn private-or-clear
    auto=ignore
conn private
    auto=ignore
conn block
    auto=ignore
conn packetdefault
    auto=ignore
conn %default
    keyexchange=ikev1
### Vyatta L2TP VPN Begin ###
include /etc/ipsec.d/tunnels/remote-access
### Vyatta L2TP VPN End ###
/etc/ipsec.d/tunnels/remote-access
Code:
### Vyatta L2TP VPN Begin ###
conn remote-access-win-aaa
    rightprotoport=17/1701
    also=remote-access
conn remote-access-mac-zzz
    rightprotoport=17/%any
    also=remote-access
conn remote-access
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    rightca=%same
    leftcert=/etc/ipsec.d/certs/Gateway.crt
    pfs=no
    left=xx.xx.xx.xx
    leftprotoport=17/1701
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
    ike=aes256-sha1,3des-sha1!
    dpddelay=15
    dpdtimeout=45
    dpdaction=clear
    esp=aes256-sha1,3des-sha1!
    rekey=no
    ikelifetime=3600
### Vyatta L2TP VPN End ###
Here is the server log during a disconnect:
Code:
Jun 16 12:59:35 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #201: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jun 16 12:59:35 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #201: IPSec Transform [AES_CBC (128), HMAC_SHA1] refused due to strict flag
Jun 16 12:59:35 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #201: responding to Quick Mode
Jun 16 12:59:35 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #201: cannot install eroute -- it is in use for "remote-access-mac-zzz"[193] y.y.y.y:4500 #193
Jun 16 12:59:36 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #200: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000001 (perhaps this is a duplicated packet)
Jun 16 12:59:36 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #200: sending encrypted notification INVALID_MESSAGE_ID to y.y.y.y:4500
Jun 16 12:59:38 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #200: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000001 (perhaps this is a duplicated packet)
Jun 16 12:59:38 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #200: sending encrypted notification INVALID_MESSAGE_ID to y.y.y.y:4500
Jun 16 12:59:42 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #200: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000001 (perhaps this is a duplicated packet)
Jun 16 12:59:42 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #200: sending encrypted notification INVALID_MESSAGE_ID to y.y.y.y:4500
Jun 16 12:59:50 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #200: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000001 (perhaps this is a duplicated packet)
Jun 16 12:59:50 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #200: sending encrypted notification INVALID_MESSAGE_ID to y.y.y.y:4500
Those "previously used Message IDs" seem to be part of the problem, but as usual, Google turns up next to nothing useful, only that other people have had this problem, with no solution.
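As an added example (not from the post, Vyatta or strongSwan), a small Python checker that correlates the two symptoms visible in the pluto log above: an older child SA still holding the eroute, and the peer's Quick Mode retried with a Message ID the gateway has already rejected. Run over the gateway's auth log it can raise a "stuck rekey" alert before the user notices the drop. The sample lines are constructed from the post, with addresses kept anonymised; `repeat_threshold` is an assumption chosen here.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the pluto log in the post (addresses anonymised as in the post).
SAMPLE_LOG = [
    'Jun 16 12:59:35 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #201: responding to Quick Mode',
    'Jun 16 12:59:35 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #201: cannot install eroute -- it is in use for "remote-access-mac-zzz"[193] y.y.y.y:4500 #193',
    'Jun 16 12:59:36 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #200: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000001 (perhaps this is a duplicated packet)',
    'Jun 16 12:59:36 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #200: sending encrypted notification INVALID_MESSAGE_ID to y.y.y.y:4500',
    'Jun 16 12:59:38 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #200: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000001 (perhaps this is a duplicated packet)',
    'Jun 16 12:59:42 Gateway pluto[3492]: "remote-access-mac-zzz"[201] y.y.y.y:4500 #200: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000001 (perhaps this is a duplicated packet)',
    # Healthy peer on the other conn: must not be flagged.
    'Jun 16 13:10:00 Gateway pluto[3492]: "remote-access-win-aaa"[7] z.z.z.z:4500 #150: responding to Quick Mode',
]

# pluto's per-SA prefix: "conn"[instance] peer #state: message
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
EROUTE_RE = re.compile(r'cannot install eroute -- it is in use for "[^"]+"\[\d+\] \S+ #(?P<old_sa>\d+)')
MSGID_RE = re.compile(r'previously used Message ID (?P<mid>0x[0-9a-fA-F]+)')


def analyse_pluto_log(lines, repeat_threshold=3):
    """Per peer, pair an eroute still owned by an older SA with repeated
    Quick Mode rejections of the same Message ID; return one finding per peer."""
    eroute_conflict = {}                              # peer -> (new_sa, old_sa)
    rejected = defaultdict(lambda: defaultdict(int))  # peer -> message id -> count
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                                  # not a per-SA pluto line
        peer, msg = m['peer'], m['msg']
        e = EROUTE_RE.search(msg)
        if e:
            eroute_conflict[peer] = (int(m['sa']), int(e['old_sa']))
        r = MSGID_RE.search(msg)
        if r:
            rejected[peer][r['mid']] += 1
    findings = []
    for peer, (new_sa, old_sa) in sorted(eroute_conflict.items()):
        repeats = {mid: n for mid, n in rejected[peer].items() if n >= repeat_threshold}
        if repeats:  # both symptoms present: the rekey is stuck, not a stray duplicate packet
            findings.append({'peer': peer, 'new_sa': new_sa, 'old_sa': old_sa,
                             'message_ids': repeats})
    return findings


if __name__ == '__main__':
    for f in analyse_pluto_log(SAMPLE_LOG):
        print(f"stuck rekey from {f['peer']}: SA #{f['new_sa']} blocked by #{f['old_sa']}, "
              f"rejected Message IDs {f['message_ids']}")
```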