hwdsl2 / setup-ipsec-vpn

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
25.39k stars 6.34k forks

ikev2 disconnecting #1116

Closed anartikov closed 2 years ago

anartikov commented 2 years ago

Describe the issue
Sorry for my English. I use a translator. First, the VPN stops working, that is, the traffic does not pass and the sites do not open. Then the connection turns itself off. This error may appear both 5 minutes after the connection and after a few hours.

Logs
19:45:15 I connected. 20:17 I noticed that the connection was lost.

Mar 7 19:45:15 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #6: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[first-match]
Mar 7 19:45:15 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #6: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
Mar 7 19:45:15 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #6: processing decrypted IKE_AUTH request: SK{IDi,CERT,CERTREQ,AUTH,N,CP,SA,TSi,TSr}
Mar 7 19:45:15 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #6: ignoring CERTREQ payload that is not ASN1
Mar 7 19:45:15 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #6: established IKE SA; authenticated using RSA with SHA1 and peer certificate 'CN=NartikovNEW, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
Mar 7 19:45:15 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #7: proposal 1:ESP=AES_GCM_C_128-DISABLED SPI=8da8b43e chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED[first-match]
Mar 7 19:45:15 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #7: established Child SA using #6; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x8da8b43e <0x8732636b xfrm=AES_GCM_16_128-NONE NATD=95.165.150.94:35102 DPD=active}
Mar 7 19:45:15 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #4: INFORMATIONAL request has duplicate Message ID 3; retransmitting response
Mar 7 19:46:12 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #4: INFORMATIONAL request has duplicate Message ID 3; retransmitting response
Mar 7 19:48:06 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #4: INFORMATIONAL request has duplicate Message ID 3; retransmitting response
Mar 7 19:50:00 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #4: INFORMATIONAL request has duplicate Message ID 3; retransmitting response
Mar 7 19:51:54 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #4: INFORMATIONAL request has duplicate Message ID 3; retransmitting response
Mar 7 20:13:40 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #7: ESP traffic information: in=2MB out=25MB
Mar 7 20:13:40 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94: kernel: xfrm XFRM_MSG_DELPOLICY for flow %discard(discard)(in) encountered unexpected policy
Mar 7 20:13:40 NartServ2 pluto[1622]: ERROR: "ikev2-cp"[3] 95.165.150.94 #7: kernel: xfrm XFRM_MSG_DELPOLICYdelete(UNUSED) response for flow (in): No such file or directory (errno 2)
Mar 7 20:13:40 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #7: raw_policy in teardown_half_ipsec_sa() failed to delete inbound
Mar 7 20:13:40 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #6: established IKE SA
Mar 7 20:13:41 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #6: INFORMATIONAL request has duplicate Message ID 2; retransmitting response
Mar 7 20:13:42 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #6: INFORMATIONAL request has duplicate Message ID 2; retransmitting response
Mar 7 20:13:45 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #6: INFORMATIONAL request has duplicate Message ID 2; retransmitting response
Mar 7 20:13:52 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #6: INFORMATIONAL request has duplicate Message ID 2; retransmitting response
Mar 7 20:14:06 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #6: INFORMATIONAL request has duplicate Message ID 2; retransmitting response
Mar 7 20:14:34 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #6: INFORMATIONAL request has duplicate Message ID 2; retransmitting response

Server (please complete the following information)
CentOS Linux release 7.9.2009
Libreswan version is 4.6

Client (please complete the following information)

Device: PC
OS: Windows 21H2 19044.1566
VPN mode: IKEv2

anartikov commented 2 years ago

Another similar case

Mar 7 20:45:19 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #8: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[first-match]
Mar 7 20:45:19 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #8: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
Mar 7 20:45:20 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #8: processing decrypted IKE_AUTH request: SK{IDi,CERT,CERTREQ,AUTH,N,CP,SA,TSi,TSr}
Mar 7 20:45:20 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #8: ignoring CERTREQ payload that is not ASN1
Mar 7 20:45:20 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #8: established IKE SA; authenticated using RSA with SHA1 and peer certificate 'CN=NartikovNEW, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
Mar 7 20:45:20 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #9: proposal 1:ESP=AES_GCM_C_128-DISABLED SPI=a4cf2a00 chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED[first-match]
Mar 7 20:45:20 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #9: established Child SA using #8; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0xa4cf2a00 <0x6fe92d0c xfrm=AES_GCM_16_128-NONE NATD=95.165.150.94:35121 DPD=active}
Mar 7 20:51:49 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #9: ESP traffic information: in=269KB out=873KB
Mar 7 20:51:49 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94: kernel: xfrm XFRM_MSG_DELPOLICY for flow %discard(discard)(in) encountered unexpected policy
Mar 7 20:51:49 NartServ2 pluto[1622]: ERROR: "ikev2-cp"[3] 95.165.150.94 #9: kernel: xfrm XFRM_MSG_DELPOLICYdelete(UNUSED) response for flow (in): No such file or directory (errno 2)
Mar 7 20:51:49 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #9: raw_policy in teardown_half_ipsec_sa() failed to delete inbound
Mar 7 20:51:49 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #8: established IKE SA
Mar 7 20:51:50 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #8: INFORMATIONAL request has duplicate Message ID 2; retransmitting response
Mar 7 20:51:51 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #8: INFORMATIONAL request has duplicate Message ID 2; retransmitting response
Mar 7 20:51:54 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #8: INFORMATIONAL request has duplicate Message ID 2; retransmitting response

hwdsl2 commented 2 years ago

@anartikov Hello! From your logs, it looks like the IKEv2 connection disconnected after some minutes, but without logging the specific error that triggered the disconnection. I suspect that this may be a Libreswan bug that may or may not have been fixed in the latest code.

Could you instead open an issue at https://github.com/libreswan/libreswan/issues, and perhaps ping @letoams and/or @cagney? I'm closing this one in favor of an issue in the Libreswan repo.
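As an added triage example (not part of this issue or of the setup-ipsec-vpn project): the reading above, that the Child SA was torn down without a logged trigger, can be checked mechanically by pairing each "established Child SA" line with the "ESP traffic information" line pluto writes for the same state number at teardown, which yields the tunnel lifetime and whether any explanatory line appeared in between. The sample lines are constructed in the shape of the logs quoted in this thread; the year (syslog timestamps carry none) and the REASON_HINTS phrases are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the pluto lines quoted in this issue (not the full log).
SAMPLE_LOG = """\
Mar 7 19:45:15 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #7: established Child SA using #6; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x8da8b43e <0x8732636b xfrm=AES_GCM_16_128-NONE NATD=95.165.150.94:35102 DPD=active}
Mar 7 19:45:15 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #4: INFORMATIONAL request has duplicate Message ID 3; retransmitting response
Mar 7 20:13:40 NartServ2 pluto[1622]: "ikev2-cp"[3] 95.165.150.94 #7: ESP traffic information: in=2MB out=25MB
Mar 7 20:13:40 NartServ2 pluto[1622]: ERROR: "ikev2-cp"[3] 95.165.150.94 #7: kernel: xfrm XFRM_MSG_DELPOLICYdelete(UNUSED) response for flow (in): No such file or directory (errno 2)
"""

# One syslog-style pluto line: timestamp, host, pluto[pid], optional "ERROR:", "conn"[instance] peer [#state]: message
LINE_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'(?:ERROR: )?"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+)(?: #(?P<sa>\d+))?: (?P<msg>.*)$')
# Phrases that would explain a teardown if present (assumption: exact Libreswan wording varies by version).
REASON_HINTS = ("received Delete", "deleting state", "DPD", "liveness", "timeout")

def parse_line(line, year):
    """Split one pluto log line into (timestamp, conn, peer, state, message), or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["conn"], m["peer"], m["sa"], m["msg"]

def child_sa_report(log_text, year=2022):
    """Pair 'established Child SA' with the later 'ESP traffic information' line for the same
    state (pluto logs it at teardown); report lifetime, counters and whether a reason was logged."""
    started, hints, report = {}, {}, []
    for raw in log_text.splitlines():
        rec = parse_line(raw, year)                 # year is an assumption: syslog carries none
        if rec is None or rec[3] is None:           # unparsable, or no state number (kernel lines)
            continue
        ts, conn, peer, sa, msg = rec
        key = (peer, sa)
        if msg.startswith("established Child SA"):
            started[key] = ts
        elif msg.startswith("ESP traffic information") and key in started:
            counters = re.search(r"in=(\S+) out=(\S+)", msg)
            report.append({"conn": conn, "peer": peer, "sa": sa,
                           "lifetime_s": int((ts - started.pop(key)).total_seconds()),
                           "in": counters[1], "out": counters[2],
                           "reason_logged": bool(hints.get(key))})   # False here: silent teardown
        elif any(h in msg for h in REASON_HINTS):
            hints.setdefault(key, []).append(msg)
    return report

if __name__ == "__main__":
    print(child_sa_report(SAMPLE_LOG))
```

Run against the full pluto log, a row with reason_logged False and a lifetime of a few minutes to hours is exactly the symptom reported here, and the raw_policy/XFRM errors that follow it are cleanup noise rather than the cause.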