IPSec: connection stops retrying after several attempts when remote peer is unresponsive #1179

Description

@francio87

When the remote peer does not respond to an IPSec connection attempt, the firewall stops retrying after a certain number of attempts.

Steps to reproduce

  • Set debug=1 in the IPSec config (uci set ipsec.debug=1)
  • Configure an IPSec connection to a non-responsive IP address.
  • Observe the logs and check with tcpdump

Expected behavior

The firewall should continue attempting to establish the IPSec connection indefinitely

Actual behavior

After 15 retries, the system stops attempting to establish the IPSec connection:

Apr 15 17:57:00 nsec-client ipsec: 00[DMN] load-all: successfully loaded 1 connections, 0 unloaded
Apr 15 17:57:04 nsec-client ipsec: 06[IKE] retransmit 1 of request with message ID 0
Apr 15 17:57:04 nsec-client ipsec: 06[NET] sending packet: from 192.168.122.63[500] to 192.168.122.114[500] (464 bytes)
...
...
Apr 15 17:58:29 nsec-client ipsec: 07[IKE] retransmit 5 of request with message ID 0
Apr 15 17:58:29 nsec-client ipsec: 07[NET] sending packet: from 192.168.122.63[500] to 192.168.122.114[500] (464 bytes)
Apr 15 17:59:45 nsec-client ipsec: 14[IKE] giving up after 5 retransmits
Apr 15 17:59:45 nsec-client ipsec: 14[IKE] peer not responding, trying again (2/3)
Apr 15 17:59:45 nsec-client ipsec: 14[IKE] initiating IKE_SA ns_e355a985[1] to 192.168.122.114
Apr 15 17:59:45 nsec-client ipsec: 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
...
...
Apr 15 18:01:14 nsec-client ipsec: 06[NET] sending packet: from 192.168.122.63[500] to 192.168.122.114[500] (464 bytes)
Apr 15 18:02:30 nsec-client ipsec: 08[IKE] giving up after 5 retransmits
Apr 15 18:02:30 nsec-client ipsec: 08[IKE] peer not responding, trying again (3/3)
Apr 15 18:02:30 nsec-client ipsec: 08[IKE] initiating IKE_SA ns_e355a985[1] to 192.168.122.114
Apr 15 18:02:30 nsec-client ipsec: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 15 18:02:30 nsec-client ipsec: 08[NET] sending packet: from 192.168.122.63[500] to 192.168.122.114[500] (464 bytes)
Apr 15 18:02:34 nsec-client ipsec: 16[IKE] retransmit 1 of request with message ID 0
Apr 15 18:02:34 nsec-client ipsec: 16[NET] sending packet: from 192.168.122.63[500] to 192.168.122.114[500] (464 bytes)
...
...
Apr 15 18:05:15 nsec-client ipsec: 14[IKE] giving up after 5 retransmits

Proposed solution

Set the option keyingtries=0 (infinite retries) in the IPSec configuration.

root@nsec-client:~# uci show ipsec.ns_e355a985
ipsec.ns_e355a985=remote
ipsec.ns_e355a985.ns_name='ipsec-test'
ipsec.ns_e355a985.authentication_method='psk'
ipsec.ns_e355a985.gateway='192.168.122.114'
ipsec.ns_e355a985.keyexchange='ike'
ipsec.ns_e355a985.local_identifier='@tun1.local'
ipsec.ns_e355a985.local_ip='192.168.122.63'
ipsec.ns_e355a985.enabled='1'
ipsec.ns_e355a985.remote_identifier='@tun1.remote'
ipsec.ns_e355a985.pre_shared_key='mysupersecretpsk'
ipsec.ns_e355a985.crypto_proposal='ns_e355a985_ike'
ipsec.ns_e355a985.rekeytime='3600'
ipsec.ns_e355a985.tunnel='ns_e355a985_tunnel_1'
root@nsec-client:~# uci set ipsec.ns_e355a985.keyingtries=0
root@nsec-client:~# uci commit
root@nsec-client:~# /etc/init.d/swanctl restart

The log (and tcpdump) confirms that the system keeps attempting to connect indefinitely:

Apr 15 15:44:26 nsec-client ipsec: 15[IKE] peer not responding, trying again (26/0)
Apr 15 15:44:26 nsec-client ipsec: 15[IKE] initiating IKE_SA ns_e355a985[1] to 192.168.122.114
Apr 15 15:44:26 nsec-client ipsec: 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 15 15:44:26 nsec-client ipsec: 15[NET] sending packet: from 192.168.122.63[500] to 192.168.122.114[500] (464 bytes)
Apr 15 15:44:30 nsec-client ipsec: 08[IKE] retransmit 1 of request with message ID 0
Apr 15 15:44:30 nsec-client ipsec: 08[NET] sending packet: from 192.168.122.63[500] to 192.168.122.114[500] (464 bytes)
Apr 15 15:44:37 nsec-client ipsec: 07[IKE] retransmit 2 of request with message ID 0
Apr 15 15:44:37 nsec-client ipsec: 07[NET] sending packet: from 192.168.122.63[500] to 192.168.122.114[500] (464 bytes)
Apr 15 15:44:50 nsec-client ipsec: 06[IKE] retransmit 3 of request with message ID 0
Apr 15 15:44:50 nsec-client ipsec: 06[NET] sending packet: from 192.168.122.63[500] to 192.168.122.114[500] (464 bytes)
Apr 15 15:45:13 nsec-client ipsec: 03[IKE] retransmit 4 of request with message ID 0
Apr 15 15:45:13 nsec-client ipsec: 03[NET] sending packet: from 192.168.122.63[500] to 192.168.122.114[500] (464 bytes)
Apr 15 15:45:55 nsec-client ipsec: 10[IKE] retransmit 5 of request with message ID 0
Apr 15 15:45:55 nsec-client ipsec: 10[NET] sending packet: from 192.168.122.63[500] to 192.168.122.114[500] (464 bytes)
Apr 15 15:47:11 nsec-client ipsec: 11[IKE] giving up after 5 retransmits
Apr 15 15:47:11 nsec-client ipsec: 11[IKE] peer not responding, trying again (27/0)
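An added example, not part of this issue or of the NethSecurity project: a Python check that replays charon log lines of the shape shown above and reports which connections have used up a finite keyingtries budget. It keys off the second number in "peer not responding, trying again (n/max)" (0 means keyingtries=0, unlimited) and the following "giving up after N retransmits". The two sample logs are constructed to mirror the issue's excerpts; the connection name ns_e355a985 and the addresses reuse the ones shown, and the ordering assumption (one connection's lines appear in sequence) is an assumption of this example.

```python
import re

# Patterns for the three charon messages the check relies on, matching the
# syslog shape shown in the issue: "<ts> <host> ipsec: <thread>[<subsys>] <msg>".
RE_INITIATING = re.compile(r"initiating IKE_SA (?P<name>[^\s\[]+)\[\d+\] to (?P<peer>\S+)")
RE_TRYING = re.compile(r"peer not responding, trying again \((?P<n>\d+)/(?P<max>\d+)\)")
RE_GIVING_UP = re.compile(r"giving up after (?P<rt>\d+) retransmits")


def analyze_ike_retries(log_text):
    """Replay charon log lines in order and track, per connection name:
    which keying try is in flight, the configured limit (second number of
    "trying again (n/max)"; 0 means keyingtries=0, unlimited) and whether the
    latest "giving up" exhausted that limit. Assumes, like the issue's excerpt,
    that one connection's lines appear in order (no interleaved peers)."""
    state = {}
    current = None   # name from the most recent "initiating IKE_SA" line
    pending = None   # (n, max) seen before any "initiating" line named the SA
    for line in log_text.splitlines():
        m = RE_INITIATING.search(line)
        if m:
            current = m.group("name")
            conn = state.setdefault(current, {
                "peer": m.group("peer"), "attempt": 1, "max_tries": None,
                "give_ups": 0, "abandoned": False,
            })
            if pending is not None:
                conn["attempt"], conn["max_tries"] = pending
                pending = None
            conn["abandoned"] = False          # a fresh try is now in flight
            continue
        m = RE_TRYING.search(line)
        if m:
            n, limit = int(m.group("n")), int(m.group("max"))
            if current is None:
                pending = (n, limit)           # bind it once the SA is named
            else:
                state[current].update(attempt=n, max_tries=limit, abandoned=False)
            continue
        m = RE_GIVING_UP.search(line)
        if m and current is not None:
            conn = state[current]
            conn["give_ups"] += 1
            limit = conn["max_tries"]
            # Exhausted only when a finite limit is known and this was its last try;
            # with max_tries == 0 charon keeps retrying, which is the fix proposed above.
            conn["abandoned"] = bool(limit) and conn["attempt"] >= limit
    return state


def abandoned_connections(log_text):
    """Names of connections whose keyingtries budget ran out in this log."""
    return sorted(name for name, c in analyze_ike_retries(log_text).items() if c["abandoned"])


# Constructed sample: default keyingtries (3 tries, 5 retransmits each), peer silent.
FINITE_LOG = """\
Apr 15 17:57:00 nsec-client ipsec: 00[DMN] load-all: successfully loaded 1 connections, 0 unloaded
Apr 15 17:57:00 nsec-client ipsec: 05[IKE] initiating IKE_SA ns_e355a985[1] to 192.168.122.114
Apr 15 17:57:04 nsec-client ipsec: 06[IKE] retransmit 1 of request with message ID 0
Apr 15 17:59:45 nsec-client ipsec: 14[IKE] giving up after 5 retransmits
Apr 15 17:59:45 nsec-client ipsec: 14[IKE] peer not responding, trying again (2/3)
Apr 15 17:59:45 nsec-client ipsec: 14[IKE] initiating IKE_SA ns_e355a985[1] to 192.168.122.114
Apr 15 18:02:30 nsec-client ipsec: 08[IKE] giving up after 5 retransmits
Apr 15 18:02:30 nsec-client ipsec: 08[IKE] peer not responding, trying again (3/3)
Apr 15 18:02:30 nsec-client ipsec: 08[IKE] initiating IKE_SA ns_e355a985[1] to 192.168.122.114
Apr 15 18:05:15 nsec-client ipsec: 14[IKE] giving up after 5 retransmits
"""

# Constructed sample: same connection after keyingtries=0 (the "/0" in the counter).
UNLIMITED_LOG = """\
Apr 15 15:44:26 nsec-client ipsec: 15[IKE] peer not responding, trying again (26/0)
Apr 15 15:44:26 nsec-client ipsec: 15[IKE] initiating IKE_SA ns_e355a985[1] to 192.168.122.114
Apr 15 15:44:30 nsec-client ipsec: 08[IKE] retransmit 1 of request with message ID 0
Apr 15 15:47:11 nsec-client ipsec: 11[IKE] giving up after 5 retransmits
Apr 15 15:47:11 nsec-client ipsec: 11[IKE] peer not responding, trying again (27/0)
"""

if __name__ == "__main__":
    for label, log in (("default keyingtries", FINITE_LOG), ("keyingtries=0", UNLIMITED_LOG)):
        for name, conn in analyze_ike_retries(log).items():
            print(f"{label}: {name} -> {conn['peer']} try {conn['attempt']}/"
                  f"{conn['max_tries']} give_ups={conn['give_ups']} abandoned={conn['abandoned']}")
```

Run against the first sample it reports ns_e355a985 as abandoned after the third give-up; against the second it never does, because max_tries is 0. Feeding it `logread | grep ipsec:` output is a cheap way to alert on tunnels that silently stopped trying before the fix is rolled out.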

Metadata

Labels: verified (All test cases were verified successfully)
Status: Done ✅