Hello,

On Fri, 2015-06-05 at 15:55 +0200, Wolfgang Apolinarski wrote:
> Hi!
>
> I performed some tests with ipfire and the Windows VPN client (for the
> rekey=no issue). I usually use short-time VPN connections (<3 hours), so I
> did not recognize any problems.
>
> During the tests, I did not find any configuration that allowed me a stable
> VPN connection, all connections drop after 3-4 hours (IKE re-negotiation,
> CHILD_SA re-negotiation works fine). The problem could also be located in
> one of the used routers... If you have any suggestion on what configuration
> I should test as well, please let me know.

This clearly is the IKE re-negotiation. The messages suggest that from the
log below and the configuration, too.

> My default configuration (1st try):
> conn WinAndroidVPN
>     left=%defaultroute
>     leftsubnet=0.0.0.0/0
>     leftfirewall=yes
>     lefthostaccess=yes
>     leftallowany=yes
>     leftcert=/var/ipfire/certs/hostcert.pem
>     ike=aes256-sha1-modp1024!
>     esp=aes256-sha1!
>     right=%any
>     keyexchange=ikev2
>     compress=yes
>     dpdaction=clear
>     dpddelay=30s
>     auto=add
>     rightsourceip=%dhcp
>     ikelifetime=4h
>     lifetime=2h
>     keylife=8h
>     rightcert=/var/ipfire/certs/WinAndroidVPNcert.pem
>
> The protocol for this config is located here: http://pastebin.com/iXjjp71R
>
> 2nd try changes:
>     ikelifetime=4h
>     lifetime=90m
> The protocol for the 2nd config is located here:
> http://pastebin.com/xyarBvub
>
> 3rd try changes:
>     rekey=no
>     ikelifetime=4h
>     lifetime=2h
> The protocol for the 3rd config is located here:
> http://pastebin.com/jmPNzxUX
>
> So, sorry, I was not able to find a stable connection and have no suggestion
> on how to change the default config such that a stable connection with
> Windows 7/8.1 is possible.

Have you tried to capture the packets on the client as well and check if the
IKE messages reach that system? strongSwan had some bugs/features? in the
past where it ignored IKE messages.

Maybe that is the case in the Windows client - or maybe that is something in
the standard. That way we can at least make sure that there is some other NAT
router that is causing the problems...

Best,
-Michael

> Best regards,
> Wolfgang
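To see why the drops cluster around the 3-4 hour mark, it helps to compute when strongSwan would attempt the IKE_SA and CHILD_SA rekey for the posted conn block. The script below is an added example (not from the thread or from ipfire/strongSwan); it assumes strongSwan's documented rekey rule, rekey time = lifetime - margintime - random(0, margintime * rekeyfuzz), with the stock defaults margintime=9m and rekeyfuzz=100%, and that keylife is the documented synonym for lifetime, so setting both is worth flagging.

```python
import re

# Constructed excerpt of the 1st-try conn block quoted in the thread (values as posted).
CONN_TEXT = """
conn WinAndroidVPN
    keyexchange=ikev2
    dpddelay=30s
    ikelifetime=4h
    lifetime=2h
    keylife=8h
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_time(value: str) -> int:
    """Convert a strongSwan time value such as '90m' or '4h' to seconds (bare number = seconds)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_conn(text: str) -> dict:
    """Collect key=value lines of a conn block; repeated keys are kept in order of appearance."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("conn "):
            key, _, val = line.partition("=")
            settings.setdefault(key.strip(), []).append(val.strip())
    return settings

def rekey_window(lifetime: int, margintime: int = 9 * 60, rekeyfuzz: float = 1.0) -> tuple:
    """Earliest and latest rekey attempt in seconds after SA establishment (assumed strongSwan rule)."""
    latest = lifetime - margintime
    earliest = latest - int(margintime * rekeyfuzz)
    return earliest, latest

def analyse(text: str) -> dict:
    """Report rekey windows and configuration findings for one conn block."""
    s = parse_conn(text)
    report = {"findings": []}
    ike = parse_time(s.get("ikelifetime", ["3h"])[-1])       # strongSwan default 3h
    child_vals = s.get("lifetime", []) + s.get("keylife", [])  # keylife is a synonym for lifetime
    if len(child_vals) > 1:
        report["findings"].append(f"lifetime/keylife set {len(child_vals)} times: {child_vals}")
    child = parse_time(child_vals[-1]) if child_vals else 3600  # strongSwan default 1h
    report["ike_rekey_window_s"] = rekey_window(ike)
    report["child_rekey_window_s"] = rekey_window(child)
    if s.get("rekey", ["yes"])[-1] == "no":
        report["findings"].append(f"rekey=no: this side never initiates rekeying; IKE_SA expires at {ike} s")
    return report
```

For the posted values the IKE_SA rekey is attempted between 13320 s and 13860 s (3h42m to 3h51m), which is exactly the window in which the connections were observed to drop.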