IPSec sessions on the firewall not terminated after a while of being idle?

Zyxel_USG_User

I have the following scenario: I manually connect with a device (smartphone or notebook) and via IPSec VPN client (the ones generated by the USG-20W-VPN), StrongSwan resp. Win1x Client from outside.

Now, when I take the device(s) again in WiFi range, they reconnect to the WiFi ergo the IPSec tunnel is not used anymore. Now, If I log onto the firewall even hours after having used the IPSec tunnels, the tunnels are shown as active in the overview, even if they are long time not used anymore. All the traffic goes via LAN cable or WiFi, since hours. Now, only if I click the refresh button up right in the overview, I just afterwards see the IPSec tunnel disconnecting.

Is this a bug, or a feature? 😋

Shouldn't the firewall disconnect after an idle time and a preset timeout, the tunnel from itself?

The log shows that only after me actively pressing refresh, the connection has been terminated. The device has been used via WiFi for 1-2 hours already, but the IPSec tunnel of this device was still left in limbo state on the firewall, even if manually terminated on smartphone :) as I understand.

Summary- IPSec connection definitely used maximally between 11:51 (correct timestamp), until 17:51. Afterwards, smartphone changed to WiFi. I have to stop the StrongSwan client, as it tries to reconnect unsuccessfully. So, manually stopped the VPN, and smartphone now connected via WiFi to internet. Latest by 17:52 the IPSec connection is not used anymore, but still not only shown as active in the GUI, but also in the logs there is no disconnection. The disconnection occurs only after I pressed the refresh button on the GUI.

Zyxel_Judy

Hi @Zyxel_USG_User ,

Which firmware version are you using?

We tested the scenario using a USG 20W VPN with firmware version 5.39P1, but our logs and VPN dashboard correctly showed the timestamp when our VPN clients disconnected.

Please check your firmware version and verify the exact time when your VPN clients disconnected against what's shown in your device GUI. If the issue persists, we may need a remote session to investigate further.

Zyxel_USG_User

Firmware on the firewall is V5.39(ABAR.1).

I assume that we misunderstand each other. When I deliberately disconnect and reconnect, the timestamps are accurate in the logfiles and the GUI- as you posted as well.

Now, to the current problem:

1. take a smartphone, eg with StrongSwan IPSec VPN.
2. Activate the tunnel session to the firewall, then
3. put the phone in an isolated box so that it has no data traffic whilst the tunnel has not been terminated. Or put it in flight mode.
4. You will see that the tunnel, despite no traffic, is not timed out or disconnected on the firewall by the firewall itself even after hours.

Looking at the smartphone in flight mode - phone tries to terminate the VPN in the StrongSwan log because it cannot reach (!) which is a bit funny from the procedural point of view, obviously data does not 'get out'. If it cannot reach the firewall, why does it still try to send termination data out…

Looking at the firewall side, the firewall even if it does not receive data, remains in limbo status showing the connection in the GUI indefinitely even if no data is sent and received via that connection.

When I remove the flight mode on the smartphone, then manually terminate the tunnel/disconnect in StrongSwan, it logs and displays correctly the tunnel termination. Otherwise, no tunnel termination on the firewall, from the firewall itself for an 'gone idle' connection, indefinitely. Well, firewall reboot removes the connection :) but that should not be the standard procedure for vpn tunnels in indefinite states of connection.

What I assume is that the firewall does not terminate an IPSec connection from itself after a threshhold of no-data has been reached?

Zyxel_Judy

Hi @Zyxel_USG_User ,

The symptom you observed is caused by a design limitation between the firewall and Android StrongSwan.

When an Android device with StrongSwan establishes a VPN connection and then switches to airplane mode, it does not send a VPN disconnection signal to the firewall. This causes the dashboard shows that the VPN connection remains active, and there is no VPN disconnection logs in the log pages.

Workaround Solution:
Enable the Enable user idle detection function on your firewall. This allows the firewall to actively monitor VPN user activity and automatically disconnect VPN connections if its idle time reached the setting time.

PeterUK

If you set Phase 2 SA life time low that might also drop the session?

Zyxel_USG_User

https://community.zyxel.com/en/discussion/comment/77039#Comment_77039

I enabled the setting, see pics. The remote access users are included in the 'users' group, so the ticked box should be inherited by them too. However, it does not work. The connection is still in limbo after ages, shown as active, with the internal IP assigned and all that. It just shows no data traffic over the connection, which is the only correct thing at it.

Zyxel_Judy

Hi @Zyxel_USG_User ,

We would like to update you regarding this case.

The symptom you observed is due to a design limitation. The firewall does not actively initiate DPD (Dead Peer Detection) checks to verify if the StrongSwan VPN client is still connected. As a result, both the dashboard and Monitor page will continue to show the VPN as connected when the phone is in the Airplane mode.

Regarding the User idle detection feature, this only applies to local user login sessions. The system will detect idle time for local GUI logins, but this does not affect or monitor VPN connection users.

Zyxel_USG_User

Thank you for the reply. May I add, it is not only with StrongSwan VPN client, but also with the native Windows 11 or 10 VPN clients.

From a practical perspective- what is your view about being able to hijack a stale VPN connection, when the endpoint has lost connection but the firewall still maintains that connection upright? I am aware of the encryption keys, session infos etc nevertheless a stale-gone secure connection is potentially-theoretically keeping an access channel open.

And if there is a theoretical possibility with very low risk to hijack these stale VPN sessions, will you implement DPD or equivalents for liveness connection detection for VPN tunnels?

PeterUK

I tested my idea set Phase 2 SA life time low but it seem that just disconnects the client from what I can tell StrongSwan does not re-key unless the StrongSwan was going to re-key some hours later.

Edit after some more testing StrongSwan re-key every 7200 seconds so if you put that in Phase 2 SA life time StrongSwan will stay connected and rekey every 2 hours if you then go to airplane mode then the VPN will still show as connected but will disconnect somewhere within 2 hours depending when the last rekey was.