[Swan-dev] IPSec restarts intermittently and crashes sometimes, PAYLOAD_MALFORMED issue observed: resend without logs
paul at nohats.ca
Fri Feb 5 20:50:28 UTC 2016
On Fri, 5 Feb 2016, Rajeev Gaur wrote:
> 1) Please suggest how I can make the same device initiator as well as
> responder. I have got the devices now. Looking into this.
Set a really long keylife, e.g. ikelifetime=24h salifetime=24h. Then
initiate the connection and wait for them to rekey to you.
> 2) Just for clarity, because the sites are acting as initiator and responder
> and their ikelifetime and salifetime are different, you suggested to keep
> them same so that even though they switch roles, one role does not hold on
> to complete the duration of other role. The roles are switched at the same
> time durations. Also, rather than my devices trigger the keying, it is
> triggered when Cisco router HST (hello state timer) expires. Am I right?
If your initiating works, then putting short lifetimes makes sure you
will rekey before the other end decides it must rekey to you.