[Swan-dev] IPSec restarts intermittently and crashes sometimes, PAYLOAD_MALFORMED issue observed: resend without logs

Paul Wouters paul at nohats.ca
Fri Feb 5 20:50:28 UTC 2016


On Fri, 5 Feb 2016, Rajeev Gaur wrote:

> 1) Please suggest how can I make the same device initiator as well as
> responder. I have got the devices now. Looking into this.

Set a really long keylife, e.g. ikelifetime=24h salifetime=24h. Then
initiate the connection and wait for them to rekey to you.

> 2) Just for clarity, because the sites are acting as initiator and responder
> and their ikelifetime and salifetime are different, you suggested to keep
> them same so that even though they switch roles, one role does not hold on
> to complete the duration of other role. The roles are switched at the same
> time durations. Also, rather than my devices triggering the keying, it is
> triggered when the cisco router HST (hello state timer) expires. Am I right?

If your initiating works, then putting short lifetimes makes sure you
will rekey before the other end decides it must rekey to you.

Paul
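For readers following the advice above, here is an added ipsec.conf fragment (not from the thread or from the libreswan project) showing where the two lifetime settings go and how they steer which end rekeys first. Addresses, ids, the conn name and the exact lifetime values are placeholders chosen for illustration; the only real point is that the side whose ikelifetime/salifetime (minus rekeymargin) expires first is the side that initiates the rekey.

```ini
# Added example, not part of the original post. Peer addresses, ids and
# lifetimes below are made up; the Cisco side is assumed to use its own
# (shorter) lifetimes than the 24h values used for the responder test.
conn to-cisco
	# our libreswan box
	left=192.0.2.10
	leftid=@ourbox.example
	# the Cisco peer
	right=198.51.100.20
	rightid=@cisco.example
	authby=secret

	# Case 1, testing our box as the RESPONDER: make our lifetimes much
	# longer than the peer's, bring the tunnel up from our side, then wait.
	# The peer's shorter timers expire first, so it rekeys towards us and
	# we exercise the responder code path on the same device.
	ikelifetime=24h
	salifetime=24h

	# Case 2, staying the INITIATOR in normal operation: swap the two lines
	# above for lifetimes shorter than the peer's, so that we always start
	# the rekey before the other end decides it has to rekey to us.
	# ikelifetime=30m
	# salifetime=1h

	# rekeymargin is how long before expiry the rekey attempt starts; it
	# must be small enough that (lifetime - rekeymargin) is still shorter
	# than the peer's lifetime when we want to be the one initiating.
	rekeymargin=9m
	rekey=yes

	# auto=start makes us initiate at startup; the responder test needs this
	# so the first exchange is ours and only the rekeys come from the peer.
	auto=start
```

After editing the file, reload and bring the tunnel up from our side (`ipsec auto --replace to-cisco` then `ipsec auto --up to-cisco`), then watch the logs: in case 1 the next IKE and IPsec SA rekeys should arrive from the Cisco address rather than be sent by us.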

