[Swan] Decoding IPSEC_RESPONDER_LIFETIME

heiko.helmle at horiba.com heiko.helmle at horiba.com
Wed May 20 13:14:18 EEST 2015


Hello list,

I have to communicate to a Cisco peer that seems to disagree on lifetimes 
- it sends informational payload IPSEC_RESPONDER_LIFETIME and sometimes 
just deletes SAs and then ignores any further attempts to reestablish, 
resulting in a stale ISAKMP. That means I have to --down and --up the 
connection to force a new Phase 1. 

I'm suspecting that the IPSEC_RESPONDER_LIFETIME might contain 
information that brings me closer to getting this connection stable - 
unfortunately I cannot do anything with the payload:

May 20 12:06:40 millhouse pluto[1584]: | ISAKMP Notification Payload
May 20 12:06:40 millhouse pluto[1584]: |   00 00 00 1c  00 00 00 01  03 04 60 00

How do I interpret those values? Or do I have to enable debug logging to 
see what Lifetime the Cisco sends?

And in a related question: My peer seems to have enabled some sort of 
inactivity (or idle) timeout. Does LibreSWAN have a similar feature? Or 
will auto=ondemand suffice once the SAs have timed out?

Best Regards
 Heiko Helmle
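
The following is an added example, not part of the original post and not Libreswan code: a decoder for the ISAKMP Notification payload layout from RFC 2408/2407, run on the 12 bytes quoted above. Those bytes are only the fixed header (length 28, IPsec DOI, ESP, 4-byte SPI, notify type 24576 = RESPONDER-LIFETIME); the lifetime attributes sit in the 16 bytes that the log line does not show, so SAMPLE_TAIL is a constructed stand-in sized to match that length.

```python
import struct

# Bytes logged by pluto in the post: just the 12-byte notification header.
LOGGED_HEADER = bytes.fromhex("0000001c 00000001 0304 6000")
# Constructed tail (NOT from the post): SPI, life type = seconds, duration = 3600.
SAMPLE_TAIL = bytes.fromhex("11223344 80010001 00020004 00000e10")

PROTOCOLS = {1: "ISAKMP", 2: "IPSEC_AH", 3: "IPSEC_ESP", 4: "IPCOMP"}  # RFC 2407 4.4.1
NOTIFY = {24576: "RESPONDER-LIFETIME", 24577: "REPLAY-STATUS",
          24578: "INITIAL-CONTACT"}                                    # RFC 2407 4.6.3
LIFE_UNITS = {1: "seconds", 2: "kilobytes"}                            # RFC 2407 4.5

def parse_attributes(data):
    """Decode ISAKMP data attributes (RFC 2408 3.3) into (type, value) pairs."""
    attrs, off = [], 0
    while off + 4 <= len(data):
        atype, field = struct.unpack_from("!HH", data, off)
        off += 4
        if atype & 0x8000:        # AF bit set: TV form, the field is the value
            value = field
        else:                     # AF bit clear: TLV form, the field is a length
            if off + field > len(data):
                raise ValueError("attribute value runs past end of payload")
            value = int.from_bytes(data[off:off + field], "big")
            off += field
        attrs.append((atype & 0x7FFF, value))
    return attrs

def parse_notification(payload):
    """Decode an ISAKMP Notification payload (RFC 2408 3.14), IPsec DOI."""
    if len(payload) < 12:
        raise ValueError("shorter than the 12-byte notification header")
    nxt, _, length, doi, proto, spi_size, ntype = struct.unpack_from("!BBHIBBH", payload)
    info = {"next_payload": nxt, "length": length, "doi": doi,
            "protocol": PROTOCOLS.get(proto, proto), "spi_size": spi_size,
            "notify_type": NOTIFY.get(ntype, ntype),
            "missing_bytes": max(0, length - len(payload)), "lifetimes": []}
    body = payload[12:length]
    if len(body) < spi_size:
        return info               # dump was truncated before the SPI and data
    info["spi"] = body[:spi_size].hex()
    unit = None
    for atype, value in parse_attributes(body[spi_size:]):
        if atype == 1:            # SA Life Type
            unit = LIFE_UNITS.get(value, value)
        elif atype == 2:          # SA Life Duration
            info["lifetimes"].append((value, unit))
    return info

if __name__ == "__main__":
    print(parse_notification(LOGGED_HEADER))
    print(parse_notification(LOGGED_HEADER + SAMPLE_TAIL))
```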