[Swan] Decoding IPSEC_RESPONDER_LIFETIME
heiko.helmle at horiba.com
heiko.helmle at horiba.com
Wed May 20 18:20:04 EEST 2015
> So from my head, probably completely wrong type of before coffee
> calculation, that could be lifetime in seconds (00 00 00 01) for
> 1c00 seconds, aka 7168 seconds, prob 7200 (2h) when it started?
Well the message comes in during the initial Phase 1 - so it might be that
Cisco defaults to something like 7168 seconds?
Peer admin configured 28800s on the GUI, but I couldn't find out what
phase.
well... what phase is IPSEC_RESPONDER_LIFETIME related to? ikelifetime or
salifetime?
I experimented and reduced both to 1800s. That at least takes the pressure
from me babysitting the connection - but still the peer seems to throw the
phase 1 away and Libreswan doesn't seem to notice, resulting in a broken
tunnel...
000 State list:
000
000 #54: "remote":4500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_EXPIRE in 144s; lastdpd=938s(seq in:0 out:0); idle; import:local
rekey
000 #63: "remote":4500 STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_v1_RETRANSMIT in 6s; lastdpd=-1s(seq in:0 out:0); idle; import:local
rekey
000 #61: "remote":4500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 57s; newest ISAKMP; lastdpd=300s(seq in:0 out:0);
idle; import:local rekey
with a dpdtimeout of 120 - shouldn't Libreswan have thrown away those (#54
and #61)? Or does DPD only work on Phase 2?
> ps. pet peeve: It is "Libreswan" or "libreswan", not "LibreSWAN" -
> SWAN is a trademark of RSA Inc.
I'll try to remember that :)
Best Regards
Heiko Helmle
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20150520/f98508bd/attachment.html>
More information about the Swan
mailing list