[Swan] Problem with NAT and Dynamic IP address change

Paul Wouters paul at nohats.ca
Thu Jul 2 02:11:17 EEST 2015


On Fri, 26 Jun 2015, heiko.helmle at horiba.com wrote:

> > 000 #1262: "blackswan"[5] 86.181.114.105:4500 STATE_MAIN_R3 (sent MR3,
> > ISAKMP SA established); EVENT_SA_REPLACE in 630s; newest ISAKMP;
> > lastdpd=2640s(seq in:22161 out:0); idle; import:not set
> ...
> 
> This is something I've seen pretty often too. Shouldn't this SA have been deleted a long time ago? With a dpd action (clear) being long
> overdue? Because AFAIU this is what keeps the other gateway from initiating a new one.
> 
> My hardware gateways act this way, but libreswan does not. And this mismatch in behaviour keeps connections in a broken state for quite
> some time if the SAs have long lifetimes.

Can you try 3.14rc3 from download.libreswan.org/development/

We fixed an issue with DPD being "forgotten" to clean up the SA.

Paul

