[Swan] strongSwan / Libreswan - Tunnel disconnects and becomes prospective erouted

Paul Wouters paul at nohats.ca
Tue Sep 20 16:18:00 UTC 2016


On Tue, 20 Sep 2016, Madden, Joe wrote:

> Just trying to resolve an issue we have with VPNs disconnecting from a strongSwan client.
> 
> When I restart my end of the VPN the VPNs establish and operate fine. After a random amount of time with no apparent user action, some of the VPN tunnels will become “prospective erouted”

You didn't provide any logs, so we have no idea of what is actually
happening. Are they hanging up? Are you hanging up? Are they trying
to rekey to you? The only thing we know is that this is ikev1, so
it does not relate to rekeying without authentication.

>         keylife=        60m
>         ikelifetime=    480m

You could try and change these timings. A 1h IPsec SA lifetime is
pretty short - usually these are kept at 8h or 24h. It does not
matter too much other than that you can tweak these to determine
who gets to initiate the rekeying (whoever has the shortest keylife).

But check your logs to see what is going on when the failure is
happening.

Paul

