[Swan] Stronswan / Libreswan - Tunnel disconnects and becomes prospective erouted

Madden, Joe Joe.Madden at mottmac.com
Wed Sep 21 07:54:23 UTC 2016


Hi Paul,

Thanks for the reply.

I'll change the key values to the longer ones and monitor to see what happens. I also noticed that I had duplicate subnets in there: 10.2.166.0/26.

I'll let you know how I get on.

Thanks

Joe

-----Original Message-----
From: Paul Wouters [mailto:paul at nohats.ca] 
Sent: 20 September 2016 17:18
To: Madden, Joe
Cc: swan at lists.libreswan.org
Subject: Re: [Swan] Stronswan / Libreswan - Tunnel disconnects and becomes prospective erouted

On Tue, 20 Sep 2016, Madden, Joe wrote:

> Just trying to resolve an issue we have with VPNs disconnecting from a strongSwan client.
> 
> When I restart my end of the VPN the VPNs establish and operate fine. 
> After a random amount of time with no apparent user action, some of the VPN tunnels will become “prospective erouted”

You didn't provide any logs, so we have no idea of what is actually happening. Are they hanging up? Are you hanging up? Are they trying to rekey to you? The only thing we know is that this is IKEv1, so it does not relate to rekeying without authentication.

>         keylife=        60m
>         ikelifetime=    480m

You could try to change these timings. A 1h IPsec SA lifetime is pretty short - usually these are kept at 8h or 24h. It does not matter too much, other than that you can tweak these to determine who gets to initiate the rekeying (whoever has the shortest keylife).

But check your logs to see what is going on when the failure is happening.

Paul

