[Swan] Tunnel Going Down

Banana Man bananasgorilla16 at gmail.com
Fri Oct 21 18:36:18 UTC 2016

Status shows the following:
ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%;
keyingtries: 0;

However, the tunnel fails well before any of the limits are reached -
sometimes within 5 minutes of being restarted. I still keep seeing the
STATE_PARENT_R1 (received v2I1, sent v2R1); EVENT_v2_RESPONDER_TIMEOUT in
195s; idle; import:respond to stranger

I'm wondering if something on the far side is blocking the replies.

Thanks for the help!

On Fri, Oct 21, 2016 at 1:10 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Fri, 21 Oct 2016, Banana Man wrote:
>
>> I didn't want to confuse things, but I'm actually using a NAT with this
>> tunnel (as well as several others on this machine). So left= is a
>> different value (my machine's real IP) than leftsubnet= and
>> leftsourceip=, which are the NAT address. So I think I need to set both
>> of those. I have always used in the subnet settings to restrict to the
>> single IP, is this not advisable? I only want access to the machine I'm
>> starting the tunnel on, not the whole subnet.
>
> Ok, if leftsubnet is an IP different from left that is fine. That did
> not show in your posted config. If you are behind NAT, ensure you have
> the shorter ikelifetime= so you are always the end rekeying first.
>
> Paul