[Swan] Retransmit interval
Bob Cribbs
bob.cribbs at policystat.com
Tue Jun 20 12:55:41 UTC 2017
Unfortunately, `rekey=no` did not change the behaviour.
```
000 "bhs": 184.X.X.X/32===172.A.A.A[184.X.X.X]---172.A.A.1...64.Y.Y.Y<64.Y.Y.Y>===128.B.B.B/32; prospective erouted; eroute owner: #0
000 "bhs": oriented; my_ip=184.X.X.X; their_ip=unset
000 "bhs": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "bhs": our auth:secret, their auth:secret
000 "bhs": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "bhs": labeled_ipsec:no;
000 "bhs": policy_label:unset;
000 "bhs": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "bhs": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "bhs": sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "bhs": policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "bhs": conn_prio: 32,32; interface: ens3; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "bhs": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "bhs": dpd: action:hold; delay:40; timeout:120; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "bhs": newest ISAKMP SA: #300; newest IPsec SA: #0;
000 "bhs": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)-MODP2048(14), AES_CBC(7)_256-SHA1(2)-MODP1536(5)
000 "bhs": IKE algorithms found: AES_CBC(7)_256-SHA1(2)-MODP2048(14), AES_CBC(7)_256-SHA1(2)-MODP1536(5)
000 "bhs": IKE algorithm newest: AES_CBC_256-SHA1-MODP1536
000 "bhs": ESP algorithms wanted: AES(12)_256-SHA1(2)
000 "bhs": ESP algorithms loaded: AES(12)_256-SHA1(2)
000 #301: "bhs":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 0s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #300: "bhs":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE_IF_USED in 2529s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
```
I just restarted ipsec; notice it got to #301 and it keeps going...
On 19 June 2017 at 20:17:02, Tuomo Soini (tis at foobar.fi) wrote:
> On Mon, 19 Jun 2017 11:07:34 -0400 (EDT)
> Paul Wouters <paul at nohats.ca> wrote:
> > On Mon, 19 Jun 2017, Bob Cribbs wrote:
> >
> > > I've tried the changes you suggested, but the result is still the
> > > same. In the conn config, I've added retransmit-timeout and
> > > retransmit-interval.
> >
> > Do you receive a DELETE for your IKE SA?
> Yes, he does. And in this case I think rekey=no is only solution.
> We removed delay for new initiation. That causes new issue.
> --
> Tuomo Soini <tis at foobar.fi>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <http://foobar.fi/>
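As an added example (not code from this thread or from libreswan), a small Python checker that reads `ipsec status` output in the shape quoted above and reports state entries whose next scheduled event is a retransmit, alongside the connection's retransmit-interval, retransmit-timeout and whether DONT_REKEY (rekey=no) is in its policy. The sample input is constructed, and the regexes are assumptions about the line format of this libreswan version.

```python
import re

# Constructed sample in the shape of the `ipsec status` output quoted in the thread.
SAMPLE_STATUS = """\
000 "bhs": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "bhs": policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+UP+IKEV1_ALLOW+IKEV2_ALLOW;
000 "bhs": newest ISAKMP SA: #300; newest IPsec SA: #0;
000 #301: "bhs":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 0s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #300: "bhs":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE_IF_USED in 2529s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
"""

# Assumed line shapes: 000 "name": settings...  and  000 #N: "name":port STATE_X (...); EVENT_Y in Ns; ...
CONN_RE = re.compile(r'^000 "(?P<conn>[^"]+)": (?P<body>.*)$')
STATE_RE = re.compile(r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)"(?::\d+)? (?P<state>STATE_\w+) '
                      r'\([^)]*\); (?P<event>EVENT_\w+) in (?P<secs>-?\d+)s;')

def parse_status(text):
    """Return ({conn: settings}, [state entries]) parsed from status output."""
    conns, states = {}, []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            states.append({"sa": int(m["sa"]), "conn": m["conn"], "state": m["state"],
                           "event": m["event"], "in": int(m["secs"])})
            continue
        m = CONN_RE.match(line)
        if not m:
            continue
        c, body = conns.setdefault(m["conn"], {}), m["body"]
        if body.startswith("policy:"):  # policy flags, e.g. DONT_REKEY for rekey=no
            c["policy"] = set(body[len("policy:"):].strip(" ;").split("+"))
        for key in ("retransmit-interval", "retransmit-timeout"):
            km = re.search(key + r": (\S+?);", body)
            if km:
                c[key] = km.group(1)
    return conns, states

def find_retransmitting(conns, states):
    """List SAs whose next event is a retransmit, with the conn's retransmit settings."""
    hits = []
    for s in states:
        if "RETRANSMIT" in s["event"]:
            c = conns.get(s["conn"], {})
            hits.append({"sa": s["sa"], "conn": s["conn"], "state": s["state"],
                         "interval": c.get("retransmit-interval"), "timeout": c.get("retransmit-timeout"),
                         "dont_rekey": "DONT_REKEY" in c.get("policy", set())})
    return hits
```

Run against live output with `find_retransmitting(*parse_status(subprocess.check_output(["ipsec", "status"], text=True)))`; a hit that persists across polls for longer than the retransmit-timeout is the symptom to alert on.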