[Swan] SA lifetime duration

Kostya Vasilyev kman at fastmail.com
Mon Feb 11 17:40:54 UTC 2019


I've got a strange, well, not sure if it's a problem, more of a question.

My setup is Mikrotik router client <-> libreswan server on Debian, IKEv1 with certificate auth.

Usually, watching SAs in the Mikrotik web UI and "ipsec status", there is a tendency to have 4 or even 6 SAs and for them to rotate / expire a few times a day.

Now, for maybe two days, I've only got one pair of SAs - and it continues to accumulate more and more traffic stats in the Mikrotik UI - that's how I know it's the same pair.

On the server side I get messages like these from time to time:

Feb 11 20:10:29 pluto[4767]: "mytunnel" #300: responding to Main Mode
Feb 11 20:10:29 pluto[4767]: "mytunnel" #300: STATE_MAIN_R1: sent MR1, expecting MI2
Feb 11 20:10:30 pluto[4767]: "mytunnel" #300: STATE_MAIN_R2: sent MR2, expecting MI3
Feb 11 20:10:30 pluto[4767]: "mytunnel" #300: STATE_MAIN_R2: retransmission; will wait 0.5 seconds for response
Feb 11 20:10:30 pluto[4767]: "mytunnel" #300: Peer ID is ID_DER_ASN1_DN: 'C=RU, L=Moscow, O=NewTunnel, OU=ac2'
Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: certificate verified OK: OU=ac2,O=NewTunnel,L=Moscow,C=RU
Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: Authenticated using RSA
Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: I am sending my cert
Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_128 integ=HMAC_SHA2_256 group=MODP2048}
Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Feb 11 20:22:21 pluto[4767]: "mytunnel" #299: deleting state (STATE_MAIN_I4) and sending notification

000 Total IPsec connections: loaded 1, active 1
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000 #290: "mytunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 841s; newest IPSEC; eroute owner; isakmp#289; idle;
000 #290: "mytunnel" esp.a76f21d at esp.366391ef at ref=0 refhim=0 Traffic: ESPin=544KB ESPout=23MB! ESPmax=4194303B 
000 #300: "mytunnel":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1661s; newest ISAKMP; lastdpd=17s(seq in:25740 out:0); idle;

Now my question:

Is this, like, normal? For a single pair of SAs to be used over such a long time (days) and not be rotated?

I thought (mistakenly) that SAs get replaced as part of the rekeying process?

Does this perhaps just mean that my Internet connection is more stable than before?

Kostya Vasilyev
kman at fastmail.com
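Added example, not part of the post and not libreswan's own code: a small Python parser for the "ipsec status" state lines quoted above, so the rekey countdown and the ESP traffic counters of each SA can be watched from a script rather than by eye. The embedded sample is the post's own output; the regular expressions assume the exact line layout shown there (other libreswan versions may format these lines differently), and the function names are my own.

```python
import re

# Sample input: the "ipsec status" lines quoted in the post above (the "at"
# in the SPI fields is mailing-list address munging, left as it appears).
STATUS_OUTPUT = """\
000 Total IPsec connections: loaded 1, active 1
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000 #290: "mytunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 841s; newest IPSEC; eroute owner; isakmp#289; idle;
000 #290: "mytunnel" esp.a76f21d at esp.366391ef at ref=0 refhim=0 Traffic: ESPin=544KB ESPout=23MB! ESPmax=4194303B
000 #300: "mytunnel":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1661s; newest ISAKMP; lastdpd=17s(seq in:25740 out:0); idle;
"""

# Regexes written against the line layout shown in the post (an assumption;
# other libreswan versions may print these lines differently).
STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) '
    r'\((?P<desc>[^)]*)\); (?P<rest>.*)$')
TRAFFIC_RE = re.compile(r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)" .*Traffic: (?P<counters>.*)$')
EVENT_RE = re.compile(r'EVENT_(?P<event>\w+) in (?P<secs>\d+)s')
PARENT_RE = re.compile(r'isakmp#(?P<parent>\d+)')
COUNTER_RE = re.compile(r'(?P<name>ESP\w+)=(?P<value>\d+)(?P<unit>[KMG]?B)(?P<flag>!?)')
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_status(text):
    """Map state number -> dict describing that SA, from 'ipsec status' text."""
    states = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            rest = m.group("rest")
            ev = EVENT_RE.search(rest)
            parent = PARENT_RE.search(rest)
            states[int(m.group("num"))] = {
                "conn": m.group("conn"),
                "state": m.group("state"),
                # Quick Mode lines say "IPsec SA established", Main Mode lines "ISAKMP SA established".
                "kind": "ipsec" if "IPsec SA" in m.group("desc") else "ike",
                "next_event": ev.group("event") if ev else None,
                "next_event_in": int(ev.group("secs")) if ev else None,
                "parent": int(parent.group("parent")) if parent else None,
                "traffic": {},   # counter name -> bytes
                "flagged": set(),  # counters printed with a trailing "!"
            }
            continue
        m = TRAFFIC_RE.match(line)
        if m and int(m.group("num")) in states:
            st = states[int(m.group("num"))]
            for c in COUNTER_RE.finditer(m.group("counters")):
                st["traffic"][c.group("name")] = int(c.group("value")) * UNIT[c.group("unit")]
                if c.group("flag"):
                    # Record the "!" marker exactly as printed; its meaning is not interpreted here.
                    st["flagged"].add(c.group("name"))
    return states


def review_sas(states):
    """Summarise rekey countdowns, and list IPsec SAs whose ISAKMP parent is no longer in the table."""
    countdown = {}
    orphaned = []
    for num, st in sorted(states.items()):
        if st["next_event"] == "SA_REPLACE":
            countdown[num] = st["next_event_in"]
        if st["kind"] == "ipsec" and st["parent"] is not None and st["parent"] not in states:
            orphaned.append(num)
    return {"rekey_countdown": countdown, "orphaned_ipsec": orphaned}


if __name__ == "__main__":
    parsed = parse_status(STATUS_OUTPUT)
    for num, st in sorted(parsed.items()):
        print(f"#{num} {st['kind']:5} {st['state']} replace in {st['next_event_in']}s traffic={st['traffic']}")
    print(review_sas(parsed))
```

Run against the post's output it reports #290 (the IPsec SA) due for EVENT_SA_REPLACE in 841s with ESPout at 23MB, #300 (the ISAKMP SA) due in 1661s, and notes that #290 still references isakmp#289 while the only ISAKMP SA listed is #300. Feeding the real "ipsec status" output into parse_status() at intervals is a simple way to confirm whether the state numbers actually change over a day, which is the question the post raises.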
