[Swan] SA lifetime duration
Kostya Vasilyev
kman at fastmail.com
Mon Feb 11 17:40:54 UTC 2019
Hello,
I've got a strange, well, not sure if it's a problem, more of a question.
My setup is Mikrtoik router client <-> libreswan server on Debian, IKEv1 with certificate auth.
Usually, watching SAs in Mikrtoik web UI and "ipsec status", there is a tendency to have 4 or even 6 SA's and for them to rotate / expire a few times a day.
Now since maybe two days, I only got one pair of SAs - and it continues to accumulate more and more traffic stats in Mikrotik UI - that's how I know it's the same pair.
On the server side I get messages like these from time to time:
Feb 11 20:10:29 pluto[4767]: "mytunnel" #300: responding to Main Mode
Feb 11 20:10:29 pluto[4767]: "mytunnel" #300: STATE_MAIN_R1: sent MR1, expecting MI2
Feb 11 20:10:30 pluto[4767]: "mytunnel" #300: STATE_MAIN_R2: sent MR2, expecting MI3
Feb 11 20:10:30 pluto[4767]: "mytunnel" #300: STATE_MAIN_R2: retransmission; will wait 0.5 seconds for response
Feb 11 20:10:30 pluto[4767]: "mytunnel" #300: Peer ID is ID_DER_ASN1_DN: 'C=RU, L=Moscow, O=NewTunnel, OU=ac2'
Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: certificate verified OK: OU=ac2,O=NewTunnel,L=Moscow,C=RU
Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: Authenticated using RSA
Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: I am sending my cert
Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_128 integ=HMAC_SHA2_256 group=MODP2048}
Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Feb 11 20:22:21 pluto[4767]: "mytunnel" #299: deleting state (STATE_MAIN_I4) and sending notification
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #290: "mytunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 841s; newest IPSEC; eroute owner; isakmp#289; idle;
000 #290: "mytunnel" esp.a76f21d at 89.0.0.1 esp.366391ef at 139.0.0.1 ref=0 refhim=0 Traffic: ESPin=544KB ESPout=23MB! ESPmax=4194303B
000 #300: "mytunnel":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1661s; newest ISAKMP; lastdpd=17s(seq in:25740 out:0); idle;
Now my question:
Is this, like, normal? For a single pair of SA's to be used over such long time (days) and not be rotated?
I thought (mistakenly) that SA's get replaced and part of rekeying process?
Does this perhaps just mean that my Internet connection is more stable than before?
--
Kostya Vasilyev
kman at fastmail.com
More information about the Swan
mailing list