[Swan] SA lifetime duration
Paul Wouters
paul at nohats.ca
Mon Feb 11 19:08:37 UTC 2019
On Mon, 11 Feb 2019, Kostya Vasilyev wrote:
> I don't have salifetime in my libreswan config.
Odd, then things are triggered by the remote. Maybe it fails partially
and we then try ourselves?
> Yep seen this - usually after 5 minutes it seems.
That's odd. Maybe there is a continuous failure happening while there
are existing SAs, and these failures take a while to resolve, then
replace the existing one but cause another round of failures that take
5 minutes to resolve? We'd have to see more logs for that to confirm.
> I just tried to change libreswan to auto=ignore so that conns are only initiated by the client.
auto=ignore means "do not load the connection at all". You want
"auto=add" for "load the connection and let them initiate to us".
> Now when libreswan initiated (and it connected just fine) the "capabilities" (???) were somewhat different:
>
> Feb 11 21:11:44 kman.mobi pluto[14199]: "mytunnel" #2: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:7f30139f proposal=AES_CBC_128-HMAC_SHA2_256_128-MODP2048 pfsgroup=MODP2048}
Both ends can suggest what they want. Both parties find the mutual set
of parameters acceptable to both.
> Does "auto=ignore" completely ignore a peer's config section?
Yes. It's like you have no configuration :)
> I also tried "auto=add", same thing or almost.
That should work.
> What's the setting then (can't find it in the docs) to set libreswan to not initiate but have the peer config be ready to go - when the other side initiates?
auto=add
Paul
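As an added example (not part of the thread), a small Python checker for the diagnosis Paul proposes: it parses pluto "initiating Quick Mode" lines in the format quoted above and flags Quick Mode rekeys on the same conn that arrive sooner than a threshold, which is what a repeated five-minute SA replace looks like in the log. The sample log lines, the 600-second threshold and the year 2019 (syslog timestamps carry no year) are constructed/assumed.

```python
import re
from datetime import datetime

# Constructed sample pluto log lines in the quoted format: the second Quick Mode
# on "mytunnel" comes 5 minutes after the first, the third a full hour later.
SAMPLE_LOG = """\
Feb 11 21:11:44 kman.mobi pluto[14199]: "mytunnel" #2: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:7f30139f proposal=AES_CBC_128-HMAC_SHA2_256_128-MODP2048 pfsgroup=MODP2048}
Feb 11 21:16:44 kman.mobi pluto[14199]: "mytunnel" #3: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:1a2b3c4d proposal=AES_CBC_128-HMAC_SHA2_256_128-MODP2048 pfsgroup=MODP2048}
Feb 11 22:16:44 kman.mobi pluto[14199]: "mytunnel" #4: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:5e6f7a8b proposal=AES_CBC_128-HMAC_SHA2_256_128-MODP2048 pfsgroup=MODP2048}
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): '
    r'initiating Quick Mode (?P<flags>[A-Z0-9_+]+) \{(?P<params>[^}]*)\}'
)


def parse_quick_mode(line, year=2019):
    """Parse one 'initiating Quick Mode' line; return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Only key=value tokens are parameters; 'using', 'isakmp#1', 'msgid:...' are skipped.
    params = dict(kv.split("=", 1) for kv in m["params"].split() if "=" in kv)
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year),  # assumed year
        "conn": m["conn"],
        "sa": int(m["sa"]),
        "flags": set(m["flags"].split("+")),
        "proposal": params.get("proposal"),
        "pfsgroup": params.get("pfsgroup"),
    }


def short_lived_sas(log_text, min_seconds=600):
    """Return (conn, previous_sa, new_sa, seconds) for every Quick Mode that
    follows the previous one on the same conn by less than min_seconds."""
    last = {}
    findings = []
    for line in log_text.splitlines():
        ev = parse_quick_mode(line)
        if ev is None:
            continue
        prev = last.get(ev["conn"])
        if prev is not None:
            gap = (ev["ts"] - prev["ts"]).total_seconds()
            if gap < min_seconds:
                findings.append((ev["conn"], prev["sa"], ev["sa"], gap))
        last[ev["conn"]] = ev
    return findings
```

Run it over `journalctl -u ipsec` output (or wherever pluto logs on the host) and correlate each flagged pair with the surrounding error lines to see which side is failing.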