[Swan] SA lifetime duration

Paul Wouters paul at nohats.ca
Mon Feb 11 19:08:37 UTC 2019


On Mon, 11 Feb 2019, Kostya Vasilyev wrote:

> I don't have salifetime in my libreswan config.

Odd, then things are triggered by the remote. Maybe it fails partially
and we then try ourselves?

> Yep seen this - usually after 5 minutes it seems.

That's odd. Maybe there is a continuous failure happening while there
are existing SAs, and these failures take a while to resolve, then
replace the existing one but cause another round of failures that take
5 minutes to resolve? We'd have to see more logs for that to confirm.

> I just tried to change libreswan to auto=ignore so that conns are only initiated by the client.

auto=ignore means "do not load the connection at all". You want
"auto=add" for "load the connection and let them initiate to us".

> Now when libreswan initiated (and it connected just fine) the "capabilities" (???) were somewhat different:
>
> Feb 11 21:11:44 kman.mobi pluto[14199]: "mytunnel" #2: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:7f30139f proposal=AES_CBC_128-HMAC_SHA2_256_128-MODP2048 pfsgroup=MODP2048}

Both ends can suggest what they want. Both parties find the mutual set
of parameters acceptable to both.

> Does "auto=ignore" completely ignore a peer's config section?

Yes. It's like you have no configuration :)

> I also tried "auto=add", same thing or almost.

That should work.

> What's the setting then (can't find it in the docs) to set libreswan to not initiate but have the peer config be ready to go - when the other side initiates?

auto=add

Paul
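As an added example that is not part of the thread, the following Python script pulls the "initiating Quick Mode" lines in the format quoted above out of a pluto log for one connection and measures the interval between successive child SA initiations, which is the check the extra logs Paul asks for would let you confirm. The log lines are constructed in the quoted format, and the year is assumed to be 2019 because syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed sample pluto log lines in the format quoted in the thread (not real logs).
SAMPLE_LOG = """\
Feb 11 21:11:44 kman.mobi pluto[14199]: "mytunnel" #2: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:7f30139f proposal=AES_CBC_128-HMAC_SHA2_256_128-MODP2048 pfsgroup=MODP2048}
Feb 11 21:16:45 kman.mobi pluto[14199]: "mytunnel" #3: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:1a2b3c4d proposal=AES_CBC_128-HMAC_SHA2_256_128-MODP2048 pfsgroup=MODP2048}
Feb 11 21:21:46 kman.mobi pluto[14199]: "mytunnel" #4: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:5e6f7a8b proposal=AES_CBC_128-HMAC_SHA2_256_128-MODP2048 pfsgroup=MODP2048}
Feb 11 21:21:47 kman.mobi pluto[14199]: "othertunnel" #5: initiating Quick Mode ...
"""

# Matches the syslog timestamp, the quoted conn name, the state number and, if present, the proposal.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): initiating Quick Mode'
    r'(?:.*?proposal=(?P<proposal>\S+))?'
)


def quick_mode_events(log_text, conn, year=2019):
    """Return (datetime, state_number, proposal) for each Quick Mode initiation of `conn`."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("conn") != conn:
            continue
        # Syslog timestamps carry no year; the caller supplies it (assumed 2019 here, as in the thread).
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, int(m.group("sa")), m.group("proposal")))
    return events


def rekey_intervals(events):
    """Seconds between consecutive Quick Mode initiations of one connection."""
    times = [ts for ts, _, _ in events]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def suspect_short_rekey(intervals, threshold_s=600):
    """True if a child SA was replaced sooner than `threshold_s` (10 minutes), far below a normal salifetime."""
    return any(i < threshold_s for i in intervals)


if __name__ == "__main__":
    ev = quick_mode_events(SAMPLE_LOG, "mytunnel")
    print(rekey_intervals(ev), suspect_short_rekey(rekey_intervals(ev)))
```

Feed it `journalctl -u ipsec` or `/var/log/secure` output in place of the constructed sample; a steady run of intervals around 300 seconds for the same conn supports the "replaced every 5 minutes" observation.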

