[Swan] SA lifetime duration

Kostya Vasilyev kman at fastmail.com
Mon Feb 11 19:33:35 UTC 2019


On Mon, Feb 11, 2019, at 10:08 PM, Paul Wouters wrote:
> On Mon, 11 Feb 2019, Kostya Vasilyev wrote:
> 
> > I don't have salifetime in my libreswan config.
> 
> Odd, then things are triggered by the remote. Maybe it fails partially
> and we then try ourselves?

Well in this exact case - a single SA part has been up for a day or two.

> > Yep seen this - usually after 5 minutes it seems.
> 
> That's odd. Maybe there is a continuous failure happening while there
> are existing SA's, and these failures take a while to resolve, then
> replace the existing one but cause another round of failures that take
> 5 minutes to resolve? We'd have to see more logs for that to confirm.

Not sure, but I think I've seen some sort of message about "removing" (peer? connection?) in libreswan logs almost exactly 5 minutes after creating a new SA pair - and I've seen it multiple times; I thought 5 minutes was the usual default.

Can't find it in the logs now...

> > What's the setting then (can't find it in the docs) to set libreswan to not initiate but have the peer config be ready to go - when the other side initiates?
> 
> auto=add

OK, this is working for me now.

I'll run with Mikrotik-only initiation for a while and see if SA renewal becomes more... predictable?

But overall things are working quite well, it was just my curiosity.

Thanks again!

-- K
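As an added illustration, not part of this thread or of libreswan's own documentation: a libreswan ipsec.conf conn stanza (conn name, addresses and subnets are placeholders) that is loaded but never initiated, as the auto=add answer above describes, and that states the lifetime and rekey settings explicitly rather than leaving them to defaults or to the peer.

```ini
# Added example (not from the thread): a responder-only libreswan conn.
# The conn name, addresses and subnets below are placeholders.
conn mikrotik-site
    ikev2=insist
    authby=secret
    left=203.0.113.10            # placeholder: this libreswan host
    leftsubnet=10.0.1.0/24
    right=198.51.100.20          # placeholder: the MikroTik peer
    rightsubnet=10.0.2.0/24
    # auto=add loads the conn at startup but never initiates it; the
    # tunnel only comes up when the peer starts the IKE exchange.
    auto=add
    # Explicit lifetimes: whichever side has the shorter lifetime is the
    # one that reaches the rekey point first, so mismatched values between
    # peers show up as one side always driving the rekey.
    ikelifetime=8h
    salifetime=1h
    # rekey=no: this end does not start a rekey of an expiring SA and only
    # answers rekeys the peer initiates. Keep the default (rekey=yes) if
    # the peer is not expected to rekey on its own.
    rekey=no
    # Dead peer detection, so a peer that silently disappears is noticed
    # and its stale state is cleared instead of lingering until expiry.
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
```

After editing, `ipsec auto --add mikrotik-site` (or `ipsec restart`) loads the conn, and `ipsec status` shows it as loaded without an established SA until the peer connects.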

