[Swan] Libreswan state machine. What to do after STATE_QUICK_R2?

Paul Wouters paul at nohats.ca
Mon Apr 12 15:42:43 UTC 2021

On Mon, 12 Apr 2021, Ryszard Styczynski wrote:

> Subject: Re: [Swan] Libreswan state machine. What to do after STATE_QUICK_R2?
> Paul,
> thanks for sharing the state machine. Now I understnad what is going on. I see in logs following sequence:
> 00:12:59 no rekeying on traffic selector override connection

This log line does not match any libreswan (or openswan) code. It is
customized. Is this the Oracle OCI side or the Azure side?

> 00:17:29 deleting state (STATE_QUICK_R2) aged 3600.122s and sending notification

This message confirms it is libreswan.

> The VPN is established between Oracle OCI and Azure. I'm not sure which technology is ued by Oracle OCI, but it
> look like Libreswan. I received information from partner operating Azure that they have bug in SA lifetime
> configuration for IKEv1; provided setting is ignored and they always use value of 27000 s. It's not compatible
> with OCI side configuration of 3600 s.

lifetime is not negotiated. Whichever side has the shortest lifetime
starts the rekey process, provided they are not configured with

> OCI side expects to renegotiate phase 2 after 1h, waits 15 seconds for this
> to happen (17:29 - 17:44) and gives up.

That sounds like rekey=no with salifetime=3600 or maybe rekey=yes with
keyingtries=1 or something silly like that?

> Whole connection is destroyed and recreated. It's noticed by Azure.
> Finally as Azure as the Initiator (OCI is the responder what is even visible in states *_R*) tries to recreate the
> VPN. It's done with success after 5 minutes.
> Mystery solved. 15 seconds timeout may be custom tuning at OCI implementation.

You cannot change the azure side either ?


More information about the Swan mailing list