[Swan] SA lifetime too short, less than configured

Ivan Kuznetsov kia at solvo.ru
Fri May 14 07:37:19 UTC 2021


Hello

We use libreswan 3.32 under Linux and have an IPsec peer that recently
upgraded their Cisco ASA. The tunnel was migrated to IKEv2. All works fine
except that the libreswan side restarts ISAKMP too often, mostly after 1h.
ESP is restarted too. Settings for lifetime are 24h for phase 1 and 8h
for phase 2 on both sides. rekeymargin has the default value (300s).

Why does libreswan drop the ISAKMP SA regardless of the explicit settings?

Libreswan configuration:

conn bkp
         type=tunnel
         auto=start
         authby=secret
         left=11.22.33.44
         leftsubnet=172.16.80.0/20
         right=55.66.77.88
         rightsubnets=10.1.208.0/28,10.1.102.0/24,10.1.100.22/32,10.1.104.0/29

         ikev2=yes
         ikelifetime=24h
         initial-contact=yes

         phase2=esp
         salifetime=8h
#        BKP's Cisco ASA has strangeness regarding DH groups on phase2
         pfs=no

         rekey=yes
         rekeymargin=5m
         keyingtries=3

         fragmentation=yes
#        BKP's Cisco ASA has nonstandard DPD
#        dpddelay=30
#        dpdtimeout=120
#        dpdaction=restart


Libreswan log is attached

--
Regards, Ivan Kuznetsov
SOLVO ltd
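A small diagnostic check, added here as an example and not part of the post: it parses the conn block quoted above and computes the window in which libreswan itself would start rekeying each SA, assuming the rekeymargin/rekeyfuzz rule as I read it in ipsec.conf(5) (rekey rekeymargin before expiry, with the margin randomly increased by up to rekeyfuzz, default 100%). An observed 1h interval that falls outside both local windows means the local lifetimes cannot be what triggers it, so the log should be read for which side initiates the rekey.

```python
import re

# Sample input: the conn block from the post above, embedded here (comment lines kept on purpose).
SAMPLE_CONF = """\
conn bkp
         type=tunnel
         ikev2=yes
         ikelifetime=24h
#        BKP's Cisco ASA has strangeness regarding DH groups on phase2
         pfs=no
         salifetime=8h
         rekey=yes
         rekeymargin=5m
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(value):
    """ipsec.conf time value ('24h', '5m', '300') -> seconds; a bare number means seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]

def parse_conn(text, name):
    """Settings of 'conn <name>' as a dict, ignoring '#' comments and other sections."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            inside = line.split()[1] == name
        elif inside and "=" in line:
            key, val = line.split("=", 1)
            settings[key.strip()] = val.strip()
    return settings

def rekey_window(settings, lifetime_key, rekeyfuzz_pct=100):
    """(earliest, latest) seconds after setup at which this side starts rekeying the SA.
    Assumed rule (ipsec.conf(5) rekeymargin/rekeyfuzz): rekey rekeymargin before expiry,
    margin randomly increased by up to rekeyfuzz percent, default 100%."""
    lifetime = parse_duration(settings[lifetime_key])
    margin = parse_duration(settings["rekeymargin"])
    return lifetime - margin * (100 + rekeyfuzz_pct) // 100, lifetime - margin

def local_settings_explain(settings, observed_seconds):
    """True if an observed rekey interval lies inside the local IKE or Child SA rekey window."""
    return any(lo <= observed_seconds <= hi
               for lo, hi in (rekey_window(settings, "ikelifetime"),
                              rekey_window(settings, "salifetime")))
```

With the posted values the IKE SA window is 85800..86100 s and the ESP window 28200..28500 s, so `local_settings_explain(conn, 3600)` is False.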