[Swan] SA lifetime too short, less than configured
Ivan Kuznetsov
kia at solvo.ru
Fri May 14 07:37:19 UTC 2021
Hello
We use libreswan 3.32 under Linux and have an IPsec peer that recently
upgraded their Cisco ASA. The tunnel was migrated to IKEv2. All works fine
except that the libreswan side restarts ISAKMP too often, mostly after 1h.
ESP is restarted too. Lifetime settings are 24h for phase 1 and 8h
for phase 2 on both sides. rekeymargin has the default value (300s).
Why does libreswan drop the ISAKMP SA regardless of the explicit settings?
Libreswan configuration:
conn bkp
    type=tunnel
    auto=start
    authby=secret
    left=11.22.33.44
    leftsubnet=172.16.80.0/20
    right=55.66.77.88
    rightsubnets=10.1.208.0/28,10.1.102.0/24,10.1.100.22/32,10.1.104.0/29
    ikev2=yes
    ikelifetime=24h
    initial-contact=yes
    phase2=esp
    salifetime=8h
    # BKP's Cisco ASA has strangeness regarding DH groups on phase 2
    pfs=no
    rekey=yes
    rekeymargin=5m
    keyingtries=3
    fragmentation=yes
    # BKP's Cisco ASA has nonstandard DPD
    # dpddelay=30
    # dpdtimeout=120
    # dpdaction=restart
Libreswan log is attached
--
Regards, Ivan Kuznetsov
SOLVO ltd
Attachment: bkp.log (text/x-log, 19504 bytes): <https://lists.libreswan.org/pipermail/swan/attachments/20210514/9e00f8d3/attachment-0001.bin>
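Added example (not part of the original post, and not libreswan's own code): a small Python checker that measures the observed interval between successive IKE SA and IPsec SA establishments in a pluto log for one conn and compares each interval with the window in which the local side would itself start a rekey, derived from the configured ikelifetime / salifetime, rekeymargin and rekeyfuzz as the ipsec.conf manual describes them (rekey begins rekeymargin before expiry, with the margin randomly increased by up to rekeyfuzz percent). An interval that ends before that window opens cannot have been triggered by the local lifetime timer, which narrows the search to the peer's settings, DPD, or an error path. The log lines below are constructed for the example; their shape is an assumption loosely modelled on pluto syslog output and is not copied from the attached bkp.log. The year and the 100% rekeyfuzz value are also assumptions.

```python
import re
from datetime import datetime

# Constructed sample log for this example; NOT the attached bkp.log.
# The line layout is an assumption loosely modelled on pluto syslog output.
SAMPLE_LOG = """\
May 13 08:00:01 gw pluto[1234]: "bkp" #1: STATE_PARENT_I3: PARENT SA established
May 13 08:00:01 gw pluto[1234]: "bkp" #2: STATE_V2_IPSEC_I: IPsec SA established
May 13 09:00:03 gw pluto[1234]: "bkp" #3: STATE_PARENT_I3: PARENT SA established
May 13 09:00:03 gw pluto[1234]: "bkp" #4: STATE_V2_IPSEC_I: IPsec SA established
May 13 10:00:02 gw pluto[1234]: "bkp" #5: STATE_PARENT_I3: PARENT SA established
May 13 10:00:02 gw pluto[1234]: "bkp" #6: STATE_V2_IPSEC_I: IPsec SA established
"""

# Assumed line shape: syslog timestamp, host, pluto[pid], "conn" #state: ... SA established
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): .*?(?P<kind>PARENT SA|IPsec SA) established'
)


def parse_duration(text):
    """Parse ipsec.conf-style durations such as '24h', '8h', '5m' or '300s' to seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    m = re.fullmatch(r"(\d+)([smhd]?)", text.strip())
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return int(m.group(1)) * units[m.group(2) or "s"]


def parse_timestamp(text, year=2021):
    """Syslog timestamps carry no year; 2021 is assumed here (the mail's date)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def observed_intervals(log_text, conn):
    """Seconds between consecutive establishments of each SA kind for one conn."""
    last = {}
    gaps = {"PARENT SA": [], "IPsec SA": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("conn") != conn:
            continue
        ts = parse_timestamp(m.group("ts"))
        kind = m.group("kind")
        if kind in last:
            gaps[kind].append(int((ts - last[kind]).total_seconds()))
        last[kind] = ts
    return gaps


def local_rekey_window(lifetime, rekeymargin, rekeyfuzz_pct=100):
    """(earliest, latest) seconds after establishment at which THIS side would
    start a rekey: rekeymargin before expiry, with the margin randomly
    increased by up to rekeyfuzz percent (100% assumed here)."""
    margin_max = rekeymargin * (1 + rekeyfuzz_pct / 100)
    return (lifetime - margin_max, lifetime - rekeymargin)


def check_lifetimes(log_text, conn, ikelifetime, salifetime, rekeymargin):
    """For each SA kind, list (observed_interval, too_early) pairs; too_early
    means the SA was replaced before the local rekey window could open."""
    configured = {"PARENT SA": parse_duration(ikelifetime),
                  "IPsec SA": parse_duration(salifetime)}
    margin = parse_duration(rekeymargin)
    report = {}
    for kind, gaps in observed_intervals(log_text, conn).items():
        earliest, _ = local_rekey_window(configured[kind], margin)
        report[kind] = [(g, g < earliest) for g in gaps]
    return report


if __name__ == "__main__":
    # Values from the conn above: ikelifetime=24h, salifetime=8h, rekeymargin=5m
    for kind, rows in check_lifetimes(SAMPLE_LOG, "bkp", "24h", "8h", "5m").items():
        for seconds, too_early in rows:
            flag = "too early for local timer" if too_early else "within local window"
            print(f"{kind}: replaced after {seconds}s ({flag})")
```

Run it against the real log by replacing SAMPLE_LOG with the file contents; if every interval is flagged, the local side's 24h/8h timers are not what is driving the hourly restart, and the next place to look is the peer's IKEv2 and IPsec lifetime configuration and any DPD or error messages immediately before each re-establishment.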