[Swan] SA lifetime too short, less than configured
kia at solvo.ru
Fri May 14 07:37:19 UTC 2021
We use libreswan 3.32 under Linux and have an IPsec peer that recently
upgraded their Cisco ASA. The tunnel was migrated to IKEv2. All works fine
except the libreswan side restarts ISAKMP too often, mostly after 1h.
ESP is restarted too. Settings for lifetime are 24h for phase 1 and 8h
for phase 2 on both sides. rekeymargin has the default value (300s).
Why does libreswan drop the ISAKMP SA regardless of explicit settings?
# BKP's Cisco ASA has strangeness regarding DH groups on phase2
# BKP's Cisco ASA has nonstandard DPD
Libreswan log is attached.
Regards, Ivan Kuznetsov