[Swan] SA lifetime too short, less than configured

Paul Wouters paul at nohats.ca
Fri May 14 11:51:28 UTC 2021


If you have those empty lines in your config, perhaps that is causing the lines to be ignored?

Otherwise, show us the logs from the rekey event? It should tell us why.

Sent from my iPhone

> On May 14, 2021, at 03:46, Ivan Kuznetsov <kia at solvo.ru> wrote:
> 
> Hello
> 
> We use libreswan 3.32 under Linux and have an IPsec peer that recently upgraded their Cisco ASA. The tunnel was migrated to IKEv2. All works fine except that the libreswan side restarts ISAKMP too often, mostly after 1h. ESP is restarted too. Lifetime settings are 24h for phase 1 and 8h for phase 2 on both sides. rekeymargin has the default value (300s).
> 
> Why does libreswan drop the ISAKMP SA regardless of the explicit settings?
> 
> Libreswan configuration:
> 
> conn bkp
>        type=tunnel
>        auto=start
>        authby=secret
>        left=11.22.33.44
>        leftsubnet=172.16.80.0/20
>        right=55.66.77.88
> rightsubnets=10.1.208.0/28,10.1.102.0/24,10.1.100.22/32,10.1.104.0/29
> 
>        ikev2=yes
>        ikelifetime=24h
>        initial-contact=yes
> 
>        phase2=esp
>        salifetime=8h
> #        BKP's Cisco ASA has strangeness regarding DH groups on phase2
>        pfs=no
> 
>        rekey=yes
>        rekeymargin=5m
>        keyingtries=3
> 
>        fragmentation=yes
> #        BKP's Cisco ASA has nonstandard DPD
> #        dpddelay=30
> #        dpdtimeout=120
> #        dpdaction=restart
> 
> 
> Libreswan log is attached
> 
> --
> Regards, Ivan Kuznetsov
> SOLVO ltd
> <bkp.log>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
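A small diagnostic for the two things raised in this thread, written as an added example for this archive page (it is not the poster's code and not part of libreswan): it re-reads the conn block the way a lenient parser would, so every parameter the author wrote is visible regardless of blank lines; it computes the window in which libreswan itself would start a rekey from ikelifetime, rekeymargin and rekeyfuzz (rekeymargin enlarged randomly by up to rekeyfuzz percent, default 100%); and it measures the gaps between successive "established" events in the log and flags any gap far shorter than that window, which points away from this side's lifetime settings and towards the peer, DPD or an error. The conn text and log lines are constructed; the log line layout and the default values for a missing ikelifetime (1h) and rekeymargin (540s) are assumptions made here, not something the thread states.

```python
"""Compare configured libreswan SA lifetimes with what the log shows.

Added example for this thread; not part of libreswan and not the poster's
code. SAMPLE_CONN and SAMPLE_LOG are constructed, and the log line layout
(ISO timestamp first, then the pluto message) only approximates syslog output.
"""
import re
from datetime import datetime

UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

# Constructed from the posted conn, blank lines included.
SAMPLE_CONN = """conn bkp
       type=tunnel
       auto=start
       authby=secret
       left=11.22.33.44
       leftsubnet=172.16.80.0/20
       right=55.66.77.88
rightsubnets=10.1.208.0/28,10.1.102.0/24,10.1.100.22/32,10.1.104.0/29

       ikev2=yes
       ikelifetime=24h
       initial-contact=yes

       phase2=esp
       salifetime=8h
       pfs=no

       rekey=yes
       rekeymargin=5m
       keyingtries=3
"""

# Constructed log excerpt: three IKE SA setups about an hour apart.
SAMPLE_LOG = [
    '2021-05-13 09:00:12 pluto[1234]: "bkp" #1: established IKE SA',
    '2021-05-13 09:00:13 pluto[1234]: "bkp" #2: established Child SA',
    '2021-05-13 10:00:40 pluto[1234]: "bkp" #3: established IKE SA',
    '2021-05-13 11:01:05 pluto[1234]: "bkp" #5: established IKE SA',
]
IKE_EVENT = re.compile(r"established IKE SA")


def parse_duration(text):
    """'24h' -> 86400, '5m' -> 300, '300' -> 300 (ipsec.conf time syntax)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", text.strip())
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def parse_conn(text):
    """Collect key=value entries of one conn block, skipping blank lines and
    '#' comments. The result shows every parameter the author wrote, even if a
    stricter parser would stop reading the section at the first empty line."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def rekey_window(lifetime_s, margin_s, fuzz_pct=100):
    """Seconds after SA setup at which libreswan begins a replacement: the SA
    expires at lifetime, and rekeying starts rekeymargin before that, with the
    margin randomly enlarged by up to rekeyfuzz percent."""
    earliest = lifetime_s - margin_s * (100 + fuzz_pct) // 100
    latest = lifetime_s - margin_s
    return earliest, latest


def observed_intervals(log_lines, pattern):
    """Seconds between successive log lines matching pattern; the timestamp is
    assumed to be the first 19 characters, 'YYYY-MM-DD HH:MM:SS'."""
    stamps = [datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
              for line in log_lines if pattern.search(line)]
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]


def analyse(conn_text, log_lines, event_re):
    conf = parse_conn(conn_text)
    # Defaults are assumed here (documented libreswan defaults as understood
    # by the author of this example); a missing ikelifetime would fall to 1h.
    lifetime = parse_duration(conf.get("ikelifetime", "1h"))
    margin = parse_duration(conf.get("rekeymargin", "540s"))
    fuzz = int(conf.get("rekeyfuzz", "100%").rstrip("%"))
    earliest, latest = rekey_window(lifetime, margin, fuzz)
    intervals = observed_intervals(log_lines, event_re)
    # A gap far below the earliest local rekey point was not caused by this
    # side's lifetime settings: look for peer-initiated rekeys, DPD or errors.
    flagged = [i for i in intervals if i < earliest]
    return {"lifetime": lifetime, "window": (earliest, latest),
            "intervals": intervals, "flagged": flagged}


if __name__ == "__main__":
    report = analyse(SAMPLE_CONN, SAMPLE_LOG, IKE_EVENT)
    print(f"ikelifetime {report['lifetime']}s, local rekey expected between "
          f"{report['window'][0]}s and {report['window'][1]}s after setup")
    for gap in report["intervals"]:
        mark = "  <-- far too early for a local rekey" if gap in report["flagged"] else ""
        print(f"observed IKE SA interval: {gap:.0f}s{mark}")
```

With the posted values (24h lifetime, 5m margin, default fuzz) the local rekey window is 85800s to 86100s after setup, so hourly intervals are flagged; replace the constructed lines with real pluto output and adjust IKE_EVENT to match its wording before drawing conclusions.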
