[Swan] SA lifetime too short, less than configured

Paul Wouters paul at nohats.ca
Fri May 14 13:08:02 UTC 2021

On Fri, 14 May 2021, Ivan Kuznetsov wrote:

> No, config lines are not ignored. Here is status output, it shows 'ike_life: 
> 86400s' and 'ipsec_life: 28800s' implemented
> [root at vpn3 ipsec.d]# ipsec auto --status | grep bkp/0x2
> 000 "bkp/0x2":

> 000 "bkp/0x2":   ike_life: 86400s; ipsec_life: 28800s; replay_window: 32; 
> rekey_margin: 300s; rekey_fuzz: 100%; keyingtries: 3;

Can you show me: ipsec status |grep ike_life:

I'd like to see the other bkp/ connections to see if they are all
properly set to the same lifetimes (They should be because it is
instantiated from your subnetS= but lets check)

> May 14 09:09:45.873173: "bkp/0x2" #94268: STATE_V2_IPSEC_I: IPsec SA 
> established tunnel mode {ESP=>0x2c052ce7 <0xa8985bfa 
> xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}
> May 14 10:17:15.373003: "bkp/0x2" #94268: deleting other state #94268 
> (STATE_CHILDSA_DEL) aged 4049.567s and NOT sending notification

Just over one hour is really weird. Can you run with plutodebug=all,tmi
and show the log lines you see between these two messages?


More information about the Swan mailing list