[Swan] SA lifetime too short, less than configured
Paul Wouters
paul at nohats.ca
Fri May 14 13:08:02 UTC 2021
On Fri, 14 May 2021, Ivan Kuznetsov wrote:
> No, config lines are not ignored. Here is status output, it shows 'ike_life:
> 86400s' and 'ipsec_life: 28800s' implemented
>
> [root at vpn3 ipsec.d]# ipsec auto --status | grep bkp/0x2
> 000 "bkp/0x2":
> 000 "bkp/0x2": ike_life: 86400s; ipsec_life: 28800s; replay_window: 32;
> rekey_margin: 300s; rekey_fuzz: 100%; keyingtries: 3;
Can you show me: ipsec status |grep ike_life:
I'd like to see the other bkp/ connections to see if they are all
properly set to the same lifetimes (they should be, because it is
instantiated from your subnetS=, but let's check)
> May 14 09:09:45.873173: "bkp/0x2" #94268: STATE_V2_IPSEC_I: IPsec SA
> established tunnel mode {ESP=>0x2c052ce7 <0xa8985bfa
> xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}
> May 14 10:17:15.373003: "bkp/0x2" #94268: deleting other state #94268
> (STATE_CHILDSA_DEL) aged 4049.567s and NOT sending notification
Just over one hour is really weird. Can you run with plutodebug=all,tmi
and show the log lines you see between these two messages?
Paul