[Swan] SA lifetime too short, less than configured

Ivan Kuznetsov kia at solvo.ru
Mon May 17 11:23:28 UTC 2021



14.05.2021 16:08, Paul Wouters wrote:
> On Fri, 14 May 2021, Ivan Kuznetsov wrote:
> 
>> No, config lines are not ignored. Here is status output, it shows 
>> 'ike_life: 86400s' and 'ipsec_life: 28800s' implemented
>>
>> [root at vpn3 ipsec.d]# ipsec auto --status | grep bkp/0x2
>> 000 "bkp/0x2":
> 
>> 000 "bkp/0x2":   ike_life: 86400s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 300s; rekey_fuzz: 100%; keyingtries: 3;
> 
> Can you show me: ipsec status |grep ike_life:
> 
> I'd like to see the other bkp/ connections to see if they are all
> properly set to the same lifetimes (They should be because it is
> instantiated from your subnetS= but let's check)

Yes, all the bkp* connections have the same lifetimes:

[root at vpn3 ipsec.d]# ipsec auto --status | grep bkp | grep ike_life
000 "bkp/0x1":   ike_life: 86400s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 300s; rekey_fuzz: 100%; keyingtries: 3;
000 "bkp/0x2":   ike_life: 86400s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 300s; rekey_fuzz: 100%; keyingtries: 3;
000 "bkp/0x3":   ike_life: 86400s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 300s; rekey_fuzz: 100%; keyingtries: 3;
000 "bkp/0x4":   ike_life: 86400s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 300s; rekey_fuzz: 100%; keyingtries: 3;

>> May 14 09:09:45.873173: "bkp/0x2" #94268: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x2c052ce7 <0xa8985bfa xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}
>> May 14 10:17:15.373003: "bkp/0x2" #94268: deleting other state #94268 (STATE_CHILDSA_DEL) aged 4049.567s and NOT sending notification
> 
> Just over one hour is really weird. Can you run with plutodebug=all,tmi
> and show the log lines you see between these two messages?

It can be a bit problematic, as this ipsec instance handles 20+ active
production connections with different peers/clients. It seems that
'ipsec whack --name bkp/0xN --debug all,tmi' does not have any logging
effect. I'm afraid enabling debug logging globally will slow down the
connections and produce a huge log.


-- 
Best regards, Ivan Kuznetsov
Head of Technical Department

SOLVO Group (Группа компаний "СОЛВО")
+7(812)60-60-555
+7(495)66-83-003
+7(921)740-72-61
http://www.solvo.ru

SOLVO - The Standard of Logistics Automation
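The thread's question is whether the CHILD SA on "bkp/0x2" died far short of its configured ipsec_life. With debug logging ruled out on a busy production gateway, the next best thing is to cross-check every "deleting other state ... aged Ns" line in the normal log against the lifetimes that `ipsec status` reports for that connection. The script below does that; it is an added example and not code from the original post or from libreswan. It assumes the line shapes shown in the thread, that rekeying normally happens between rekey_margin and rekey_margin*(1+rekey_fuzz/100) seconds before the lifetime ends (so a deletion earlier than lifetime minus that maximum is not a planned rekey), and that STATE_CHILDSA_DEL deletions are governed by ipsec_life and all others by ike_life. The sample status and log lines are constructed to match the format posted above.

```python
"""Flag libreswan SA deletions that happen well before the configured lifetime.

Added example, not from the original post. It only parses the two line shapes
quoted in the thread: 'ipsec status' connection lines and 'deleting other
state ... aged Ns' log lines.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Connection line from 'ipsec status' (one physical line in real output).
STATUS_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)":\s+ike_life: (?P<ike>\d+)s; ipsec_life: (?P<ipsec>\d+)s;'
    r'.*?rekey_margin: (?P<margin>\d+)s; rekey_fuzz: (?P<fuzz>\d+)%;'
)
# Deletion line from the pluto log, e.g.
# May 14 10:17:15.373003: "bkp/0x2" #94268: deleting other state #94268 (STATE_CHILDSA_DEL) aged 4049.567s ...
DELETE_RE = re.compile(
    r'^(?P<ts>\w+ +\d+ [\d:.]+): "(?P<conn>[^"]+)" #(?P<state>\d+): '
    r'deleting other state #\d+ \((?P<kind>STATE_\w+)\) aged (?P<aged>[\d.]+)s'
)


@dataclass(frozen=True)
class Lifetimes:
    ike_life: int
    ipsec_life: int
    rekey_margin: int
    rekey_fuzz: int  # percent

    def earliest_rekey(self, child: bool) -> float:
        """Earliest SA age at which a planned rekey would replace it.

        Assumption (not verified against libreswan source): the rekey fires
        margin .. margin*(1+fuzz/100) seconds before the lifetime expires, so
        a deletion earlier than lifetime - margin*(1+fuzz/100) was not a
        normal rekey and deserves a look.
        """
        life = self.ipsec_life if child else self.ike_life
        return life - self.rekey_margin * (1 + self.rekey_fuzz / 100)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    conn: str
    state: int
    kind: str
    aged: float
    earliest_rekey: float


def parse_status(status_text: str) -> dict[str, Lifetimes]:
    """Map connection name -> configured lifetimes from 'ipsec status' output."""
    lifetimes: dict[str, Lifetimes] = {}
    for line in status_text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            lifetimes[m["conn"]] = Lifetimes(
                int(m["ike"]), int(m["ipsec"]), int(m["margin"]), int(m["fuzz"])
            )
    return lifetimes


def find_premature_deletions(status_text: str, log_text: str) -> list[Finding]:
    """Return deletions whose SA age is below the earliest planned rekey time.

    Connections missing from the status output are skipped: without their
    lifetimes there is nothing to compare against.
    """
    lifetimes = parse_status(status_text)
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = DELETE_RE.match(line)
        if not m or m["conn"] not in lifetimes:
            continue
        child = "CHILDSA" in m["kind"]  # assumption: CHILD SA deletions use ipsec_life
        aged = float(m["aged"])
        earliest = lifetimes[m["conn"]].earliest_rekey(child)
        if aged < earliest:
            findings.append(Finding(m["ts"], m["conn"], int(m["state"]), m["kind"], aged, earliest))
    return findings


# Constructed sample data, laid out like the output quoted in the thread.
SAMPLE_STATUS = """\
000 "bkp/0x1":   ike_life: 86400s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 300s; rekey_fuzz: 100%; keyingtries: 3;
000 "bkp/0x2":   ike_life: 86400s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 300s; rekey_fuzz: 100%; keyingtries: 3;
000 "bkp/0x3":   ike_life: 86400s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 300s; rekey_fuzz: 100%; keyingtries: 3;
"""
SAMPLE_LOG = """\
May 14 09:09:45.873173: "bkp/0x2" #94268: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x2c052ce7 <0xa8985bfa xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}
May 14 10:17:15.373003: "bkp/0x2" #94268: deleting other state #94268 (STATE_CHILDSA_DEL) aged 4049.567s and NOT sending notification
May 14 17:03:11.001000: "bkp/0x3" #94270: deleting other state #94270 (STATE_CHILDSA_DEL) aged 28351.120s and NOT sending notification
May 14 17:05:00.000000: "unrelated" #10: deleting other state #10 (STATE_CHILDSA_DEL) aged 100.000s and NOT sending notification
"""

if __name__ == "__main__":
    for f in find_premature_deletions(SAMPLE_STATUS, SAMPLE_LOG):
        print(f"{f.timestamp} {f.conn} #{f.state} {f.kind}: deleted at {f.aged:.0f}s, "
              f"earliest planned rekey {f.earliest_rekey:.0f}s")
```

Run it against `ipsec status` output and the pluto log from the affected gateway; a hit on a connection whose peer is a different implementation is the first place to compare the negotiated lifetimes on both ends, since the deletion at 4049s is far below even the 28200s earliest rekey that the posted margin and fuzz allow.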

