[Swan] Windows 10 client to libreswan VPN server: The Child SA expires often

Paul Wouters paul at nohats.ca
Sun Jan 9 23:51:13 EET 2022

On Fri, 7 Jan 2022, Mirsad Goran Todorovac wrote:

> 000 #5: "MYCONN-ikev2-cp"[3] STATE_V2_ESTABLISHED_IKE_SA 
> (established IKE SA); EXPIRE in 25923s; newest ISAKMP; idle;
> 000 #9: "MYCONN-ikev2-cp"[3] STATE_V2_ESTABLISHED_CHILD_SA 
> (established Child SA); EXPIRE in 28737s; newest IPSEC; eroute owner; 
> isakmp#5; idle;
> 000 #9: "MYCONN-ikev2-cp"[3] esp.c8c6721e at 
> esp.193db088 at tun.0 at tun.0 at Traffic: 
> ESPin=396KB ESPout=23MB ESPmax=0B
> What is the problem?
> The Child SA is renegotiated about every 5 minutes despite saying EXPIRE in 
> 28800 s.

Is it expiring, or is the client rekeying it? The logs should show you
which end is triggering this. If it is libreswan, there should be a
reason in the logs. If it is Microsoft, then we can't help it. Microsoft
is known to aggressively clean up "idle" connections.

If you run "ipsec status" when the connection is up, it will show you
the timers for rekey/expire of the states (ipsec status | grep STATE_).
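
One way to act on the `ipsec status | grep STATE_` suggestion, as an added example that is not part of the original post and not libreswan code: compare two status snapshots and list Child SAs that were replaced while their timers still had time left, which gives the serial numbers to look up in the logs. The snapshots are constructed from the lines quoted above (unwrapped to one state per line); the function names, the 300-second interval and serial #10 are assumptions.

```python
import re

# Constructed sample: the STATE_ lines quoted in the post, one state per line.
SNAPSHOT_T0 = '''\
000 #5: "MYCONN-ikev2-cp"[3] STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 25923s; newest ISAKMP; idle;
000 #9: "MYCONN-ikev2-cp"[3] STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 28737s; newest IPSEC; eroute owner; isakmp#5; idle;
'''
# Constructed sample: a hypothetical second snapshot taken 300 seconds later.
SNAPSHOT_T1 = '''\
000 #5: "MYCONN-ikev2-cp"[3] STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 25623s; newest ISAKMP; idle;
000 #10: "MYCONN-ikev2-cp"[3] STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 28790s; newest IPSEC; eroute owner; isakmp#5; idle;
'''

STATE_RE = re.compile(r'^\d+ #(\d+): (\S+) (STATE_\w+)')
# Assumption: every timer is printed as "<NAME> in <seconds>s;" like EXPIRE above.
TIMER_RE = re.compile(r'\b([A-Z_]+) in (\d+)s;')

def parse_states(status_text):
    """Map state serial -> (connection, state name, {timer name: seconds left})."""
    states = {}
    for line in status_text.splitlines():
        m = STATE_RE.match(line)
        if m:
            timers = {name: int(secs) for name, secs in TIMER_RE.findall(line)}
            states[int(m.group(1))] = (m.group(2), m.group(3), timers)
    return states

def replaced_child_sas(before_text, after_text, elapsed):
    """Child SAs in the first snapshot that are gone `elapsed` seconds later
    although no timer they showed was due within that window."""
    before, after = parse_states(before_text), parse_states(after_text)
    findings = []
    for serial, (conn, state, timers) in sorted(before.items()):
        if 'CHILD_SA' not in state or serial in after:
            continue  # not an IKEv2 Child SA, or still present
        if timers and min(timers.values()) <= elapsed:
            continue  # a timer ran out in the window, so replacement is expected
        successors = [s for s, (c, st, _) in after.items()
                      if c == conn and 'CHILD_SA' in st and s > serial]
        findings.append((conn, serial, max(successors, default=None),
                         min(timers.values(), default=None)))
    return findings

if __name__ == "__main__":
    for conn, old, new, left in replaced_child_sas(SNAPSHOT_T0, SNAPSHOT_T1, 300):
        print(f"{conn}: Child SA #{old} replaced by #{new} with {left}s still on its timer")
```

The old and new serial numbers it reports are the ones to search for in the pluto log when checking which end started the exchange.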

