[Swan] Windows 10 client to libreswan VPN server: The Child SA expires often

Paul Wouters paul at nohats.ca
Sun Jan 9 23:51:13 EET 2022


On Fri, 7 Jan 2022, Mirsad Goran Todorovac wrote:

> 000 #5: "MYCONN-ikev2-cp"[3] 94.253.211.1:4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 25923s; newest ISAKMP; idle;
> 000 #9: "MYCONN-ikev2-cp"[3] 94.253.211.1:4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 28737s; newest IPSEC; eroute owner; isakmp#5; idle;
> 000 #9: "MYCONN-ikev2-cp"[3] 94.253.211.1 esp.c8c6721e at 94.253.211.1 esp.193db088 at 161.53.83.3 tun.0 at 94.253.211.1 tun.0 at 161.53.83.3 Traffic: ESPin=396KB ESPout=23MB ESPmax=0B
>
> What is the problem?
>
> The Child SA is renegotiated every about 5 minutes despite saying EXPIRE in 
> 28800 s.

Is it expiring, or is the client rekeying it? The logs should show you
which end is triggering this. If it is libreswan, there should be a
reason in the logs. If it is Microsoft, then we can't help it. Microsoft
is known to aggressively clean up "idle" connections.

If you run "ipsec status" when the connection is up, it will show you
the timers for rekey/expire of the states (ipsec status | grep STATE_).

Paul
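The check Paul describes, taking two "ipsec status" snapshots a few minutes apart and seeing whether the Child SA timer is simply counting down, ran out, or was replaced while it still had hours left, can be scripted. The following is an added example, not code from the libreswan project or from either poster. It assumes the state-line layout shown in the quoted output (with "@" where the list archive prints " at "), that the timer keyword is one of EXPIRE, REKEY or REPLACE, and that a new SA number for the same connection means the old SA was replaced. The first snapshot is the one quoted above; the second, 300 s later, is constructed to reproduce the reported symptom.

```python
"""Tell a Child SA that expired from one that was rekeyed/replaced early,
by comparing two `ipsec status` snapshots taken `elapsed` seconds apart."""
import re
from dataclasses import dataclass

# Per-state line of `ipsec status`. Assumption: timer word is EXPIRE, REKEY
# or REPLACE (libreswan prints one of these depending on the version).
STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)"(?:\[\d+\])? \S+ '
    r'(?P<state>STATE_\w+) \([^)]*\); (?P<timer>EXPIRE|REKEY|REPLACE) '
    r'in (?P<secs>\d+)s;'
)


@dataclass(frozen=True)
class SaState:
    num: int      # state number, e.g. #9
    conn: str     # connection name
    kind: str     # "IKE" or "CHILD"
    timer: str    # EXPIRE / REKEY / REPLACE
    secs: int     # seconds left on that timer


def parse_status(text):
    """Return {(conn, kind): SaState} for every established SA line found.
    Traffic lines (no STATE_ token) are skipped by the regex."""
    out = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        kind = "CHILD" if "CHILD_SA" in m["state"] else "IKE"
        st = SaState(int(m["num"]), m["conn"], kind, m["timer"], int(m["secs"]))
        key = (st.conn, kind)
        # During a rekey two states may coexist; keep the newest number.
        if key not in out or st.num > out[key].num:
            out[key] = st
    return out


def classify(before, after, elapsed, slack=30):
    """Verdict per (conn, kind):
    'ticking'        same SA, timer went down by about `elapsed`
    'timer-reset'    same SA, but the timer did not track wall-clock time
    'expired'        new SA number, and the old timer would have hit zero
    'replaced-early' new SA number while the old one had time left, i.e.
                     one side rekeyed or deleted it (check the logs for which)
    'gone'           SA vanished with no replacement"""
    verdicts = {}
    for key, old in before.items():
        new = after.get(key)
        if new is None:
            verdicts[key] = "gone"
        elif new.num == old.num:
            drift = abs((old.secs - elapsed) - new.secs)
            verdicts[key] = "ticking" if drift <= slack else "timer-reset"
        elif old.secs - elapsed <= slack:
            verdicts[key] = "expired"
        else:
            verdicts[key] = "replaced-early"
    return verdicts


# Constructed sample: snapshot 1 is the output quoted in the thread.
SNAPSHOT_T0 = """\
000 #5: "MYCONN-ikev2-cp"[3] 94.253.211.1:4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 25923s; newest ISAKMP; idle;
000 #9: "MYCONN-ikev2-cp"[3] 94.253.211.1:4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 28737s; newest IPSEC; eroute owner; isakmp#5; idle;
000 #9: "MYCONN-ikev2-cp"[3] 94.253.211.1 esp.c8c6721e@94.253.211.1 esp.193db088@161.53.83.3 tun.0@94.253.211.1 tun.0@161.53.83.3 Traffic: ESPin=396KB ESPout=23MB ESPmax=0B
"""

# Constructed sample: 300 s later the IKE SA is the same, but the Child SA
# is now #11 with a fresh 28800 s lifetime, the symptom the reporter saw.
SNAPSHOT_T1 = """\
000 #5: "MYCONN-ikev2-cp"[3] 94.253.211.1:4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 25623s; newest ISAKMP; idle;
000 #11: "MYCONN-ikev2-cp"[3] 94.253.211.1:4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 28800s; newest IPSEC; eroute owner; isakmp#5; idle;
"""

if __name__ == "__main__":
    for key, verdict in classify(parse_status(SNAPSHOT_T0),
                                 parse_status(SNAPSHOT_T1), elapsed=300).items():
        print(key, verdict)
```

In practice replace the two embedded snapshots with the saved output of `ipsec status` run a few minutes apart and pass the real interval as `elapsed`. A "replaced-early" verdict on the Child SA confirms it is not a lifetime expiry, and the libreswan log around that timestamp then shows whether libreswan initiated the rekey or received a CREATE_CHILD_SA or DELETE from the Windows side.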

