<tt><font size=2><br>
> So from my head, probably completely wrong type of before coffee<br>
> calculation, that could be lifetime in seconds (00 00 00 01) for<br>
> 1c00 seconds, aka 7168 seconds, prob 7200 (2h) when it started?</font></tt>
<br>
<br><tt><font size=2>Well the message comes in during the initial Phase
1 - so it might be that Cisco defaults to something like 7168 seconds?</font></tt>
<br><tt><font size=2>Peer admin configured 28800s on the GUI, but I couldn't
find out what phase.</font></tt>
<br>
<br><tt><font size=2>well... what phase is IPSEC_RESPONDER_LIFETIME related
to? ikelifetime or salifetime?</font></tt>
<br>
<br><tt><font size=2>I experimented and reduced both to 1800s. That at
least takes the pressure from me babysitting the connection - but still
the peer seems to throw the phase 1 away and Libreswan doesn't seem to
notice, resulting in a broken tunnel...</font></tt>
<br>
<br><tt><font size=2>000 State list:</font></tt>
<br><tt><font size=2>000 </font></tt>
<br><tt><font size=2>000 #54: "remote":4500 STATE_MAIN_I4 (ISAKMP
SA established); EVENT_SA_EXPIRE in 144s; lastdpd=938s(seq in:0 out:0);
idle; import:local rekey</font></tt>
<br><tt><font size=2>000 #63: "remote":4500 STATE_QUICK_I1 (sent
QI1, expecting QR1); EVENT_v1_RETRANSMIT in 6s; lastdpd=-1s(seq in:0 out:0);
idle; import:local rekey</font></tt>
<br><tt><font size=2>000 #61: "remote":4500 STATE_MAIN_I4 (ISAKMP
SA established); EVENT_SA_REPLACE in 57s; newest ISAKMP; lastdpd=300s(seq
in:0 out:0); idle; import:local rekey</font></tt>
<br>
<br><tt><font size=2>with a dpdtimeout of 120 - shouldn't Libreswan have
thrown away those (#54 and #61)? Or does DPD only work on Phase 2?</font></tt>
<br><tt><font size=2><br>
<br>
> ps. pet peeve: It is "Libreswan" or "libreswan",
not "LibreSWAN" - <br>
> SWAN is a trademark of RSA Inc.<br>
</font></tt>
<br><tt><font size=2>I'll try to remember that :) </font></tt>
<br>
<br><tt><font size=2>Best Regards</font></tt>
<br><tt><font size=2> Heiko Helmle</font></tt>