<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="NL-BE" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span lang="FR-BE">Hi all,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR-BE"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">We have a strange behaviour on one of our tunnels.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">On this tunnel, when the IPSEC SA is coming to expiration, it is replaced WITH the ISAKMP SA, but WITHOUT deleting this latter, which leads to an increasing number of “to be replaced” ISAKMP SA.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I made some searches on the internet but without results…<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">The config:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "conn_name/1x1": 0.0.0.0/0===XXXX<XXXXXXXX>...YYYYYYYY<YYYYYYYYY>===0.0.0.0/0; erouted; eroute owner: #595<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "conn_name/1x1": oriented; my_ip=unset; their_ip=unset; myup=/etc/ipsec.d/conn_name-vpn.sh<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "conn_name/1x1": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "conn_name/1x1": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "conn_name/1x1": labeled_ipsec:no;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "conn_name/1x1": policy_label:unset;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "conn_name/1x1": ike_life: 28800s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "conn_name/1x1": retransmit-interval: 500ms; retransmit-timeout: 60s;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "conn_name/1x1": sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "conn_name/1x1": policy: PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "conn_name/1x1": conn_prio: 0,0; interface: ens225; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset; mark: 10/0xffffffff;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR-BE">000 "conn_name/1x1": newest ISAKMP SA: #594; newest IPsec SA: #595;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "conn_name/1x1": aliases: conn_name<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "conn_name/1x1": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP2048(14), AES_CBC(7)_128-SHA1(2)_000-MODP1536(5), AES_CBC(7)_128-SHA1(2)_000-MODP1024(2)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "conn_name/1x1": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP2048(14), AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "conn_name/1x1": IKEv2 algorithm newest: AES_CBC_128-AUTH_HMAC_SHA1_96-PRF_HMAC_SHA1-MODP2048<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "conn_name/1x1": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP2048(14)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "conn_name/1x1": ESP algorithms loaded: AES(12)_128-SHA1(2)_000<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"># active SAs<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 #595: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 1890s; newest IPSEC; eroute owner; isakmp#594; idle; import:respond to stranger<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 #595: "conn_name/1x1" esp.ca572b92@80.84.22.51 esp.f6b62d0@64.94.187.67 tun.0@80.84.22.51 tun.0@64.94.187.67 ref=0 refhim=4294901761 Traffic: ESPin=3MB ESPout=5MB! ESPmax=0B<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 #594: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 27026s; newest ISAKMP; isakmp#0; idle; import:respond to stranger<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 #594: "conn_name/1x1" ref=0 refhim=0 Traffic:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"># “dead” SAs<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 #392: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 798s; isakmp#0; idle; import:respond to stranger<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 #392: "bics/1x1" ref=0 refhim=0 Traffic:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 #414: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 3672s; isakmp#0; idle; import:respond to stranger<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 #414: "bics/1x1" ref=0 refhim=0 Traffic:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 #551: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 21212s; isakmp#0; idle; import:respond to stranger<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 #551: "bics/1x1" ref=0 refhim=0 Traffic:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Any ideas?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Marc<o:p></o:p></span></p>
</div>
</body>
</html>