<html><head><style>body{font-family:Helvetica,Arial;font-size:13px}</style></head><body style="word-wrap:break-word"><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">Unfortunately, `rekey=no` did not change the behaviour.</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">```</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto"><div id="bloop_customfont" style="margin:0px">000 "bhs": 184.X.X.X/32===172.A.A.A[184.X.X.X]---172.A.A.1...64.Y.Y.Y<64.Y.Y.Y>===128.B.B.B/32; prospective erouted; eroute owner: #0</div><div id="bloop_customfont" style="margin:0px">000 "bhs":     oriented; my_ip=184.X.X.X; their_ip=unset</div><div id="bloop_customfont" style="margin:0px">000 "bhs":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]</div><div id="bloop_customfont" style="margin:0px">000 "bhs":   our auth:secret, their auth:secret</div><div id="bloop_customfont" style="margin:0px">000 "bhs":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;</div><div id="bloop_customfont" style="margin:0px">000 "bhs":   labeled_ipsec:no;</div><div id="bloop_customfont" style="margin:0px">000 "bhs":   policy_label:unset;</div><div id="bloop_customfont" style="margin:0px">000 "bhs":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;</div><div id="bloop_customfont" style="margin:0px">000 "bhs":   retransmit-interval: 500ms; retransmit-timeout: 60s;</div><div id="bloop_customfont" style="margin:0px">000 "bhs":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; 
fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;</div><div id="bloop_customfont" style="margin:0px">000 "bhs":   policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;</div><div id="bloop_customfont" style="margin:0px">000 "bhs":   conn_prio: 32,32; interface: ens3; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;</div><div id="bloop_customfont" style="margin:0px">000 "bhs":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;</div><div id="bloop_customfont" style="margin:0px">000 "bhs":   dpd: action:hold; delay:40; timeout:120; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both</div><div id="bloop_customfont" style="margin:0px">000 "bhs":   newest ISAKMP SA: #300; newest IPsec SA: #0;</div><div id="bloop_customfont" style="margin:0px">000 "bhs":   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)-MODP2048(14), AES_CBC(7)_256-SHA1(2)-MODP1536(5)</div><div id="bloop_customfont" style="margin:0px">000 "bhs":   IKE algorithms found:  AES_CBC(7)_256-SHA1(2)-MODP2048(14), AES_CBC(7)_256-SHA1(2)-MODP1536(5)</div><div id="bloop_customfont" style="margin:0px">000 "bhs":   IKE algorithm newest: AES_CBC_256-SHA1-MODP1536</div><div id="bloop_customfont" style="margin:0px">000 "bhs":   ESP algorithms wanted: AES(12)_256-SHA1(2)</div><div id="bloop_customfont" style="margin:0px">000 "bhs":   ESP algorithms loaded: AES(12)_256-SHA1(2)</div><div id="bloop_customfont" style="margin:0px">000 #301: "bhs":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 0s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate</div><div id="bloop_customfont" style="margin:0px">000 #300: "bhs":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE_IF_USED in 2529s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate</div></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">```</div><div 
id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">I just restarted ipsec; notice that it got to #301 and it keeps going...</div> <br> <div id="bloop_sign_1497962709120815104" class="bloop_sign"></div> <br><p class="airmail_on">On 19 June 2017 at 20:17:02, Tuomo Soini (<a href="mailto:tis@foobar.fi">tis@foobar.fi</a>) wrote:</p> <blockquote type="cite" class="clean_bq"><span><div><div></div><div>On Mon, 19 Jun 2017 11:07:34 -0400 (EDT)
<br>Paul Wouters &lt;<a href="mailto:paul@nohats.ca">paul@nohats.ca</a>&gt; wrote:
<br>
<br>> On Mon, 19 Jun 2017, Bob Cribbs wrote:
<br>>  
<br>> > I've tried the changes you suggested, but the result is still the
<br>> > same. In the conn config, I've added retransmit-timeout and
<br>> > retransmit-interval.
<br>>  
<br>> Do you receive a DELETE for your IKE SA?
<br>
<br>Yes, he does. And in this case I think rekey=no is the only solution.
<br>
<br>We removed the delay for new initiation. That causes a new issue.
<br>
<br>
<br>--  
<br>Tuomo Soini &lt;<a href="mailto:tis@foobar.fi">tis@foobar.fi</a>&gt;
<br>Foobar Linux services
<br>+358 40 5240030
<br>Foobar Oy &lt;<a href="http://foobar.fi/">http://foobar.fi/</a>&gt;
<br></div></div></span></blockquote></body></html>