<div dir="ltr">I collected some more recent logs; just emphasizing a few here: <div><br></div><div>





<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69);min-height:14px"><br></p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">2018-10-10T20:30:55.000Z tuk1r1:10.9.x.x pluto warn - - - vpn-1200910: "vnet_conn_vpn-1200910-tunnel-VPNRemoteRoutedSubnet-tunnel-0.0.0.0/0"[176] y.y.y.y #2254: initiating Quick Mode PSK+ENCRYPT+TUNNEL+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO to replace #2234 {using isakmp#2197 msgid:cda1e74c proposal=AES(12)_128-SHA1(2) pfsgroup=no-pfs}</p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">2018-10-10T20:30:56.000Z tuk1r1:10.9.x.x pluto warn - - - vpn-1200910: "vnet_conn_vpn-1200910-tunnel-VPNRemoteRoutedSubnet-tunnel-0.0.0.0/0"[176] y.y.y.y #2254: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2</p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">2018-10-10T20:30:56.000Z tuk1r1:10.9.x.x pluto warn - - - vpn-1200910: "vnet_conn_vpn-1200910-tunnel-VPNRemoteRoutedSubnet-tunnel-0.0.0.0/0"[176] y.y.y.y #2254: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xb1fc346e <0xde8594db xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}</p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"><br></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69);min-height:14px">>>> 1) The previous P2 lifetime (1hr) expired; a new ESP SA (0xb1fc346e) was negotiated.</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69);min-height:14px"><br></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69);min-height:14px"><br></p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">2018-10-10T21:16:00.000Z tuk1r1:10.9.x.x pluto warn - - - vpn-1200910: "vnet_conn_vpn-1200910-tunnel-VPNRemoteRoutedSubnet-tunnel-0.0.0.0/0"[178] y.y.y.y #2266: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_128 integ=sha group=MODP1024}</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69);min-height:14px"><br></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69);min-height:14px">>>> 2) The p1 lifetime expired; a new ISAKMP SA was established.</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69);min-height:14px"><br></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69);min-height:14px"><br></p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">2018-10-10T21:16:00.000Z tuk1r1:10.9.x.x pluto warn - - - vpn-1200910: "vnet_conn_vpn-1200910-tunnel-VPNRemoteRoutedSubnet-tunnel-0.0.0.0/0" #2254: deleting state (STATE_QUICK_I2)</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69);min-height:14px">>>> 3) Even though the ESP SA has not expired yet, it seems p1 expiration triggers the system to delete the old ESP SA. No new ESP SA is negotiated at this time because this end uses VNET, so the connection can only be initialized by the other end (a Checkpoint device). Somehow, the other end did not initialize a new conn immediately. It looks like the other end still thinks the old ESP SA is good and sends traffic with the old ESP SA. Of course, the connection is down now because of the unknown SA.</p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69);min-height:14px"><br></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69);min-height:14px"><br></p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">2018-10-10T21:16:02.000Z tuk1r1:10.9.x.x pluto warn - - - vpn-1200910: "vnet_conn_vpn-1200910-tunnel-VPNRemoteRoutedSubnet-tunnel-0.0.0.0/0"[178] y.y.y.y #2266: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xb1fc346e) not found (maybe expired)</p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"><br></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">>>> 4) After some time, the other end realized (or its p2 expired) that the SA was not usable and asked our end to delete the ESP SA. Of course, our end cannot find it.</p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"><br></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">So, my question is: during step 3) above, what should the correct behavior be according to the standards: delete the old ESP SA, or keep the old ESP SA available for some time? Shouldn't there be some overlap between the two ESP SAs? I know that if there is no p1 renegotiation involved, there will be overlap between the old and new ESP SA.
</p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"><br></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"><br></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">Thanks,</p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)">Xinwei</p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";color:rgb(69,69,69)"><br></p><div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Oct 5, 2018 at 12:27 PM Paul Wouters <<a href="mailto:paul@nohats.ca">paul@nohats.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Thu, 27 Sep 2018, Xinwei Hong wrote:<br>
<br>
> I have a VPN which would fail every 8 hours or so, at the time of phase 1 IKE expiration. Here is the config file:<br>
> config setup<br>
<br>
I don't see any errors in the logs. But 8h sounds like a lifetime /<br>
rekey issue. Maybe try default ikelifetime and salifetime values?<br>
Or set the ikelifetime= shorter than the salifetime?<br>
<br>
Paul<br>
</blockquote></div>
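As an added illustration (not part of the thread, and not libreswan code), a small Python script that parses pluto lines laid out as in the excerpts above and flags a Phase 2 state that was deleted while it was its connection's only live IPsec SA, i.e. a rekey with no overlap and therefore a tunnel outage window. The regex, the gap-tracking logic and the sample (the thread's own four key lines, trimmed, with its placeholder addresses) are constructed here.

```python
import re
from datetime import datetime

# Field layout of the pluto lines quoted in the thread (constructed regex, not libreswan's own).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) \S+ pluto \S+ - - - (?P<conn>[\w-]+): "[^"]+"'
    r'(?:\[\d+\] \S+)? #(?P<st>\d+): (?P<msg>.*)$'
)

def parse_pluto_line(line):
    """Return {ts, conn, st, msg} for one pluto line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ"),
            "conn": m["conn"], "st": int(m["st"]), "msg": m["msg"]}

def find_p2_gaps(lines):
    """Flag each Phase 2 state deleted while it was its connection's only live IPsec SA.
    A gap records when the next IPsec SA came up (None if never seen) and whether the
    peer later sent a Delete for an SPI we no longer had (it was still using the old SA)."""
    live = {}   # conn -> {state#: established-at}
    gaps = []
    for ev in filter(None, map(parse_pluto_line, lines)):
        conn, st, msg = ev["conn"], ev["st"], ev["msg"]
        sas = live.setdefault(conn, {})
        open_gaps = [g for g in gaps if g["conn"] == conn and g["restored_at"] is None]
        if "IPsec SA established" in msg:
            sas[st] = ev["ts"]
            for g in open_gaps:
                g["restored_at"] = ev["ts"]
        elif msg.startswith("deleting state (STATE_QUICK"):
            if sas.pop(st, None) is not None and not sas:
                gaps.append({"conn": conn, "state": st, "deleted_at": ev["ts"],
                             "restored_at": None, "peer_delete_ignored": False})
        elif "ignoring Delete SA payload" in msg:
            for g in open_gaps:
                g["peer_delete_ignored"] = True
    return gaps

# Constructed sample: the thread's four key lines, trimmed, with its placeholder addresses.
PREFIX = ('2018-10-10T%s tuk1r1:10.9.x.x pluto warn - - - vpn-1200910: '
          '"vnet_conn_vpn-1200910-tunnel-VPNRemoteRoutedSubnet-tunnel-0.0.0.0/0"')
SAMPLE_LOG = [
    PREFIX % '20:30:56.000Z' + '[176] y.y.y.y #2254: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xb1fc346e <0xde8594db}',
    PREFIX % '21:16:00.000Z' + '[178] y.y.y.y #2266: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY}',
    PREFIX % '21:16:00.000Z' + ' #2254: deleting state (STATE_QUICK_I2)',
    PREFIX % '21:16:02.000Z' + '[178] y.y.y.y #2266: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xb1fc346e) not found (maybe expired)',
]
```

Running `find_p2_gaps(SAMPLE_LOG)` on the thread's sequence yields one gap for state #2254, opened at 21:16:00 with no restoration seen and the peer's later Delete flagged, which is exactly the outage window described in step 3).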