Re: [Swan] SA lifetime too short, less than configured

2021-05-20 Thread Ivan Kuznetsov
Gzipped log for time 00:42:14 is attached. As I understand, the other side (Cisco ASA) sends an ISAKMP_v2_INFORMATIONAL message containing an ISAKMP_NEXT_v2D payload asking to delete the #103354 SA. 20.05.2021 19:33, Ivan Kuznetsov wrote: Hello Paul 17.05.2021 18:01, Paul Wouters wrote: On Mon, 17 May

Re: [Swan] SA lifetime too short, less than configured

2021-05-20 Thread Ivan Kuznetsov
Hello Paul 17.05.2021 18:01, Paul Wouters wrote: On Mon, 17 May 2021, Ivan Kuznetsov wrote: Yes, all the bkp* have the same lifetimes: [root@vpn3 ipsec.d]# ipsec auto --status | grep bkp | grep ike_life 000 "bkp/0x1":   ike_life: 86400s; ipsec_life: 28800s; replay_window: 32; rekey_margin:

Re: [Swan] SA lifetime too short, less than configured

2021-05-17 Thread Paul Wouters
On Mon, 17 May 2021, Ivan Kuznetsov wrote: Yes, all the bkp* have the same lifetimes: [root@vpn3 ipsec.d]# ipsec auto --status | grep bkp | grep ike_life 000 "bkp/0x1": ike_life: 86400s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 300s; rekey_fuzz: 100%; keyingtries: 3; 000

Re: [Swan] SA lifetime too short, less than configured

2021-05-17 Thread Ivan Kuznetsov
14.05.2021 16:08, Paul Wouters wrote: On Fri, 14 May 2021, Ivan Kuznetsov wrote: No, config lines are not ignored. Here is status output, it shows 'ike_life: 86400s' and 'ipsec_life: 28800s' implemented [root@vpn3 ipsec.d]# ipsec auto --status | grep bkp/0x2 000 "bkp/0x2": 000 "bkp/0x2": 

Re: [Swan] SA lifetime too short, less than configured

2021-05-14 Thread Paul Wouters
On Fri, 14 May 2021, Ivan Kuznetsov wrote: No, config lines are not ignored. Here is status output, it shows 'ike_life: 86400s' and 'ipsec_life: 28800s' implemented [root@vpn3 ipsec.d]# ipsec auto --status | grep bkp/0x2 000 "bkp/0x2": 000 "bkp/0x2": ike_life: 86400s; ipsec_life: 28800s;

Re: [Swan] SA lifetime too short, less than configured

2021-05-14 Thread Ivan Kuznetsov
Hi Paul No, config lines are not ignored. Here is status output, it shows 'ike_life: 86400s' and 'ipsec_life: 28800s' implemented [root@vpn3 ipsec.d]# ipsec auto --status | grep bkp/0x2 000 "bkp/0x2": 172.16.80.0/20===11.22.33.44<11.22.33.44>...55.66.77.88<55.66.77.88>===10.1.102.0/24;

Re: [Swan] SA lifetime too short, less than configured

2021-05-14 Thread Paul Wouters
If you have those empty lines in your config, perhaps that is causing the lines to be ignored? Otherwise, show us the logs from the rekey event? It should tell us why. Sent from my iPhone > On May 14, 2021, at 03:46, Ivan Kuznetsov wrote: > > Hello > > We use libreswan 3.32 under Linux

[Swan] SA lifetime too short, less than configured

2021-05-14 Thread Ivan Kuznetsov
Hello We use libreswan 3.32 under Linux and have an IPsec peer who recently upgraded their Cisco ASA. The tunnel was migrated to IKEv2. All works fine except the libreswan side restarts ISAKMP too often, mostly after 1h. ESP is restarted too. Settings for lifetime are 24h for phase 1 and 8h for phase