On Wed, May 20, 2015 at 05:20:04PM +0200, [email protected] wrote:
> > So from my head, probably completely wrong type of before coffee
> > calculation, that could be lifetime in seconds (00 00 00 01) for
> > 1c00 seconds, aka 7168 seconds, prob 7200 (2h) when it started?
>
> Well the message comes in during the initial Phase 1 - so it might be that
> Cisco defaults to something like 7168 seconds?
> Peer admin configured 28800s on the GUI, but I couldn't find out what
> phase.
>
> well... what phase is IPSEC_RESPONDER_LIFETIME related to? ikelifetime or
> salifetime?
>
> I experimented and reduced both to 1800s. That at least takes the pressure
> from me babysitting the connection - but still the peer seems to throw the
> phase 1 away and Libreswan doesn't seem to notice, resulting in a broken
> tunnel...
>
> 000 State list:
> 000
> 000 #54: "remote":4500 STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_EXPIRE in 144s; lastdpd=938s(seq in:0 out:0); idle; import:local
> rekey
> 000 #63: "remote":4500 STATE_QUICK_I1 (sent QI1, expecting QR1);
> EVENT_v1_RETRANSMIT in 6s; lastdpd=-1s(seq in:0 out:0); idle; import:local
> rekey
> 000 #61: "remote":4500 STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in 57s; newest ISAKMP; lastdpd=300s(seq in:0 out:0);
> idle; import:local rekey
>
> with a dpdtimeout of 120 - shouldn't Libreswan have thrown away those (#54
> and #61)? Or does DPD only work on Phase 2?
>
>
> > ps. pet peeve: It is "Libreswan" or "libreswan", not "LibreSWAN" -
> > SWAN is a trademark of RSA Inc.
>
> I'll try to remember that :)

http://www.freeswan.org/credits.html says it is S/WAN not SWAN that is trademarked by RSA.

-- 
Len Sorensen
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
