Set rekey=yes ?
Don't set leftsubnet if and as lefg
Don't set leftsourceip without a real leftsubnet
Sent from my iPhone

> On Oct 20, 2016, at 16:26, Banana Man <[email protected]> wrote:
>
> Hi:
> I have a number of tunnels running well on a CentOS 7 machine with libreswan
> 3.15-5.el7_1. I added a new tunnel which I am having some issues with; the
> only real difference is that the new one is using ikev2. The config is:
>
> conn demo
>     type=tunnel
>     authby=secret
>
>     left=10.0.0.3
>     leftsubnet=10.0.0.3/255.255.255.255
>     leftnexthop=123.45.67.4
>     leftsourceip=10.0.0.3
>
>     right=123.45.67.4
>     rightsubnet=2123.45.67.198/255.255.255.255
>     rightnexthop=10.0.0.3
>     rightsourceip=123.45.67.198
>
>     ikev2=insist
>     ike=aes-sha1
>     ikelifetime=86400s
>     phase2alg=aes-256
>     salifetime=28800s
>     rekey=no
>     pfs=no
>     auto=start
>
> The other side is, I think, a Cisco ASA. The tunnel has failed sporadically
> and I see the following output from ipsec status when this happens:
>
> 000 #18146: "demo":500 STATE_PARENT_R1 (received v2I1, sent v2R1);
> EVENT_v2_RESPONDER_TIMEOUT in 77s; idle; import:respond to stranger
>
> I couldn't find a lot of information on this error. Can anyone point out
> anything I can do here? Is there a way to automatically recover from an event
> like this? It works fine (for a while) with a --replace & --up.
>
> Thanks,
> Bananas
>
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
