Status shows the following:

    ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;

However, the tunnel fails well before any of the limits are reached - sometimes within 5 minutes of being restarted. I still keep seeing the timeouts:

    STATE_PARENT_R1 (received v2I1, sent v2R1); EVENT_v2_RESPONDER_TIMEOUT in 195s; idle; import:respond to stranger

I'm wondering if something on the far side is blocking the replies.

Thanks for the help!

On Fri, Oct 21, 2016 at 1:10 PM, Paul Wouters <[email protected]> wrote:

> On Fri, 21 Oct 2016, Banana Man wrote:
>
>> I didn't want to confuse things, but I'm actually using a NAT with this
>> tunnel (as well as several others on this machine). So left= is a
>> different value (my machine's real IP) than leftsubnet= and
>> leftsourceip=, which are the NAT address. So I think I need to set both
>> of those. I have always used 255.255.255.255 in the subnet settings to
>> restrict to the single IP, is this not advisable? I only want access to
>> the machine I'm starting the tunnel on, not the whole subnet.
>
> Ok, if leftsubnet is an IP different from left that is fine. That did
> not show in your posted config. If you are behind NAT, ensure you have
> the shorter ikelifetime= so you are always the end rekeying first.
>
> Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
