Unfortunately, `rekey=no` did not change the behaviour.

```
000 "bhs": 184.X.X.X/32===172.A.A.A[184.X.X.X]---172.A.A.1...64.Y.Y.Y<64.Y.Y.Y>===128.B.B.B/32; prospective erouted; eroute owner: #0
000 "bhs": oriented; my_ip=184.X.X.X; their_ip=unset
000 "bhs": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "bhs": our auth:secret, their auth:secret
000 "bhs": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "bhs": labeled_ipsec:no;
000 "bhs": policy_label:unset;
000 "bhs": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "bhs": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "bhs": sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "bhs": policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "bhs": conn_prio: 32,32; interface: ens3; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "bhs": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "bhs": dpd: action:hold; delay:40; timeout:120; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "bhs": newest ISAKMP SA: #300; newest IPsec SA: #0;
000 "bhs": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)-MODP2048(14), AES_CBC(7)_256-SHA1(2)-MODP1536(5)
000 "bhs": IKE algorithms found: AES_CBC(7)_256-SHA1(2)-MODP2048(14), AES_CBC(7)_256-SHA1(2)-MODP1536(5)
000 "bhs": IKE algorithm newest: AES_CBC_256-SHA1-MODP1536
000 "bhs": ESP algorithms wanted: AES(12)_256-SHA1(2)
000 "bhs": ESP algorithms loaded: AES(12)_256-SHA1(2)
000 #301: "bhs":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 0s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #300: "bhs":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE_IF_USED in 2529s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
```
I just restarted ipsec; notice it got to #301 and it keeps going...

On 19 June 2017 at 20:17:02, Tuomo Soini (t...@foobar.fi) wrote:

On Mon, 19 Jun 2017 11:07:34 -0400 (EDT)
Paul Wouters <p...@nohats.ca> wrote:

> On Mon, 19 Jun 2017, Bob Cribbs wrote:
>
> > I've tried the changes you suggested, but the result is still the
> > same. In the conn config, I've added retransmit-timeout and
> > retransmit-interval.
>
> Do you receive a DELETE for your IKE SA?

Yes, he does. And in this case I think rekey=no is the only solution.

We removed delay for new initiation. That causes new issue.

-- 
Tuomo Soini <t...@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
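As an added example (not part of the original thread or of libreswan), a small Python parser for `ipsec status` lines like those above that pulls out the fields this thread turns on: the connection's policy flags (is DONT_REKEY set), the newest ISAKMP and IPsec SA numbers, and any SA sitting in STATE_QUICK_I1 with EVENT_v1_RETRANSMIT pending. The sample input is a constructed excerpt of the status output quoted above, and the field layout is assumed from those lines only.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the `ipsec status` lines quoted in this thread (addresses masked as in the post).
SAMPLE_STATUS = """\
000 "bhs": policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "bhs": newest ISAKMP SA: #300; newest IPsec SA: #0;
000 #301: "bhs":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 0s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #300: "bhs":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE_IF_USED in 2529s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
"""

CONN_RE = re.compile(r'^000 "([^"]+)": (.*)$')  # per-connection attribute lines
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)":\d+ (STATE_\w+) \([^)]*\); (EVENT_\w+) in (\d+)s')  # per-SA state lines

@dataclass
class ConnStatus:
    name: str
    policy: set = field(default_factory=set)
    newest_isakmp: int = 0
    newest_ipsec: int = 0
    states: dict = field(default_factory=dict)  # SA number -> (state, pending event)

def parse_status(text):
    # Build one ConnStatus per connection name from the status dump.
    conns = {}
    for line in text.splitlines():
        if m := STATE_RE.match(line):
            sa, name, state, event, _secs = m.groups()
            conns.setdefault(name, ConnStatus(name)).states[int(sa)] = (state, event)
        elif m := CONN_RE.match(line):
            name, body = m.groups()
            c = conns.setdefault(name, ConnStatus(name))
            if body.startswith("policy: "):
                c.policy = set(body[len("policy: "):].rstrip(";").split("+"))
            elif body.startswith("newest ISAKMP SA:"):
                c.newest_isakmp, c.newest_ipsec = map(int, re.findall(r"#(\d+)", body))
    return conns

def diagnose(c):
    # Flag the symptoms seen in the thread: a parent SA with no child SA, and Quick Mode stuck retransmitting.
    findings = []
    if "DONT_REKEY" in c.policy:
        findings.append("rekey disabled (DONT_REKEY in policy)")
    if c.newest_isakmp and not c.newest_ipsec:
        findings.append(f"ISAKMP SA #{c.newest_isakmp} established but no IPsec SA")
    for sa, (state, event) in sorted(c.states.items()):
        if state == "STATE_QUICK_I1" and event == "EVENT_v1_RETRANSMIT":
            findings.append(f"#{sa} stuck in Quick Mode (QI1 sent, no QR1 from peer)")
    return findings

if __name__ == "__main__":
    print({n: diagnose(c) for n, c in parse_status(SAMPLE_STATUS).items()})
```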
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan