Hello,

I've got a strange, well, not sure if it's a problem, more of a question.

My setup is Mikrotik router client <-> libreswan server on Debian, IKEv1 with 
certificate auth.

Usually, watching SAs in the Mikrotik web UI and "ipsec status", there is a 
tendency to have 4 or even 6 SAs and for them to rotate / expire a few times a 
day.

Now since maybe two days, I only got one pair of SAs - and it continues to 
accumulate more and more traffic stats in Mikrotik UI - that's how I know it's 
the same pair.

On the server side I get messages like these from time to time:

Feb 11 20:10:29 pluto[4767]: "mytunnel" #300: responding to Main Mode
Feb 11 20:10:29 pluto[4767]: "mytunnel" #300: STATE_MAIN_R1: sent MR1, 
expecting MI2
Feb 11 20:10:30 pluto[4767]: "mytunnel" #300: STATE_MAIN_R2: sent MR2, 
expecting MI3
Feb 11 20:10:30 pluto[4767]: "mytunnel" #300: STATE_MAIN_R2: retransmission; 
will wait 0.5 seconds for response
Feb 11 20:10:30 pluto[4767]: "mytunnel" #300: Peer ID is ID_DER_ASN1_DN: 'C=RU, 
L=Moscow, O=NewTunnel, OU=ac2'
Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: certificate verified OK: 
OU=ac2,O=NewTunnel,L=Moscow,C=RU
Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: Authenticated using RSA
Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: I am sending my cert
Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: STATE_MAIN_R3: sent MR3, ISAKMP 
SA established {auth=RSA_SIG cipher=AES_CBC_128 integ=HMAC_SHA2_256 
group=MODP2048}
Feb 11 20:10:31 pluto[4767]: "mytunnel" #300: retransmitting in response to 
duplicate packet; already STATE_MAIN_R3
Feb 11 20:22:21 pluto[4767]: "mytunnel" #299: deleting state (STATE_MAIN_I4) 
and sending notification


000 Total IPsec connections: loaded 1, active 1
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000  
000 #290: "mytunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); 
EVENT_SA_REPLACE in 841s; newest IPSEC; eroute owner; isakmp#289; idle;
000 #290: "mytunnel" esp.a76f21d@89.0.0.1 esp.366391ef@139.0.0.1 ref=0 refhim=0 
Traffic: ESPin=544KB ESPout=23MB! ESPmax=4194303B 
000 #300: "mytunnel":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); 
EVENT_SA_REPLACE in 1661s; newest ISAKMP; lastdpd=17s(seq in:25740 out:0); idle;

Now my question:

Is this, like, normal? For a single pair of SA's to be used over such long time 
(days) and not be rotated?

I thought (mistakenly) that SAs get replaced as part of the rekeying process?

Does this perhaps just mean that my Internet connection is more stable than 
before?

-- 
Kostya Vasilyev
k...@fastmail.com
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
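One way to check the question raised in the post, whether the "newest" SA pair is ever replaced, is to parse successive `ipsec status` snapshots and compare the state numbers. This is an added example, not code from the post or from libreswan; the first snapshot is copied from the status output quoted above, the second is constructed to show what a completed IPsec rekey looks like.

```python
import re

# State lines copied from the `ipsec status` output quoted in the post above.
SNAPSHOT_1 = """\
000 #290: "mytunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 841s; newest IPSEC; eroute owner; isakmp#289; idle;
000 #290: "mytunnel" esp.a76f21d@89.0.0.1 esp.366391ef@139.0.0.1 ref=0 refhim=0 Traffic: ESPin=544KB ESPout=23MB! ESPmax=4194303B
000 #300: "mytunnel":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1661s; newest ISAKMP; lastdpd=17s(seq in:25740 out:0); idle;
"""

# Constructed later snapshot (not from the post): the IPsec SA #290 has been
# replaced by #301, while the ISAKMP SA #300 is still the newest one.
SNAPSHOT_2 = """\
000 #301: "mytunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 3500s; newest IPSEC; eroute owner; isakmp#300; idle;
000 #300: "mytunnel":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 900s; newest ISAKMP; lastdpd=5s(seq in:25900 out:0); idle;
"""

# Matches only the state lines (the "Traffic:" line has no ':500 STATE_' part).
STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>\S+) '
    r'.*?EVENT_(?P<event>\w+) in (?P<secs>\d+)s.*?newest (?P<kind>IPSEC|ISAKMP)'
)


def parse_status(text):
    """Return {kind: (state_number, pending_event, seconds_until_event)}
    for the SA currently marked 'newest' of each kind (IPSEC / ISAKMP)."""
    newest = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            newest[m['kind']] = (int(m['num']), m['event'], int(m['secs']))
    return newest


def replaced_sas(before, after):
    """List the SA kinds whose 'newest' state number changed between two
    snapshots, i.e. where a rekey really produced a new SA in between."""
    return sorted(k for k in before if k in after and before[k][0] != after[k][0])


if __name__ == '__main__':
    a, b = parse_status(SNAPSHOT_1), parse_status(SNAPSHOT_2)
    for kind, (num, event, secs) in a.items():
        print(f"{kind}: #{num}, EVENT_{event} in {secs}s")
    print("replaced between snapshots:", replaced_sas(a, b))
```

Taking a snapshot once an hour and diffing them shows whether the same state numbers persist for days (no rekey) or whether EVENT_SA_REPLACE actually fires and new numbers appear.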
