Thank you for your response. I have read that document and have more or less based my config on it. I have a couple of questions though:

rekey is not mentioned in the X.509 example but is disabled in the EAP-MSCHAP example. I have now reactivated rekey in my configuration to test.

I have set reauth to no because it made my strongswan to strongswan tunnel drop the connection for a short moment. It is not mentioned in the Windows 7 configuration. Will having it enabled (like in the config examples) cause dropouts during IKE SA renegotiations like I get using only strongswan?

I now have rekey = on and reauth = on (default) to be as identical to the example configuration as possible.

I will try using ! if it doesn't work, but in my case it will cause issues because it will override the ike/esp parameters in my other connections (older mailing list post, something to do with me having %any as right in all my connections if I remember correctly).

When it happens again I will look at the logs. Do you want a particular log level or will the Debian default charon syslog do?

Regards,
Hans-Kristian Bakke

On Tue, Jan 10, 2012 at 15:32, Martin Willi <[email protected]> wrote:
> Hi,
>
>> After disabling rekeying for Windows 7 connection I got rid of most of
>> the reconnects caused by rekeying the SAs, but I still have one
>> annoying connection interruption left.
>
> When following the rules from [1], rekeying initiated by strongSwan
> works fine here.
>
>> But for some reason IP Security Monitor on Windows 7 reports 10800s as
>> main mode SA lifetime. Even if I change ikelifetime on the Strongswan
>> server to i.e 8 or 12h it is still 3h.
>
> I don't know if you can trust the IP Security Monitor, as it is mainly
> for IKEv1. Not sure if these 10800s are correct. Further, lifetimes are
> never negotiated in IKEv2, you can't change the behavior of Windows by
> defining an ikelifetime on strongSwan. It only changes the behavior of
> rekeying initiated locally.
>
>> Now, the problem isn't really the 3h interval, it's that all the
>> connections drop for a while until reconnect.
>
> Would be helpful to know exactly _what_ is happening every three hours.
> Does Windows trigger a rekey? Does it drop the CHILD_SA, close the
> IKE_SA? A strongSwan log output would be helpful.
>
>> ike=aes256-sha1-modp1024
>> esp=aes256-sha1
>
> I'd try to limit the proposal list to exactly these by appending a '!'.
> I'm not aware of any problems with our lengthy default proposal set, but
> just in case.
>
> Regards
> Martin
>
> [1]http://wiki.strongswan.org/projects/strongswan/wiki/Windows7#Rekeying-behavior
