Hello,
I'm running a FreeBSD kernel and strongswan 5.2.0 using the pfkeyv2 interface.
I have an annoying behavior on this connection:
----
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup

conn %default
        ikelifetime=3m
        keylife=30s
        rekeymargin=1s
        keyingtries=%forever
        keyexchange=ikev2
        mobike=no

conn net-net
        left=172.18.0.54
        leftcert=sn_2.cert.pem
        [email protected]
        leftsubnet=172.54.0.0/16
        right=172.18.0.53
        [email protected]
        rightsubnet=172.53.0.0/16
        auto=start
----
Notice the very low keylife.
The connection is successfully established and the SAD and SPD are properly
populated in the FreeBSD kernel.
If the SA is used, I get a SADB_EXPIRE message from the kernel and the CHILD_SA
is rekeyed.
If the SA is not used:
- the SA pair is flushed once the 'hard' kernel timeout is reached.
- 'ipsec statusall' shows the CHILD_SA is in state 'rekeying active' but
nothing happens
If I send some traffic in order to trigger the SP, I get a SADB_ACQUIRE message
from the kernel but strongswan complains there is no trap set.
I have to wait for the IKE SA to be rekeyed in order for the CHILD_SA to be
established again.
This sounds like a bug; I mean, 'start' would imply 'route'. But maybe I missed
something?
What do you think?
Regards,
Emeric Poupon
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
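For comparison, here is the same net-net connection written with auto=route instead of auto=start. This is an added example, not the configuration from the post above. In strongSwan, auto=route loads the connection and installs trap policies in the kernel SPD, so an SADB_ACQUIRE for traffic matching 172.54.0.0/16 <-> 172.53.0.0/16 is handled by charon and the CHILD_SA is (re)established on demand; auto=start initiates the connection once at startup and installs no trap by itself. Addresses, subnets, lifetimes and the certificate file name are taken from the post; the leftid/rightid values of the post are not readable here and are deliberately not reproduced.

```ini
# /etc/ipsec.conf - added example, not the configuration from the post.
# Identical to the posted net-net connection except for auto=route, which
# makes charon install trap policies for the two subnets at load time.
config setup

conn %default
        ikelifetime=3m
        keylife=30s
        rekeymargin=1s
        keyingtries=%forever
        keyexchange=ikev2
        mobike=no

conn net-net
        left=172.18.0.54
        leftcert=sn_2.cert.pem
        # leftid / rightid: set them as in the original configuration;
        # the identities from the post are not reproduced in this example.
        leftsubnet=172.54.0.0/16
        right=172.18.0.53
        rightsubnet=172.53.0.0/16
        # route: install trap policies instead of initiating at startup.
        # Outbound traffic matching the policy then raises an acquire that
        # charon uses to negotiate the CHILD_SA, whether it is the first
        # one or a replacement after the kernel flushed an expired pair.
        auto=route
```

After 'ipsec reload', 'ipsec statusall' lists net-net under "Routed Connections" before any SA exists, and on FreeBSD 'setkey -DP' shows the corresponding SPD entries. If the goal is to have the tunnel up immediately and also survive an idle expiry, the two behaviours can be combined by keeping auto=route and triggering the first negotiation with 'ipsec up net-net' from a startup script.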