Hi List, I've searched the archives and haven't so far come across a similar case to mine afaics.

I have StrongSWAN in AWS (Linux strongSwan U5.1.2/K3.13.0-48-generic) and a Cisco ASA on premise (I'll get the config and exact ASA spec soon but it's running upwards of v9). Everything is fine until the first rekey time (1h in my case), then it will recreate the SAs every ~3 minutes with:

---- 8< ----
Sep 3 09:05:13 strongswan-prod charon: 06[IKE] giving up after 5 retransmits
Sep 3 09:05:13 strongswan-prod charon: 06[IKE] restarting CHILD_SA aws-2-onprem
---- 8< ----

The tunnels re-establish immediately with no issues; the problem is just that it keeps doing it every 3 minutes, which causes havoc for ssh connections (the Windows guys just moan a bit :-). My workaround for now will be to set the lifetime to 24h and do "ipsec restart" from cron once a day, but it's not very elegant. Has anyone seen anything like this with Cisco ASA?

ipsec.conf:
---- 8< ----
conn aws-2-onprem
    keyexchange=ikev2
    ike=aes256-sha1-modp1024
    esp=aes256-sha1-modp1024      <-- pfs is off ASA side
    left=%defaultroute
    leftid=<left ip>
    leftsubnet=<local subnets>
    right=<right ip>
    rightsubnet=<remote subnets>
    dpdaction=restart             <-- initially thought DPD might be a problem with ASA
    # dpdaction=none              <-- tried this, bad idea in my case: no tunnels after rekey
    dpddelay=0                    <-- and tried this
    auto=start
    reauth=no                     <-- and tried this in the hope it wouldn't delete the SAs, no luck
    keylife=1d                    <-- last thing is to make rekey time a whole day and ipsec restart once a day
---- 8< ----

Any ideas? Many thanks!

--
Willem Roos
wr...@shoprite.co.za (+27 21 980 4941, +27 83 703 9310)
Disclaimer: http://www.shopriteholdings.co.za/Pages/ShopriteE-mailDisclaimer.aspx
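As an added example (not part of the original post), a small Python check that turns the charon messages quoted above into a flap detector: it parses "restarting CHILD_SA" lines per connection from syslog and flags any connection restarted repeatedly within a short interval, which is the every-3-minutes pattern described. The sample log lines, the year (syslog timestamps carry none) and the thresholds are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the charon lines quoted in the post
# (timestamps after the first pair and "other-conn" are made up).
SAMPLE_LOG = """\
Sep  3 09:05:13 strongswan-prod charon: 06[IKE] giving up after 5 retransmits
Sep  3 09:05:13 strongswan-prod charon: 06[IKE] restarting CHILD_SA aws-2-onprem
Sep  3 09:08:20 strongswan-prod charon: 09[IKE] giving up after 5 retransmits
Sep  3 09:08:20 strongswan-prod charon: 09[IKE] restarting CHILD_SA aws-2-onprem
Sep  3 09:11:27 strongswan-prod charon: 11[IKE] giving up after 5 retransmits
Sep  3 09:11:27 strongswan-prod charon: 11[IKE] restarting CHILD_SA aws-2-onprem
Sep  3 10:30:00 strongswan-prod charon: 12[IKE] restarting CHILD_SA other-conn
"""

# syslog timestamp, host, charon thread tag, then the CHILD_SA restart message
RESTART_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ charon: \d+\[IKE\] "
    r"restarting CHILD_SA (?P<conn>\S+)$"
)


def parse_restarts(log_text, year=2015):
    """Return {conn_name: [datetime, ...]} for every 'restarting CHILD_SA' line."""
    restarts = {}
    for line in log_text.splitlines():
        m = RESTART_RE.match(line)
        if not m:
            continue
        # syslog lines have no year, so the caller supplies one (assumed here)
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        restarts.setdefault(m.group("conn"), []).append(ts)
    return restarts


def flapping_conns(restarts, max_gap_s=300, min_restarts=3):
    """Connections restarted >= min_restarts times with every gap <= max_gap_s.

    Returns {conn_name: [gap_seconds, ...]} so the period of the flap is visible.
    """
    flapping = {}
    for conn, times in restarts.items():
        times = sorted(times)
        if len(times) < min_restarts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(g <= max_gap_s for g in gaps):
            flapping[conn] = gaps
    return flapping


if __name__ == "__main__":
    for conn, gaps in flapping_conns(parse_restarts(SAMPLE_LOG)).items():
        print(f"{conn}: restarted {len(gaps) + 1} times, gaps {gaps} s")
```

Pointing `parse_restarts` at `journalctl -u strongswan` or `/var/log/syslog` output gives a quick way to confirm whether the restarts stop once a lifetime or proposal change has been made on either side.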
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users