Hi List,

I've searched the archives and haven't so far come across a similar case to 
mine afaics.

I have StrongSWAN in AWS (Linux strongSwan U5.1.2/K3.13.0-48-generic) and a 
Cisco ASA on premise (I'll get the config and exact ASA spec soon but it's 
running upwards of v9).  Everything is fine until the first rekey time (1h in 
my case), then it will recreate the SAs every ~3 minutes with:

---- 8< ----
Sep  3 09:05:13 strongswan-prod charon: 06[IKE] giving up after 5 retransmits
Sep  3 09:05:13 strongswan-prod charon: 06[IKE] restarting CHILD_SA aws-2-onprem
---- 8< ----

The tunnels re-establish immediately with no issues, the problem is just it 
keeps doing it every 3 minutes which causes havoc for ssh connections (the 
Windows guys just moan a bit :-).

My workaround for now will be to set the lifetime to 24h and do "ipsec restart" 
from cron once a day but it's not very elegant.  Has anyone seen anything like 
this with Cisco ASA?

ipsec.conf:
---- 8< ----
conn aws-2-onprem
        keyexchange=ikev2
        ike=aes256-sha1-modp1024
        esp=aes256-sha1-modp1024        <-- pfs is off ASA side
        left=%defaultroute
        leftid=<left ip>
        leftsubnet=<local subnets>
        right=<right ip>
        rightsubnet=<remote subnets>
        dpdaction=restart               <-- initially thought DPD might be a problem with ASA
        # dpdaction=none                <-- tried this, bad idea in my case: no tunnels after rekey
        dpddelay=0                      <-- and tried this
        auto=start
        reauth=no                       <-- and tried this in the hope it wouldn't delete the SAs, no luck
        keylife=1d                      <-- last thing is to make rekey time a whole day and ipsec restart once a day
---- 8< ----

Any ideas?

Many thanks!

--
Willem Roos
wr...@shoprite.co.za (+27 21 980 4941, +27 83 703 9310)

Disclaimer:
http://www.shopriteholdings.co.za/Pages/ShopriteE-mailDisclaimer.aspx
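As an added example (not from Willem's post or from strongSwan itself), a small Python check that runs over charon syslog lines like the two quoted above and flags a CHILD_SA that keeps being restarted at a steady short interval, which is the rekey-loop symptom described. The sample log lines are constructed, and the year is assumed because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample charon syslog lines, modelled on the two lines quoted
# in the post; a real log would be read from /var/log/syslog or similar.
SAMPLE_LOG = """\
Sep  3 08:02:10 strongswan-prod charon: 05[IKE] CHILD_SA aws-2-onprem{1} established
Sep  3 09:05:13 strongswan-prod charon: 06[IKE] giving up after 5 retransmits
Sep  3 09:05:13 strongswan-prod charon: 06[IKE] restarting CHILD_SA aws-2-onprem
Sep  3 09:08:13 strongswan-prod charon: 07[IKE] giving up after 5 retransmits
Sep  3 09:08:13 strongswan-prod charon: 07[IKE] restarting CHILD_SA aws-2-onprem
Sep  3 09:11:13 strongswan-prod charon: 08[IKE] giving up after 5 retransmits
Sep  3 09:11:13 strongswan-prod charon: 08[IKE] restarting CHILD_SA aws-2-onprem
"""

# Matches the "restarting CHILD_SA <conn>" line; the syslog prefix is
# "<Mon> <day> <HH:MM:SS> <host> charon: <thread>[IKE] ...".
RESTART_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ charon: \d+\[IKE\] "
    r"restarting CHILD_SA (?P<conn>\S+)$"
)


def restart_times(log, year=2015):
    """Return {conn_name: [datetime, ...]} of CHILD_SA restarts in the log.

    The year is an assumption supplied by the caller (syslog omits it).
    """
    out = {}
    for line in log.splitlines():
        m = RESTART_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.setdefault(m["conn"], []).append(ts)
    return out


def restart_loops(log, max_gap_s=600, min_restarts=3):
    """Flag connections restarted at least min_restarts times in a row,
    each restart within max_gap_s of the previous one.

    Returns {conn_name: mean_gap_seconds} for the flagged connections.
    """
    loops = {}
    for conn, times in restart_times(log).items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_restarts and all(g <= max_gap_s for g in gaps):
            loops[conn] = round(sum(gaps) / len(gaps))
    return loops
```

On the constructed sample this reports aws-2-onprem restarting every 180 seconds, matching the "every ~3 minutes" pattern in the post; a single restart after a genuine DPD timeout is not flagged.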
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users