Hi,

We are using strongSwan 5.5.1 on Debian 9 with IKEv2. The other sides are Cisco ISR 2900 routers. The connection works fine, but sometimes we have a disconnect and the tunnels on the Cisco side are marked as down. After /etc/init.d/ipsec restart everything works again.
In the early days when I started using IPsec this always meant a difference in the lifetime configured for the IKE SA or IPsec SA. I am new to IKEv2 and started investigating the problem; RFC 7296 clearly states:

"A difference between IKEv1 and IKEv2 is that in IKEv1 SA lifetimes were negotiated. In IKEv2, each end of the SA is responsible for enforcing its own lifetime policy on the SA and rekeying the SA when necessary. If the two ends have different lifetime policies, the end with the shorter lifetime will end up always being the one to request the rekeying."

What is best practice to define a lifetime? Should it be defined on the Cisco side or on the strongSwan side? Or different on both sides to avoid simultaneous rekeying? strongSwan has some options for jittering the lifetime, but I think the Cisco side does not have them. What if I want IKE SA rekeying after 24 hours and IPsec SA rekeying after 1 hour?

We use ipsec.conf; our template looks like this for now:

config setup
    # Enable debug logs:
    #charondebug="ike 2, cfg 2"
    charonstart=yes

conn %default
    ikelifetime=1440m
    keylife=60m
    ike=aes256-sha512-modp4096
    esp=aes256-sha512
    rekeymargin=3m
    keyingtries=1
    mobike=no
    keyexchange=ikev2
    authby=rsasig

conn host-vpn1
    leftcert=<%= @fqdn %>.pem
    left=%any
    right=<%= @router1 %>
    rightid=%any
    type=transport
    auto=add

conn host-vpn2
    leftcert=<%= @fqdn %>.pem
    left=%any
    right=<%= @router2 %>
    rightid=%any
    type=transport
    auto=add

Should I better add "reauth = no" to avoid a short connection outage, and just explicitly enable "rekey = yes" and "rekeyfuzz = 100%" to avoid rekeying of both tunnels in the same timeframe?

Best regards
Waldemar
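The rekey timing question above can be worked through numerically. The following is an added example (not part of the mailing-list post and not strongSwan's own code) that models strongSwan's documented ipsec.conf scheduling rule, rekey at lifetime - (rekeymargin + random(0, rekeymargin * rekeyfuzz)), for the values in the template, and applies the RFC 7296 rule that the peer with the earlier rekey deadline is the one that initiates. The Cisco-side lifetimes (86400 s for the IKE SA, 3600 s for the IPsec SA) are constructed assumptions used as the remote policy; the helper names `parse_duration`, `RekeyPolicy`, `rekey_window`, `rekey_initiator` and `tunnel_spread` are this example's own.

```python
"""Model of strongSwan ipsec.conf rekey scheduling vs. a peer's fixed lifetime.

Added example, not code from the post or from strongSwan. Rule modelled
(strongSwan ExpiryRekey documentation): the soft rekey happens at
    lifetime - (rekeymargin + random(0, rekeymargin * rekeyfuzz)).
"""
import random
from dataclasses import dataclass

# Time units accepted by ipsec.conf: seconds, minutes, hours, days.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value: str) -> int:
    """Parse an ipsec.conf time value such as '1440m', '60m', '3m' or '24h' into seconds."""
    value = value.strip()
    if value and value[-1] in _UNITS:
        return int(value[:-1]) * _UNITS[value[-1]]
    return int(value)  # bare number means seconds


def parse_percent(value: str) -> int:
    """Parse a rekeyfuzz value such as '100%' into an integer percentage."""
    return int(value.strip().rstrip("%"))


@dataclass(frozen=True)
class RekeyPolicy:
    lifetime_s: int  # ikelifetime (IKE SA) or keylife (CHILD_SA)
    margin_s: int    # rekeymargin
    fuzz_pct: int    # rekeyfuzz

    @classmethod
    def from_conf(cls, lifetime: str, margin: str = "9m", fuzz: str = "100%") -> "RekeyPolicy":
        # Defaults match strongSwan's documented ipsec.conf defaults (rekeymargin=9m, rekeyfuzz=100%).
        return cls(parse_duration(lifetime), parse_duration(margin), parse_percent(fuzz))


def rekey_window(policy: RekeyPolicy) -> tuple[int, int]:
    """Earliest and latest soft-rekey offset (seconds after SA setup) under the policy."""
    max_jitter = policy.margin_s * policy.fuzz_pct // 100
    latest = policy.lifetime_s - policy.margin_s
    return latest - max_jitter, latest


def sample_rekey_time(policy: RekeyPolicy, rng: random.Random) -> float:
    """One randomised rekey offset, as the daemon would draw it for a single SA."""
    max_jitter = policy.margin_s * policy.fuzz_pct / 100
    return policy.lifetime_s - (policy.margin_s + rng.uniform(0, max_jitter))


def rekey_initiator(local_rekey_s: float, remote_rekey_s: float) -> str:
    """RFC 7296: each end enforces its own policy, so the earlier deadline initiates."""
    if local_rekey_s < remote_rekey_s:
        return "local"
    if remote_rekey_s < local_rekey_s:
        return "remote"
    # Simultaneous CREATE_CHILD_SA from both sides; RFC 7296 section 2.8.1 resolves
    # the collision by nonce comparison, but it is the case the question wants to avoid.
    return "both"


def tunnel_spread(policy: RekeyPolicy, n_tunnels: int, seed: int = 0) -> float:
    """Largest gap between the rekey times of n tunnels that came up together.

    Shows how far rekeyfuzz can separate tunnels: never more than margin * fuzz.
    """
    rng = random.Random(seed)
    times = sorted(sample_rekey_time(policy, rng) for _ in range(n_tunnels))
    return times[-1] - times[0]


if __name__ == "__main__":
    # Values from the posted template; rekeyfuzz left at strongSwan's default of 100%.
    ike = RekeyPolicy.from_conf("1440m", "3m", "100%")
    child = RekeyPolicy.from_conf("60m", "3m", "100%")
    # Constructed assumption for the Cisco side: it rekeys at its configured lifetime.
    cisco_ike_s, cisco_ipsec_s = 86400, 3600

    for name, pol, remote in (("IKE SA", ike, cisco_ike_s), ("IPsec SA", child, cisco_ipsec_s)):
        lo, hi = rekey_window(pol)
        print(f"{name}: strongSwan rekeys between {lo}s and {hi}s; peer lifetime {remote}s; "
              f"initiator = {rekey_initiator(hi, remote)}")
    print(f"two tunnels drift apart by at most {tunnel_spread(child, 2):.0f}s with rekeymargin=3m")
```

With rekeymargin=3m the jitter window is only 3 minutes wide, so two tunnels brought up together will still rekey within a few minutes of each other; raising rekeymargin is what widens the spread that rekeyfuzz can use. Because the strongSwan deadlines fall before the assumed Cisco lifetimes in every case, strongSwan is always the initiator, which is what the RFC text predicts for the shorter-lifetime end.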