[Swan] Libreswan don't want to up a child SA

2021-12-22 Thread Ivan Kuznetsov
KMP; idle; 000 #33751: "customer/0x1":500 STATE_V2_IPSEC_R (IPsec SA established); EVENT_SA_REKEY in 3414s; newest IPSEC; eroute owner; isakmp#33417; idle; 000 #33751: "customer/0x1" esp.9d603d4@E.F.G.H esp.232cb42f@A.B.C.D tun.0@E.F.G.H tun.0@A.B.C.D ref=0 refhim=0 Traffic: ESPin=0

Re: [Swan] SA lifetime too short, less than configured

2021-05-20 Thread Ivan Kuznetsov
Gzipped log for time 00:42:14 is attached. As I understand, the other side (Cisco ASA) sends an ISAKMP_v2_INFORMATIONAL message containing an ISAKMP_NEXT_v2D payload that asks to delete the #103354 SA 20.05.2021 19:33, Ivan Kuznetsov wrote: Hello Paul 17.05.2021 18:01, Paul Wouters wrote: On Mon, 17 May

Re: [Swan] SA lifetime too short, less than configured

2021-05-20 Thread Ivan Kuznetsov
Hello Paul 17.05.2021 18:01, Paul Wouters wrote: On Mon, 17 May 2021, Ivan Kuznetsov wrote: Yes, all the bkp* has the same life times: [root@vpn3 ipsec.d]# ipsec auto --status | grep bkp | grep ike_life 000 "bkp/0x1":   ike_life: 86400s; ipsec_life: 28800s; replay_window: 32; re

Re: [Swan] SA lifetime too short, less than configured

2021-05-17 Thread Ivan Kuznetsov
14.05.2021 16:08, Paul Wouters wrote: On Fri, 14 May 2021, Ivan Kuznetsov wrote: No, config lines are not ignored. Here is status output, it shows 'ike_life: 86400s' and 'ipsec_life: 28800s' implemented [root@vpn3 ipsec.d]# ipsec auto --status | grep bkp/0x2 000 "bkp/0x2": 00

Re: [Swan] SA lifetime too short, less than configured

2021-05-14 Thread Ivan Kuznetsov
ion is supposed to remain up; schedule EVENT_REVIVE_CONNS May 14 14:00:01.953334: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy May 14 14:00:01.953376: "bkp/0x2" #94672: initiating IKEv2 IKE SA May 14 14:00:01.954247: "

[Swan] SA lifetime too short, less than configured

2021-05-14 Thread Ivan Kuznetsov
rekeymargin=5m keyingtries=3 fragmentation=yes #BKP's Cisco ASA has nonstandard DPD #dpddelay=30 #dpdtimeout=120 #dpdaction=restart Libreswan log is attached -- Regards, Ivan Kuznetsov SOLVO ltd May 13 16:15:12.957820: "bkp/0x2" #92837: dele

Re: [Swan] rightsubnets

2018-09-27 Thread Ivan Kuznetsov
Hmm, I remember I had a similar problem with an earlier version of libreswan. But my current configuration mostly has ikev1 peers. Few ikev2 peers config has just one left/rightsubnet, so I'm not sure 27.09.2018 17:59, Satavee Junwana wrote: I also have the same problem for ikev2., Libreswan

Re: [Swan] rightsubnets

2018-09-27 Thread Ivan Kuznetsov
Hi, Eugeniy rightsubnets=10.1.208.0/28,10.1.102.0/24,10.1.100.22/32 works at my site. libreswan-3.21-1.el6_9 27.09.2018 17:49, Eugeniy Khvastunov wrote: In all cases work only last subnet from list. P.S.: libreswan-3.23-5.el7_5.x86_64 On Thu, Sep 27, 2018 at 5:46 PM Nick Howitt

Re: [Swan] Overlapping traffic selectors and IKEv1

2018-04-24 Thread Ivan Kuznetsov
24.04.2018 16:08, Ivan Kuznetsov wrote: Customer side equipment is some Cisco router, I don't know details. Our side is libreswan 3.21 Libreswan 3.21 under Linux (kernel 4.1.12) The question seems to be about Linux netkey stack, not libreswan. But if someone shows me the good URL to read I

Re: [Swan] Forward of moderated message

2017-11-10 Thread Ivan Kuznetsov
ill a problem? Paul ___ Swan mailing list Swan@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan -- Ivan Kuznetsov SOLVO ltd

[Swan] Does libreswan supports DH negotiation in ESP?

2017-05-17 Thread Ivan Kuznetsov
Hello, I am trying to set up a site-to-site tunnel using ESP, IKEv2 and certificates. My side is Oracle Linux 6 (a RHEL6 clone from Oracle), libreswan 3.20, NETKEY stack as initiator. Other side is strongswan, don't know exact version (not under my control), as responder. My configuration: conn