Hi All,

Strongswan version: 4.53.

Setup:
======
Strongswan <--------------------------> CISCO SGW (CISCO SAMI)

Traffic loss of 2-3 min is observed when we are using the IPSec lifetime 300S for IKEv1 mode on the above setup.

Child SA lifetime = 300S
rekeymargin = 180S
rekeyfuzz = 50%

Here, a Child SA will be created once the rekey time has expired in the Strongswan node, and the new child is also updated to strongswan. Now Strongswan will have two Child SAs. One will be in the state of EVENT_SA_EXPIRE & EVENT_SA_REPLACE. But the CISCO SGW is only updating the INBOUND SA immediately, and OUT will be updated later. There is no issue as long as strongswan keeps both the OLD and New SA. Traffic will flow as expected. But, in some rekeying periods, the Strongswan node only has EVENT_SA_REPLACE and the SGW is still using the old OUTBOUND SA, and downlink traffic is dropped in strongswan.

Where could the problem be? Strongswan node or CISCO SGW?

Are the following rekeying parameters OK for a 300S lifetime?

rekeymargin = 180S
rekeyfuzz = 50%

Why is the Strongswan node not syncing for lower lifetime values with CISCO?

--
By Jegathesh,
_______________________________________________ Dev mailing list Dev@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/dev