Hello,

We use libreswan 3.32 under Linux and have an IPsec peer who recently
upgraded their Cisco ASA. The tunnel was migrated to IKEv2. All works fine
except that the libreswan side restarts ISAKMP too often, mostly after 1h.
ESP is restarted too. The lifetime settings are 24h for phase 1 and 8h
for phase 2 on both sides. rekeymargin has the default value (300s).

Why does libreswan drop the ISAKMP SA regardless of the explicit settings?
Libreswan configuration:
conn bkp
    type=tunnel
    auto=start
    authby=secret
    left=11.22.33.44
    leftsubnet=172.16.80.0/20
    right=55.66.77.88
    rightsubnets=10.1.208.0/28,10.1.102.0/24,10.1.100.22/32,10.1.104.0/29
    ikev2=yes
    ikelifetime=24h
    initial-contact=yes
    phase2=esp
    salifetime=8h
    # BKP's Cisco ASA has strange behaviour regarding DH groups on phase2
    pfs=no
    rekey=yes
    rekeymargin=5m
    keyingtries=3
    fragmentation=yes
    # BKP's Cisco ASA has nonstandard DPD
    # dpddelay=30
    # dpdtimeout=120
    # dpdaction=restart
The libreswan log is attached.
--
Regards, Ivan Kuznetsov
SOLVO ltd
May 13 16:15:12.957820: "bkp/0x2" #92837: deleting other state #92837 (STATE_CHILDSA_DEL) aged 5702.583s and NOT sending notification
May 13 16:15:12.967038: "bkp/0x2" #92836: deleting state (STATE_IKESA_DEL) aged 5702.633s and NOT sending notification
May 13 16:15:12.967090: "bkp/0x2" #92836: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS
May 13 16:15:12.967201: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy
May 13 16:15:12.967238: "bkp/0x2" #92959: initiating IKEv2 IKE SA
May 13 16:15:12.968129: "bkp/0x2" #92959: STATE_PARENT_I1: sent v2I1, expected v2R1
May 13 16:15:13.007403: "bkp/0x2" #92959: sending INITIAL_CONTACT
May 13 16:15:13.007540: "bkp/0x2" #92960: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
May 13 16:15:13.044523: "bkp/0x2" #92960: IKEv2 mode peer ID is ID_IPV4_ADDR: '55.66.77.88'
May 13 16:15:13.044645: "bkp/0x2" #92960: Authenticated using authby=secret
May 13 16:15:13.053699: "bkp/0x2" #92960: negotiated connection [172.16.80.0-172.16.95.255:0-65535 0] -> [10.1.102.0-10.1.102.255:0-65535 0]
May 13 16:15:13.053719: "bkp/0x2" #92960: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x3ec67a0f <0x3514d4db xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}
May 13 16:46:59.518754: "bkp/0x2" #92960: deleting other state #92960 (STATE_CHILDSA_DEL) aged 1906.511s and NOT sending notification
May 13 16:46:59.526985: "bkp/0x2" #92959: deleting state (STATE_IKESA_DEL) aged 1906.559s and NOT sending notification
May 13 16:46:59.527026: "bkp/0x2" #92959: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS
May 13 16:46:59.527111: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy
May 13 16:46:59.527144: "bkp/0x2" #93010: initiating IKEv2 IKE SA
May 13 16:46:59.528001: "bkp/0x2" #93010: STATE_PARENT_I1: sent v2I1, expected v2R1
May 13 16:46:59.567340: "bkp/0x2" #93010: sending INITIAL_CONTACT
May 13 16:46:59.567472: "bkp/0x2" #93011: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
May 13 16:46:59.604695: "bkp/0x2" #93011: IKEv2 mode peer ID is ID_IPV4_ADDR: '55.66.77.88'
May 13 16:46:59.604808: "bkp/0x2" #93011: Authenticated using authby=secret
May 13 16:46:59.613477: "bkp/0x2" #93011: negotiated connection [172.16.80.0-172.16.95.255:0-65535 0] -> [10.1.102.0-10.1.102.255:0-65535 0]
May 13 16:46:59.613507: "bkp/0x2" #93011: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xf765c4e7 <0x1fdac55e xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}
May 13 17:28:00.687384: "bkp/0x2" #93011: deleting other state #93011 (STATE_CHILDSA_DEL) aged 2461.120s and NOT sending notification
May 13 17:28:00.695676: "bkp/0x2" #93010: deleting state (STATE_IKESA_DEL) aged 2461.168s and NOT sending notification
May 13 17:28:00.695744: "bkp/0x2" #93010: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS
May 13 17:28:00.695887: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy
May 13 17:28:00.695918: "bkp/0x2" #93056: initiating IKEv2 IKE SA
May 13 17:28:00.696736: "bkp/0x2" #93056: STATE_PARENT_I1: sent v2I1, expected v2R1
May 13 17:28:00.735876: "bkp/0x2" #93056: sending INITIAL_CONTACT
May 13 17:28:00.736020: "bkp/0x2" #93057: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
May 13 17:28:00.772933: "bkp/0x2" #93057: IKEv2 mode peer ID is ID_IPV4_ADDR: '55.66.77.88'
May 13 17:28:00.773033: "bkp/0x2" #93057: Authenticated using authby=secret
May 13 17:28:00.781301: "bkp/0x2" #93057: negotiated connection [172.16.80.0-172.16.95.255:0-65535 0] -> [10.1.102.0-10.1.102.255:0-65535 0]
May 13 17:28:00.781318: "bkp/0x2" #93057: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xd56c81f7 <0xbe160c96 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}
May 13 21:18:33.201442: "bkp/0x2" #93057: deleting other state #93057 (STATE_CHILDSA_DEL) aged 13832.465s and NOT sending notification
May 13 21:18:33.210119: "bkp/0x2" #93056: deleting state (STATE_IKESA_DEL) aged 13832.514s and NOT sending notification
May 13 21:18:33.210173: "bkp/0x2" #93056: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS
May 13 21:18:33.210299: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy
May 13 21:18:33.210334: "bkp/0x2" #93362: initiating IKEv2 IKE SA
May 13 21:18:33.211225: "bkp/0x2" #93362: STATE_PARENT_I1: sent v2I1, expected v2R1
May 13 21:18:33.250830: "bkp/0x2" #93362: sending INITIAL_CONTACT
May 13 21:18:33.250968: "bkp/0x2" #93363: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
May 13 21:18:33.288437: "bkp/0x2" #93363: IKEv2 mode peer ID is ID_IPV4_ADDR: '55.66.77.88'
May 13 21:18:33.288593: "bkp/0x2" #93363: Authenticated using authby=secret
May 13 21:18:33.301998: "bkp/0x2" #93363: negotiated connection [172.16.80.0-172.16.95.255:0-65535 0] -> [10.1.102.0-10.1.102.255:0-65535 0]
May 13 21:18:33.302015: "bkp/0x2" #93363: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x556a516a <0x77727391 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}
May 13 21:50:00.091386: "bkp/0x2" #93363: deleting other state #93363 (STATE_CHILDSA_DEL) aged 1886.840s and NOT sending notification
May 13 21:50:00.105145: "bkp/0x2" #93362: deleting state (STATE_IKESA_DEL) aged 1886.894s and NOT sending notification
May 13 21:50:00.105208: "bkp/0x2" #93362: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS
May 13 21:50:00.105327: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy
May 13 21:50:00.105360: "bkp/0x2" #93389: initiating IKEv2 IKE SA
May 13 21:50:00.106236: "bkp/0x2" #93389: STATE_PARENT_I1: sent v2I1, expected v2R1
May 13 21:50:00.145947: "bkp/0x2" #93389: sending INITIAL_CONTACT
May 13 21:50:00.146085: "bkp/0x2" #93390: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
May 13 21:50:00.183620: "bkp/0x2" #93390: IKEv2 mode peer ID is ID_IPV4_ADDR: '55.66.77.88'
May 13 21:50:00.183722: "bkp/0x2" #93390: Authenticated using authby=secret
May 13 21:50:00.192368: "bkp/0x2" #93390: negotiated connection [172.16.80.0-172.16.95.255:0-65535 0] -> [10.1.102.0-10.1.102.255:0-65535 0]
May 13 21:50:00.192397: "bkp/0x2" #93390: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x392f9f7c <0xc1785058 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}
May 13 22:42:00.186897: "bkp/0x2" #93390: deleting other state #93390 (STATE_CHILDSA_DEL) aged 3120.040s and NOT sending notification
May 13 22:42:00.195842: "bkp/0x2" #93389: deleting state (STATE_IKESA_DEL) aged 3120.090s and NOT sending notification
May 13 22:42:00.195891: "bkp/0x2" #93389: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS
May 13 22:42:00.195991: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy
May 13 22:42:00.196031: "bkp/0x2" #93455: initiating IKEv2 IKE SA
May 13 22:42:00.196915: "bkp/0x2" #93455: STATE_PARENT_I1: sent v2I1, expected v2R1
May 13 22:42:00.236536: "bkp/0x2" #93455: sending INITIAL_CONTACT
May 13 22:42:00.236671: "bkp/0x2" #93456: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
May 13 22:42:00.274026: "bkp/0x2" #93456: IKEv2 mode peer ID is ID_IPV4_ADDR: '55.66.77.88'
May 13 22:42:00.274126: "bkp/0x2" #93456: Authenticated using authby=secret
May 13 22:42:00.286895: "bkp/0x2" #93456: negotiated connection [172.16.80.0-172.16.95.255:0-65535 0] -> [10.1.102.0-10.1.102.255:0-65535 0]
May 13 22:42:00.286916: "bkp/0x2" #93456: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xeeee1e2c <0x966bb95c xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}
May 13 23:42:00.301017: "bkp/0x2" #93456: deleting other state #93456 (STATE_CHILDSA_DEL) aged 3600.064s and NOT sending notification
May 13 23:42:00.328313: "bkp/0x2" #93455: deleting state (STATE_IKESA_DEL) aged 3600.132s and NOT sending notification
May 13 23:42:00.328417: "bkp/0x2" #93455: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS
May 13 23:42:00.328608: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy
May 13 23:42:00.328686: "bkp/0x2" #93529: initiating IKEv2 IKE SA
May 13 23:42:00.330507: "bkp/0x2" #93529: STATE_PARENT_I1: sent v2I1, expected v2R1
May 13 23:42:00.370910: "bkp/0x2" #93529: sending INITIAL_CONTACT
May 13 23:42:00.371224: "bkp/0x2" #93530: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
May 13 23:42:00.408462: "bkp/0x2" #93530: IKEv2 mode peer ID is ID_IPV4_ADDR: '55.66.77.88'
May 13 23:42:00.408565: "bkp/0x2" #93530: Authenticated using authby=secret
May 13 23:42:00.417593: "bkp/0x2" #93530: negotiated connection [172.16.80.0-172.16.95.255:0-65535 0] -> [10.1.102.0-10.1.102.255:0-65535 0]
May 13 23:42:00.417614: "bkp/0x2" #93530: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xf53e0147 <0x9b78cceb xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}
May 14 00:42:00.414648: "bkp/0x2" #93530: deleting other state #93530 (STATE_CHILDSA_DEL) aged 3600.043s and NOT sending notification
May 14 00:42:00.423833: "bkp/0x2" #93529: deleting state (STATE_IKESA_DEL) aged 3600.095s and NOT sending notification
May 14 00:42:00.423877: "bkp/0x2" #93529: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS
May 14 00:42:00.423966: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy
May 14 00:42:00.423998: "bkp/0x2" #93620: initiating IKEv2 IKE SA
May 14 00:42:00.424820: "bkp/0x2" #93620: STATE_PARENT_I1: sent v2I1, expected v2R1
May 14 00:42:00.464340: "bkp/0x2" #93620: sending INITIAL_CONTACT
May 14 00:42:00.464468: "bkp/0x2" #93621: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
May 14 00:42:00.501680: "bkp/0x2" #93621: IKEv2 mode peer ID is ID_IPV4_ADDR: '55.66.77.88'
May 14 00:42:00.501787: "bkp/0x2" #93621: Authenticated using authby=secret
May 14 00:42:00.514696: "bkp/0x2" #93621: negotiated connection [172.16.80.0-172.16.95.255:0-65535 0] -> [10.1.102.0-10.1.102.255:0-65535 0]
May 14 00:42:00.514716: "bkp/0x2" #93621: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x39c3bfb6 <0x2ac019f8 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}
May 14 01:42:00.526556: "bkp/0x2" #93621: deleting other state #93621 (STATE_CHILDSA_DEL) aged 3600.062s and NOT sending notification
May 14 01:42:00.535186: "bkp/0x2" #93620: deleting state (STATE_IKESA_DEL) aged 3600.111s and NOT sending notification
May 14 01:42:00.535259: "bkp/0x2" #93620: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS
May 14 01:42:00.535362: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy
May 14 01:42:00.535392: "bkp/0x2" #93689: initiating IKEv2 IKE SA
May 14 01:42:00.536266: "bkp/0x2" #93689: STATE_PARENT_I1: sent v2I1, expected v2R1
May 14 01:42:00.575671: "bkp/0x2" #93689: sending INITIAL_CONTACT
May 14 01:42:00.575803: "bkp/0x2" #93690: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
May 14 01:42:00.613132: "bkp/0x2" #93690: IKEv2 mode peer ID is ID_IPV4_ADDR: '55.66.77.88'
May 14 01:42:00.613252: "bkp/0x2" #93690: Authenticated using authby=secret
May 14 01:42:00.625944: "bkp/0x2" #93690: negotiated connection [172.16.80.0-172.16.95.255:0-65535 0] -> [10.1.102.0-10.1.102.255:0-65535 0]
May 14 01:42:00.625971: "bkp/0x2" #93690: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x39488a3f <0x6ee7ac45 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}
May 14 02:42:00.649235: "bkp/0x2" #93690: deleting other state #93690 (STATE_CHILDSA_DEL) aged 3600.073s and NOT sending notification
May 14 02:42:00.657806: "bkp/0x2" #93689: deleting state (STATE_IKESA_DEL) aged 3600.122s and NOT sending notification
May 14 02:42:00.657875: "bkp/0x2" #93689: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS
May 14 02:42:00.658011: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy
May 14 02:42:00.658043: "bkp/0x2" #93774: initiating IKEv2 IKE SA
May 14 02:42:00.658898: "bkp/0x2" #93774: STATE_PARENT_I1: sent v2I1, expected v2R1
May 14 02:42:00.705287: "bkp/0x2" #93774: sending INITIAL_CONTACT
May 14 02:42:00.705419: "bkp/0x2" #93775: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
May 14 02:42:00.742744: "bkp/0x2" #93775: IKEv2 mode peer ID is ID_IPV4_ADDR: '55.66.77.88'
May 14 02:42:00.742847: "bkp/0x2" #93775: Authenticated using authby=secret
May 14 02:42:00.751791: "bkp/0x2" #93775: negotiated connection [172.16.80.0-172.16.95.255:0-65535 0] -> [10.1.102.0-10.1.102.255:0-65535 0]
May 14 02:42:00.751812: "bkp/0x2" #93775: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xfa3234ec <0x6806b379 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}
May 14 03:42:00.765293: "bkp/0x2" #93775: deleting other state #93775 (STATE_CHILDSA_DEL) aged 3600.060s and NOT sending notification
May 14 03:42:00.792210: "bkp/0x2" #93774: deleting state (STATE_IKESA_DEL) aged 3600.134s and NOT sending notification
May 14 03:42:00.792299: "bkp/0x2" #93774: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS
May 14 03:42:00.792479: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy
May 14 03:42:00.792544: "bkp/0x2" #93865: initiating IKEv2 IKE SA
May 14 03:42:00.794137: "bkp/0x2" #93865: STATE_PARENT_I1: sent v2I1, expected v2R1
May 14 03:42:00.834067: "bkp/0x2" #93865: sending INITIAL_CONTACT
May 14 03:42:00.834253: "bkp/0x2" #93866: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
May 14 03:42:00.871392: "bkp/0x2" #93866: IKEv2 mode peer ID is ID_IPV4_ADDR: '55.66.77.88'
May 14 03:42:00.871491: "bkp/0x2" #93866: Authenticated using authby=secret
May 14 03:42:00.880071: "bkp/0x2" #93866: negotiated connection [172.16.80.0-172.16.95.255:0-65535 0] -> [10.1.102.0-10.1.102.255:0-65535 0]
May 14 03:42:00.880100: "bkp/0x2" #93866: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x0004a149 <0x03f95a25 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}
May 14 04:42:00.875539: "bkp/0x2" #93866: deleting other state #93866 (STATE_CHILDSA_DEL) aged 3600.041s and NOT sending notification
May 14 04:42:00.890040: "bkp/0x2" #93865: deleting state (STATE_IKESA_DEL) aged 3600.097s and NOT sending notification
May 14 04:42:00.890113: "bkp/0x2" #93865: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS
May 14 04:42:00.890260: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy
May 14 04:42:00.890331: "bkp/0x2" #93941: initiating IKEv2 IKE SA
May 14 04:42:00.891212: "bkp/0x2" #93941: STATE_PARENT_I1: sent v2I1, expected v2R1
May 14 04:42:00.930615: "bkp/0x2" #93941: sending INITIAL_CONTACT
May 14 04:42:00.930744: "bkp/0x2" #93942: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
May 14 04:42:00.968441: "bkp/0x2" #93942: IKEv2 mode peer ID is ID_IPV4_ADDR: '55.66.77.88'
May 14 04:42:00.968542: "bkp/0x2" #93942: Authenticated using authby=secret
May 14 04:42:00.977005: "bkp/0x2" #93942: negotiated connection [172.16.80.0-172.16.95.255:0-65535 0] -> [10.1.102.0-10.1.102.255:0-65535 0]
May 14 04:42:00.977023: "bkp/0x2" #93942: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xf2c89fb2 <0x86a86bda xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}
May 14 05:42:00.987724: "bkp/0x2" #93942: deleting other state #93942 (STATE_CHILDSA_DEL) aged 3600.057s and NOT sending notification
May 14 05:42:01.007993: "bkp/0x2" #93941: deleting state (STATE_IKESA_DEL) aged 3600.117s and NOT sending notification
May 14 05:42:01.008090: "bkp/0x2" #93941: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS
May 14 05:42:01.008311: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy
May 14 05:42:01.008353: "bkp/0x2" #94008: initiating IKEv2 IKE SA
May 14 05:42:01.009397: "bkp/0x2" #94008: STATE_PARENT_I1: sent v2I1, expected v2R1
May 14 05:42:01.049217: "bkp/0x2" #94008: sending INITIAL_CONTACT
May 14 05:42:01.049368: "bkp/0x2" #94009: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
May 14 05:42:01.086682: "bkp/0x2" #94009: IKEv2 mode peer ID is ID_IPV4_ADDR: '55.66.77.88'
May 14 05:42:01.086788: "bkp/0x2" #94009: Authenticated using authby=secret
May 14 05:42:01.095391: "bkp/0x2" #94009: negotiated connection [172.16.80.0-172.16.95.255:0-65535 0] -> [10.1.102.0-10.1.102.255:0-65535 0]
May 14 05:42:01.095419: "bkp/0x2" #94009: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x6d2f19a7 <0xe39815b9 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}
May 14 06:42:01.118876: "bkp/0x2" #94009: deleting other state #94009 (STATE_CHILDSA_DEL) aged 3600.069s and NOT sending notification
May 14 06:42:01.144670: "bkp/0x2" #94008: deleting state (STATE_IKESA_DEL) aged 3600.136s and NOT sending notification
May 14 06:42:01.144742: "bkp/0x2" #94008: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS
May 14 06:42:01.144885: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy
May 14 06:42:01.144939: "bkp/0x2" #94081: initiating IKEv2 IKE SA
May 14 06:42:01.146288: "bkp/0x2" #94081: STATE_PARENT_I1: sent v2I1, expected v2R1
May 14 06:42:01.186392: "bkp/0x2" #94081: sending INITIAL_CONTACT
May 14 06:42:01.186557: "bkp/0x2" #94082: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
May 14 06:42:01.223911: "bkp/0x2" #94082: IKEv2 mode peer ID is ID_IPV4_ADDR: '55.66.77.88'
May 14 06:42:01.224027: "bkp/0x2" #94082: Authenticated using authby=secret
May 14 06:42:01.234303: "bkp/0x2" #94082: negotiated connection [172.16.80.0-172.16.95.255:0-65535 0] -> [10.1.102.0-10.1.102.255:0-65535 0]
May 14 06:42:01.234323: "bkp/0x2" #94082: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x1bba1bb6 <0xfd4792da xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
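
An added example, not part of the original post and not libreswan code: a small Python parser for pluto log lines in the format above that lists each deleted IKE SA with its age, marks whether the log then records a received Delete/Notify, and flags SAs deleted before the local rekey point. The function names are hypothetical, the sample holds two excerpts from the log above plus one constructed line, and the default `rekeyfuzz` of 100% is an assumption about the local configuration.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
DEL_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): deleting state '
                    r'\(STATE_IKESA_DEL\) aged (?P<age>\d+(?:\.\d+)?)s')
REVIVE_RE = re.compile(r'"(?P<conn>[^"]+)": initiating connection which '
                       r'received a Delete/Notify')

# First four lines are excerpts from the log above; the last line is constructed.
SAMPLE_LOG = """\
May 13 16:46:59.526985: "bkp/0x2" #92959: deleting state (STATE_IKESA_DEL) aged 1906.559s and NOT sending notification
May 13 16:46:59.527111: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy
May 13 23:42:00.328313: "bkp/0x2" #93455: deleting state (STATE_IKESA_DEL) aged 3600.132s and NOT sending notification
May 13 23:42:00.328608: "bkp/0x2": initiating connection which received a Delete/Notify but must remain up per local policy
May 15 00:00:00.000000: "bkp/0x2" #99999: deleting state (STATE_IKESA_DEL) aged 85950.000s and sending notification
"""

def parse_duration(text):
    """Convert ipsec.conf style durations such as 24h, 5m or 300 to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", text.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def ike_sa_deletions(log_text):
    """Return one record per deleted IKE SA, in log order."""
    records, pending = [], {}
    for line in log_text.splitlines():
        d = DEL_RE.search(line)
        if d:
            rec = {"conn": d["conn"], "sa": int(d["sa"]),
                   "age": float(d["age"]), "delete_received": False}
            records.append(rec)
            pending[d["conn"]] = rec  # latest deletion seen for this connection
            continue
        r = REVIVE_RE.search(line)
        if r and r["conn"] in pending:
            # The log attributes the re-initiation to a received Delete/Notify.
            pending.pop(r["conn"])["delete_received"] = True
    return records

def early_deletions(log_text, ikelifetime="24h", rekeymargin="5m", rekeyfuzz=100):
    """IKE SAs deleted before the earliest point a local rekey could start."""
    margin = parse_duration(rekeymargin) * (1 + rekeyfuzz / 100)
    threshold = parse_duration(ikelifetime) - margin
    return [r for r in ike_sa_deletions(log_text) if r["age"] < threshold]

if __name__ == "__main__":
    for rec in early_deletions(SAMPLE_LOG):
        print(f'#{rec["sa"]} {rec["conn"]}: deleted at {rec["age"]:.0f}s, '
              f'Delete/Notify logged: {rec["delete_received"]}')
```

Run against the full log, the ages it reports can be compared with the lifetimes configured on both peers.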