If you have those empty lines in your config, perhaps that is causing the lines to be ignored?
Otherwise, show us the logs from the rekey event? It should tell us why.

Sent from my iPhone

> On May 14, 2021, at 03:46, Ivan Kuznetsov <[email protected]> wrote:
>
> Hello
>
> We use libreswan 3.32 under Linux and have an IPsec peer that recently upgraded
> their Cisco ASA. Tunnel was migrated to IKEv2. All works fine except the
> libreswan side restarts ISAKMP too often, mostly after 1h. ESP is restarted
> too. Settings for lifetime are 24h for phase 1 and 8h for phase 2 on both
> sides. rekeymargin has default value (300s)
>
> Why does libreswan drop ISAKMP SA regardless of explicit settings?
>
> Libreswan configuration:
>
> conn bkp
>     type=tunnel
>     auto=start
>     authby=secret
>     left=11.22.33.44
>     leftsubnet=172.16.80.0/20
>     right=55.66.77.88
>     rightsubnets=10.1.208.0/28,10.1.102.0/24,10.1.100.22/32,10.1.104.0/29
>
>     ikev2=yes
>     ikelifetime=24h
>     initial-contact=yes
>
>     phase2=esp
>     salifetime=8h
>     # BKP's Cisco ASA has stranges regarding DH groups on phase2
>     pfs=no
>
>     rekey=yes
>     rekeymargin=5m
>     keyingtries=3
>
>     fragmentation=yes
>     # BKP's Cisco ASA has nonstandard DPD
>     # dpddelay=30
>     # dpdtimeout=120
>     # dpdaction=restart
>
>
> Libreswan log is attached
>
> --
> Regards, Ivan Kuznetsov
> SOLVO ltd
> <bkp.log>
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
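A quick way to check a config for the condition the reply asks about, as an added example that is not part of the original thread and is not libreswan code. It assumes, as the reply suggests and without verification against libreswan 3.32's parser, that a blank line ends a conn section; the function name and the sample text are constructed for illustration.

```python
"""Flag options that follow a blank line inside an ipsec.conf-style section.

Assumption (from the reply above, not verified against libreswan 3.32):
a blank line ends the current section, so indented key=value lines after
it may not be applied to that conn.
"""
import re

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)")
OPTION_RE = re.compile(r"^\s+([A-Za-z0-9_-]+)\s*=")


def options_after_blank(text):
    """Return [(section, line_no, option)] for options that are separated
    from their section header by at least one blank line."""
    findings = []
    section = None   # name of the most recent section header
    broken = False   # True once a blank line was seen inside that section
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            broken = section is not None
            continue
        if raw.lstrip().startswith("#"):
            continue  # comment lines neither end nor extend a section
        header = SECTION_RE.match(raw)
        if header:
            section, broken = header.group(2), False
            continue
        option = OPTION_RE.match(raw)
        if option and broken:
            findings.append((section, line_no, option.group(1)))
    return findings


# Constructed sample: a shortened copy of the quoted conn, blank lines kept.
SAMPLE = """\
conn bkp
    type=tunnel
    auto=start

    ikev2=yes
    ikelifetime=24h

    phase2=esp
    salifetime=8h
    # comment between options
    pfs=no
"""

if __name__ == "__main__":
    for name, line_no, option in options_after_blank(SAMPLE):
        print(f"conn {name}: line {line_no}: {option} follows a blank line")
```

Any option it reports is worth comparing against the lifetimes shown in the rekey log, since those are the values the reply suspects are being ignored.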
