On Fri, 7 Jan 2022, Mirsad Goran Todorovac wrote:
000 #5: "MYCONN-ikev2-cp"[3] 94.253.211.1:4500 STATE_V2_ESTABLISHED_IKE_SA
(established IKE SA); EXPIRE in 25923s; newest ISAKMP; idle;
000 #9: "MYCONN-ikev2-cp"[3] 94.253.211.1:4500 STATE_V2_ESTABLISHED_CHILD_SA
(established Child SA); EXPIRE in 28737s; newest IPSEC; eroute owner;
isakmp#5; idle;
000 #9: "MYCONN-ikev2-cp"[3] 94.253.211.1 [email protected]
[email protected] [email protected] [email protected] Traffic:
ESPin=396KB ESPout=23MB ESPmax=0B
What is the problem?
The Child SA is renegotiated about every 5 minutes despite saying EXPIRE in
28800 s.
Is it expiring, or is the client rekeying it? The logs should show you
which end is triggering this. If it is libreswan, there should be a
reason in the logs. If it is Microsoft, then we can't help it. Microsoft
is known to aggressively clean up "idle" connections.
If you run "ipsec status" when the connection is up, it will show you
the timers for rekey/expire of the states (ipsec status | grep STATE_).
Paul
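
As an added illustration of the timer check suggested above (not part of the original message and not libreswan code): this Python sketch parses two snapshots of `ipsec status | grep STATE_` and lists Child SAs that vanished while their local timer still had more time left than had elapsed, so that timer did not cause the replacement and the logs must explain it. The first snapshot is the output quoted in this thread; the second snapshot, the #10 serial and the 300 s interval are constructed, and the `<EVENT> in <N>s;` timer format is assumed from the EXPIRE field shown.

```python
import re

# First snapshot: the `ipsec status` lines quoted in this thread (wrapped as mailed).
SNAP1 = '''000 #5: "MYCONN-ikev2-cp"[3] 94.253.211.1:4500 STATE_V2_ESTABLISHED_IKE_SA
(established IKE SA); EXPIRE in 25923s; newest ISAKMP; idle;
000 #9: "MYCONN-ikev2-cp"[3] 94.253.211.1:4500 STATE_V2_ESTABLISHED_CHILD_SA
(established Child SA); EXPIRE in 28737s; newest IPSEC; eroute owner;
isakmp#5; idle;'''
# Second snapshot: CONSTRUCTED for this example (300 s later, Child SA #9 replaced by #10).
SNAP2 = '''000 #5: "MYCONN-ikev2-cp"[3] 94.253.211.1:4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 25623s; newest ISAKMP; idle;
000 #10: "MYCONN-ikev2-cp"[3] 94.253.211.1:4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 28795s; newest IPSEC; eroute owner; isakmp#5; idle;'''

STATE_RE = re.compile(r'#(\d+): "([^"]+)"(?:\[\d+\])? \S+ (STATE_\w+)')
# Assumption: every timer is printed as "<EVENT> in <N>s;", as EXPIRE is above.
TIMER_RE = re.compile(r'\b([A-Z_]+) in (\d+)s;')

def parse_states(text):
    """Map state serial -> connection name, state name and timers in seconds."""
    # Undo line wrapping: a new record always starts with "000 #".
    joined = re.sub(r'\n(?!000 #)', ' ', text.strip())
    states = {}
    for line in joined.splitlines():
        m = STATE_RE.search(line)
        if m:
            timers = {event: int(secs) for event, secs in TIMER_RE.findall(line)}
            states[int(m.group(1))] = {"conn": m.group(2), "state": m.group(3), "timers": timers}
    return states

def early_replacements(before, after, elapsed):
    """Child SAs that vanished although their earliest timer had > elapsed seconds left."""
    found = []
    for serial, st in sorted(before.items()):
        if "CHILD_SA" in st["state"] and serial not in after and st["timers"]:
            remaining = min(st["timers"].values())
            if remaining > elapsed:
                found.append((serial, st["conn"], remaining))
    return found

if __name__ == "__main__":
    for serial, conn, left in early_replacements(parse_states(SNAP1), parse_states(SNAP2), 300):
        print(f'#{serial} "{conn}" was replaced with {left}s left on its local timer')
```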