Hi Claude,

> Before diving deeper into logs etc. Do these connection settings look
> good to you? Thinking of all sorts of timers.
There is lots of questionable stuff in that config.

> ikelifetime=60m

That's quite low, in particular since you didn't change margintime and
rekeyfuzz (see [1] for what that means exactly).

> dpdaction=restart

That doesn't make much sense on a responder, as it's unlikely it can reach
the client to reestablish the connection if it failed to retransmit a
message several times.

> dpddelay=60s

That's relatively low for mobile clients that might not be reachable for a
while. If you do that, consider changing the retransmission settings so
clients can be offline for a while [2].

> dpdtimeout=300s

Has no effect on IKEv2 SAs.

> keyingtries=5

Same as dpdaction, doesn't make much sense on a responder for mobile clients.

> inactivity=4h

This only makes sense if trap policies are used, otherwise no CHILD_SA will
exist after that (unless the client will reestablish the complete connection
immediately if the server terminates the CHILD_SA unexpectedly, but what
would the benefit be of that?).

> lifetime=4h

Why did you set that longer than the IKE_SA lifetime? Also, refer to [1] for
details.

> reauth=yes

Consider reading up on reauthentication (especially in regards to IKEv2
responders) on [1].

> mobike=no

Why would you disable MOBIKE on a connection for mobile roadwarriors? It's
exactly the use case this extension was designed for.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
[2] https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission
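As an added example (not part of the thread and not strongSwan's own code), here is a small Python lint that parses the quoted conn settings, computes the soft-rekey window from the formula documented on the ExpiryRekey page [1], and flags the points raised above. It assumes the ipsec.conf defaults margintime=3m and rekeyfuzz=100% for the values the poster did not set, and keyexchange=ikev2 since the reply talks about IKEv2 SAs.

```python
import re

# Constructed excerpt: the responder's conn settings as quoted in the thread
CONN_EXCERPT = """
ikelifetime=60m
dpdaction=restart
dpddelay=60s
dpdtimeout=300s
keyingtries=5
inactivity=4h
lifetime=4h
reauth=yes
mobike=no
"""
# ipsec.conf defaults for what the poster left unchanged; keyexchange assumed
DEFAULTS = {"margintime": "3m", "rekeyfuzz": "100%", "keyexchange": "ikev2"}

def to_seconds(value):
    """Convert an ipsec.conf time such as '60m' or '300s' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad time value: %r" % value)
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]

def parse_conn(text):
    """Parse key=value lines into a dict, starting from the defaults."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and not key.startswith("#"):
            settings[key.strip()] = val.strip()
    return settings

def rekey_window(lifetime, margintime, rekeyfuzz):
    """(earliest, latest) soft-rekey time in seconds, per the wiki formula
    rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))."""
    fuzz = int(rekeyfuzz.rstrip("%")) / 100.0
    return (lifetime - margintime * (1 + fuzz), lifetime - margintime)

def lint_responder(settings):
    """Return identifiers for the issues from the thread that apply here."""
    found = []
    ike, child = to_seconds(settings["ikelifetime"]), to_seconds(settings["lifetime"])
    earliest, _ = rekey_window(ike, to_seconds(settings["margintime"]), settings["rekeyfuzz"])
    if earliest <= 0:
        found.append("margintime-exceeds-ikelifetime")  # would rekey immediately
    if child > ike:
        found.append("child-lifetime-longer-than-ike")
    if "dpdtimeout" in settings and settings["keyexchange"] == "ikev2":
        found.append("dpdtimeout-ignored-for-ikev2")
    if settings.get("dpdaction") == "restart" or "keyingtries" in settings:
        found.append("reconnect-attempts-on-responder")  # responder rarely reaches a mobile peer
    if settings.get("mobike") == "no":
        found.append("mobike-disabled-for-roadwarriors")
    return found
```

Running `lint_responder(parse_conn(CONN_EXCERPT))` reports the IKE/CHILD lifetime mismatch, the ignored dpdtimeout, the responder-side reconnect settings and the disabled MOBIKE; the rekey window for ikelifetime=60m with the defaults comes out at 54 to 57 minutes.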