Thank you so much for responding! Found it out! I've another doubt!<div>I'm using bridge(brctl) and an l2tp tunnel on top of it! The bridge has two interfaces one being the l2tp tunnel interface and the other being the ethernet interface which is connected to PC. Hence when the IPSec restarts after the keylife, the l2tp tunnel also has to be deleted and then restarted again so as to have the end PC's up. The scenario is in the attached file. Hence when the IPSec is about to end i check the expiry time of the old IPSec using time left in STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in ipsec auto --status. So when the expiry time reaches 0 i reestablish the l2tp tunnel, however at times the IPSec tunnel says</div>
<div>"ignoring Delete SA payload: PROTO_IPSEC_ESP SA() not found(may be expired) instead of "received Delete SA() payload"</div><div>How do I identify when to exactly restart the l2tp tunnel so that the link will always be up! Hope i was clear in explaining my situation. Plz help!</div>
<div><br><div class="gmail_quote">On Wed, Jul 6, 2011 at 10:35 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><div></div><div class="h5">On Wed, 6 Jul 2011, Vasanth Ragavendran wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I am using openswan 2.6.29 with the kernel being 2.6.35.9. I've set the keylife and ikelifetime to default values and rekey to yes. So when the IPSec re-establishes the tunnel<br>
after the keylife period expires is there any way to check if the IPSec tunnel is up after the keylife expiry. What i mean to say is there any way to indicate a difference<br>
between the tunnel which was existing during the previous keylife period and the current keylife period! Is there any variable which will indicate this difference or does it<br>
show up in "ipsec auto --status" command. Hope i made it clear. Awaiting response. Plz help!<br>
</blockquote>
<br></div></div>
Yes, the instance number (the number with the #) will have changed. The SPI will also have changed if<br>
the phase2 rekeyed, which can be seen in "ipsec eroute" (klips) or "ip xfrm state" (netkey)<br><font color="#888888">
<br>
Paul<br>
</font></blockquote></div><br></div>