[Openswan Users] One Hour Disconnect?

Peter McGill petermcgill at goco.net
Tue Dec 20 14:31:12 CET 2005


I fixed the problem.

As I stated previously I had already tried auto=start,
and that did not work, tried again anyway, but didn't
help.

I did some more testing focusing on ikelifetime=, since
it was set at 1.0h and that's the time the connection was
lost. At ikelifetime=2.0h, the connection disconnected
at 2 hours, instead of one. The first time I tested this,
I must have forgotten to --replace the conn, but this
time I reset pluto to be sure. I then remembered reading
someone needed to swap the values for ikelifetime= and
keylife= for their conn to work. I didn't want to wait
8 hours to test the problem though, so I just set the following:
ikelifetime=1.0h
keylife=30m
Now the problem is gone, not exactly sure why though.
All my other options, I have reset to previously stated
values (i.e. auto=route). Been running without problem
for several days now.
Perhaps Nortel throws away the entire tunnel when the
ike/auth key expires, and expects whole conn to renew?
Or maybe it simply expects the ike/auth key to last longer
than the data/encryption key?


Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited
Tel: 519-455-9260
----- Original Message -----
From: "Paul Wouters" <paul at xelerance.com>
To: "Peter McGill" <petermcgill at goco.net>
Cc: <users at openswan.org>
Sent: Thursday, December 15, 2005 4:08 PM
Subject: Re: [Openswan Users] One Hour Disconnect?


> On Thu, 15 Dec 2005, Peter McGill wrote:
> 
>> The connection is established, and works for about one
>> hour. The logs seem to indicate that the ISAKMP SA
>> is renegotiated at about 45 minutes in. I have tested
>> the connection after this and it is still working, but at
>> about one hour we receive a Delete SA from the
>> Nortel box and the connection goes down without
>> reconnecting. At this point I have to manually force
>> reconnection via: ipsec auto --up or --route.
> 
>> conn sunoco-172-16-19-net-to-london-office-net
>> left=66.11.74.93
>> leftnexthop=%defaultroute
>> leftsubnet=172.21.0.0/16
>> alsoflip=sunoco-toronto
>> rightsubnet=172.16.0.0/14
>> auto=route
> 
> use auto=start, not auto=route
> 
> Paul

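The thread ends with the observation that the tunnel survives once ikelifetime (the ISAKMP/IKE SA lifetime) is longer than keylife (the IPsec SA lifetime), and that the IKE renegotiation seen "at about 45 minutes" precedes the one-hour drop. The following added example, which is not part of this thread or of Openswan itself, is a small Python checker for that relationship: it reads conn sections from an ipsec.conf-style text, flags any conn whose IKE SA would expire before its IPsec SA, and reports the window in which the initiator starts IKE rekeying. It assumes the documented Openswan defaults (ikelifetime 1h, keylife 8h, rekeymargin 9m, rekeyfuzz 100%) for options a conn does not set, and it is a simplified reader that does not expand also=/alsoflip= references; the sample config is constructed, modelled on the conn quoted above.

```python
import re

# Documented Openswan ipsec.conf(5) defaults; assumption: the conn does not
# override them elsewhere (e.g. via an also= section, which this reader ignores).
DEFAULTS = {
    "ikelifetime": "1.0h",   # lifetime of the ISAKMP/IKE SA
    "keylife": "8.0h",       # lifetime of the IPsec (ESP/AH) SA
    "rekeymargin": "9m",     # start rekeying this long before expiry
    "rekeyfuzz": "100%",     # randomise the margin by up to this factor
}

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """Convert '1.0h', '30m', '3600' (bare seconds) to seconds as a float."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([smhd]?)\s*", text)
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    value, unit = m.groups()
    return float(value) * UNIT_SECONDS[unit or "s"]


def parse_conns(config_text):
    """Return {conn_name: {option: value}} from ipsec.conf-style text.

    Section headers start in column 0 ('conn NAME', 'config setup');
    option lines are indented key=value pairs. Comments start with '#'.
    """
    conns, current = {}, None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():              # section header
            m = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m else None
            continue
        if current is None:                    # inside 'config setup' etc.
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return conns


def rekey_window(lifetime, margin, fuzz_percent):
    """Earliest and latest time (seconds after SA setup) at which the
    initiator starts rekeying, given rekeymargin scaled by a random factor
    in [1, 1 + rekeyfuzz]."""
    earliest = lifetime - margin * (1 + fuzz_percent / 100.0)
    latest = lifetime - margin
    return earliest, latest


def check_conn(name, opts):
    """Report lifetimes, the IKE rekey window, and any lifetime-ordering finding."""
    get = lambda k: opts.get(k, DEFAULTS[k])
    ike = parse_duration(get("ikelifetime"))
    ipsec = parse_duration(get("keylife"))
    margin = parse_duration(get("rekeymargin"))
    fuzz = float(get("rekeyfuzz").rstrip("%"))
    earliest, latest = rekey_window(ike, margin, fuzz)

    findings = []
    if ike <= ipsec:
        findings.append(
            f"{name}: ikelifetime ({ike:.0f}s) <= keylife ({ipsec:.0f}s); "
            "the IKE SA expires before the IPsec SA it protects, which some "
            "peers answer by deleting the whole tunnel")
    return {
        "ikelifetime_s": ike,
        "keylife_s": ipsec,
        "ike_rekey_window_min": (earliest / 60, latest / 60),
        "findings": findings,
    }


# Constructed sample config, modelled on the conn quoted in the thread:
# 'before' uses the default keylife, 'after' applies the fix described above.
SAMPLE_CONFIG = """\
config setup
        interfaces=%defaultroute

conn before
        left=66.11.74.93
        leftnexthop=%defaultroute
        leftsubnet=172.21.0.0/16
        rightsubnet=172.16.0.0/14
        ikelifetime=1.0h
        auto=route

conn after
        left=66.11.74.93
        leftnexthop=%defaultroute
        leftsubnet=172.21.0.0/16
        rightsubnet=172.16.0.0/14
        ikelifetime=1.0h
        keylife=30m          # shorter than ikelifetime
        auto=route
"""

if __name__ == "__main__":
    for conn_name, conn_opts in parse_conns(SAMPLE_CONFIG).items():
        result = check_conn(conn_name, conn_opts)
        lo, hi = result["ike_rekey_window_min"]
        print(f"{conn_name}: IKE rekey starts between {lo:.0f} and {hi:.0f} min")
        for finding in result["findings"]:
            print("  ", finding)
```

With the defaults above, a 1h ikelifetime gives an IKE rekey somewhere between 42 and 51 minutes after setup, which matches the renegotiation seen at about 45 minutes in the original report; the checker flags the 'before' conn (IKE 1h, IPsec 8h) and passes the 'after' conn (IKE 1h, IPsec 30m).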
