[Openswan Users] IPSec/L2TP with Mac OS X drops connection after 1 hour

Kevin J. Arunski kevin.arunski at netwitness.com
Sat Jul 18 16:11:14 EDT 2009

On Jul 18, 2009, at 4:03 PM, Marcus Carlson wrote:

> Kevin J. Arunski skrev:
>> I'm using Openswan in a roadwarrior setup for IPsec/L2TP clients,  
>> and  it appears the IPsec SA is dropped at exactly the one hour  
>> mark when  Mac OS X or Windows Vista clients connect.
>> I'm using openswan 2.4.15 because the 2.6.X versions don't seem to   
>> work at all. I'm using NETKEY on kernel 2.6.18-128.1.10.el5.
>> Here is the configuration:
>> conn L2TP-PSK-NAT
>> 	authby=secret
>> 	pfs=no
>> 	auto=add
>> 	keyingtries=3
>> 	rekey=no
>> 	ikelifetime=8h
>> 	keylife=1h
>> 	type=transport
>> 	left=---.---.---.---
>> 	leftprotoport=17/1701
>> 	right=%any
>> 	rightprotoport=17/%any
>> 	rightsubnet=vhost:%no,%priv
> You have rekey=no and keylife=1h, this means there will be no  
> rekeying after the first key expires after 1 hour and the connection  
> dies. Fix this by setting the clients to rekey within one hour.
> Paul, please comment if I'm wrong.

 From what I understand, rekey=no is required in this situation.  I  
thought the log messages I posted indicate the client attempting to  
rekey at about ~50 minutes.


More information about the Users mailing list