[Openswan Users] IPSec/L2TP with Mac OS X drops connection after 1 hour
Paul Wouters
paul at xelerance.com
Mon Jul 20 00:34:18 EDT 2009
On Sat, 18 Jul 2009, Kevin J. Arunski wrote:
>>> conn L2TP-PSK-NAT
>>> authby=secret
>>> pfs=no
>>> auto=add
>>> keyingtries=3
>>> rekey=no
>>> ikelifetime=8h
>>> keylife=1h
>>> type=transport
>>> left=---.---.---.---
>>> leftprotoport=17/1701
>>> right=%any
>>> rightprotoport=17/%any
>>> rightsubnet=vhost:%no,%priv
>>>
>>>
>> You have rekey=no and keylife=1h, this means there will be no
>> rekeying after the first key expires after 1 hour and the connection
>> dies. Fix this by setting the clients to rekey within one hour.
>>
>> Paul, please comment if I'm wrong.
>
> From what I understand, rekey=no is required in this situation. I
> thought the log messages I posted indicate the client attempting to
> rekey at about ~50 minutes.
That's right.
Paul
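As an added example (not code from the thread or from Openswan), a small Python linter that parses the quoted conn section and flags the rekey=no / keylife combination discussed above, so the operator knows which side must rekey before the SA expires. The conn-section layout and the s/m/h/d duration suffixes are assumed from ipsec.conf syntax; the sample text is constructed from the message.

```python
import re

# Constructed sample built from the conn quoted in the thread.
SAMPLE_CONF = """\
conn L2TP-PSK-NAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%no,%priv
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """Convert an ipsec.conf time value such as '8h', '1.5h' or '3600' to seconds."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad duration: %r" % value)
    return int(float(m.group(1)) * _UNITS[m.group(2) or "s"])


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section (comments stripped)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, val = line.split("=", 1)
            conns[current][key.strip()] = val.strip()
    return conns


def check_rekey(conn):
    """Return (server_rekeys, keylife_seconds); keylife_seconds is None if keylife is unset."""
    server_rekeys = conn.get("rekey", "yes").lower() != "no"
    keylife = conn.get("keylife")
    return server_rekeys, (parse_duration(keylife) if keylife else None)


def report(text):
    """One finding per conn whose SA survival depends on the client rekeying in time."""
    findings = []
    for name, conn in parse_conns(text).items():
        server_rekeys, keylife = check_rekey(conn)
        if not server_rekeys:
            findings.append("%s: rekey=no, server never initiates rekeying; client must "
                            "rekey before keylife (%s) or the SA expires"
                            % (name, "%d s" % keylife if keylife else "unset"))
    return findings
```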