[Openswan Users] phase2 every 2 min. WHY?? - tunnels goes to %trap

Paul Wouters paul at xelerance.com
Fri Jun 12 21:46:29 EDT 2009


On Fri, 12 Jun 2009, Agent Smith wrote:

> One of our remote sites (openswan on corporate end, juniper firewalls on remote location with 0.0.0.0/0 as the encryption domain so ALL traffic takes the tunnel) complains that their connection goes down 10 times a day, so I decided to take a close look and found that the phase2 goes on every 2 min. with them. Is that normal?

A phase2 every two minutes is very wrong. Something is broken.

> Any work around? I tried ikelifetime=1h and keylife=1h.

I would leave the keylife to its default 8h.

> Phase 2, as seen in the /var/log/secure logs, happens every 2 min., and phase 1 every one hr (I see 'ISAKMP SA established' in /var/log/secure every hr.), and it seems that no matter what I do, I can't control the phase 2 renegotiation. The other end is a Juniper SSG 320M firewall with no way to configure timeouts, but I was able to find out what the timeouts are.

Your logs did not show which end was initiating the rekeying. Whichever
end it is, that end needs fixing.

Paul
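To act on the point above that the logs must show which end initiates each rekey, here is an added example (not from the thread) that scans pluto messages for "initiating Quick Mode" versus "responding to Quick Mode proposal" and measures the spacing between "IPsec SA established" events. The log lines are constructed samples in pluto's syslog format, and the connection name "remote" and the exact message prefixes are assumptions.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample lines in the style of Openswan pluto messages as they
# appear in /var/log/secure; they are not the poster's real logs.
SAMPLE_LOG = """\
Jun 12 10:00:01 gw pluto[1234]: "remote" #12: responding to Quick Mode proposal {msgid:1a2b3c4d}
Jun 12 10:00:01 gw pluto[1234]: "remote" #12: IPsec SA established {ESP=>0x00000001 <0x00000002}
Jun 12 10:02:02 gw pluto[1234]: "remote" #13: responding to Quick Mode proposal {msgid:5e6f7a8b}
Jun 12 10:02:02 gw pluto[1234]: "remote" #13: IPsec SA established {ESP=>0x00000003 <0x00000004}
Jun 12 10:04:03 gw pluto[1234]: "remote" #14: responding to Quick Mode proposal {msgid:9c0d1e2f}
Jun 12 10:04:03 gw pluto[1234]: "remote" #14: IPsec SA established {ESP=>0x00000005 <0x00000006}
Jun 12 11:00:00 gw pluto[1234]: "remote" #15: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #14
Jun 12 11:00:00 gw pluto[1234]: "remote" #15: IPsec SA established {ESP=>0x00000007 <0x00000008}
"""

# syslog timestamp, host, pluto[pid], quoted connection name, state number, message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "(?P<conn>[^"]+)" #\d+: (?P<msg>.*)$'
)

def analyze_phase2(log_text, conn, year=2009):
    """Count who started each phase 2 (Quick Mode) for `conn` and return the
    gaps in seconds between consecutive 'IPsec SA established' events."""
    initiated = responded = 0
    established = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("conn") != conn:
            continue
        msg = m.group("msg")
        if msg.startswith("initiating Quick Mode"):
            initiated += 1          # this host started the rekey
        elif msg.startswith("responding to Quick Mode proposal"):
            responded += 1          # the peer started the rekey
        elif msg.startswith("IPsec SA established"):
            # syslog timestamps carry no year, so one is supplied for parsing
            established.append(datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"))
    intervals = [int((b - a).total_seconds()) for a, b in zip(established, established[1:])]
    return {
        "initiated_here": initiated,
        "initiated_by_peer": responded,
        "intervals_s": intervals,
        "median_interval_s": median(intervals) if intervals else None,
    }

if __name__ == "__main__":
    print(analyze_phase2(SAMPLE_LOG, "remote"))
```

A peer count far above the local count together with a median gap of about 120 s points at the far end's phase 2 lifetime or keepalive settings rather than the Openswan keylife.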

