[Openswan Users] phase2 every 2 min. WHY?? - tunnels goes to %trap

[Agent Smith]

I found that the damn Juniper box has no way to configure phase 1 timeout or phase 2 timeout and evidently phase 2 timeout is 2 minutes, (can someone confirm this please??).

I took the rekey option off of juniper and now have only the openswan end doing the rekeying and the tunnel has been up for about 24 hours without a drop like its suppoosed to be.

so even when openswan renegotiates phase1 at the end of 8hr, it all happens over existing secure connection so the tunnel is never suppose to drop right? (or goes into %trap or whatever..)

 

--- On Fri, 6/12/09, Paul Wouters <paul at xelerance.com> wrote:

> From: Paul Wouters <paul at xelerance.com>
> Subject: Re: [Openswan Users] phase2 every 2 min. WHY?? - tunnels goes to %trap
> To: "Agent Smith" <news8080 at yahoo.com>
> Cc: users at openswan.org
> Date: Friday, June 12, 2009, 9:46 PM
> On Fri, 12 Jun 2009, Agent Smith
> wrote:
> 
> > One of our remote site (openswan on corporate end,
> juniper firewalls on remote location with 0.0.0.0/0 as the
> encryption domain so ALL traffic takes the tunnel) complains
> that their connection goes down 10 times a day so I decided
> to take a close look and found that the phase2 goes on every
> 2 min. with them is that normal?
> 
> A phase2 every two minutes is very wrong. Something is
> broken.
> 
> > Any work around? I tried ikelifetime=1h and
> keylife=1h.
> 
> I would leave the keylife to its default 8h.
> 
> > phase 2 as seen for /var/log/secure logs happens every
> 2 min. and phase 1 every one hr (I see 'ISAKMP SA
> established' in /var/log/secure every hr.) and it seems that
> no matter what I do, I can't control the phase 2
> renegotiation. The other end is Juniper SSG 320M firewall
> with no way to configure timeouts but I was able to find out
> what the timeouts are.
> 
> Your logs did not show which end was initiating the
> rekeying. Whichever
> end it is, that end needs fixing.
> 
> Paul
>