[Openswan Users] phase2 every 2 min. WHY?? - tunnels goes to %trap

Paul Wouters paul at xelerance.com
Sun Jun 14 13:34:00 EDT 2009


On Sat, 13 Jun 2009, Agent Smith wrote:

> I found that the damn Juniper box has no way to configure phase 1 timeout or phase 2 timeout and evidently phase 2 timeout is 2 minutes, (can someone confirm this please??).

Talk to Juniper Support. That is not right.

> I took the rekey option off of juniper and now have only the openswan end doing the rekeying and the tunnel has been up for about 24 hours without a drop like it's supposed to be.

Good. So it was the juniper initiating the rekeys, not openswan.

> so even when openswan renegotiates phase1 at the end of 8hr, it all happens over existing secure connection so the tunnel is never supposed to drop right? (or goes into %trap or whatever..)

Renegotiating phase 1 (e.g. quick mode) happens over the existing phase 1.
This is independent of the packet stream, which happens over phase 2. When
a new phase2 is negotiated, openswan allows traffic on the old phase2 until
it receives the first packet on the new phase2, so no packet loss should
ever occur during either phase1 or phase2 renegotiation.

Paul
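As an added illustration of the diagnosis in this thread (this script is not from the thread or from Openswan itself): pluto logs an "IPsec SA established" line for every phase 2 setup, with STATE_QUICK_R2 when the peer initiated quick mode and STATE_QUICK_I2 when openswan did. Parsing those lines from auth.log shows at a glance which side is driving the rekeys and how often. The log lines below are constructed samples in the approximate pluto format, and the 2-minute and 1-hour gaps, connection names and SPIs are assumptions.

```python
import re
from datetime import datetime

# Constructed sample pluto log lines (not from the original thread). The
# "IPsec SA established" text is what pluto logs when a phase 2 SA is set
# up; STATE_QUICK_R2 means the peer initiated the quick mode exchange,
# STATE_QUICK_I2 means openswan initiated it.
SAMPLE_LOG = """\
Jun 13 10:00:01 gw pluto[1234]: "juniper" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Jun 13 10:00:02 gw pluto[1234]: "juniper" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0a0b0c01 <0x0a0b0c02}
Jun 13 10:02:02 gw pluto[1234]: "juniper" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0a0b0c03 <0x0a0b0c04}
Jun 13 10:04:02 gw pluto[1234]: "juniper" #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0a0b0c05 <0x0a0b0c06}
Jun 13 10:00:05 gw pluto[1234]: "office" #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x0a0b0c07 <0x0a0b0c08}
Jun 13 11:00:05 gw pluto[1234]: "office" #6: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x0a0b0c09 <0x0a0b0c0a}
"""

# Syslog timestamp, host, pluto pid, conn name, state number, quick-mode role.
LINE_RE = re.compile(
    r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "([^"]+)" #\d+: '
    r'STATE_QUICK_([IR])2: .*IPsec SA established')

def phase2_events(log_text, year=2009):
    """Return {conn: [(timestamp, 'I' or 'R'), ...]} for each phase 2 setup.
    Syslog lines carry no year, so one is supplied (assumed 2009 here)."""
    events = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.setdefault(m.group(2), []).append((ts, m.group(3)))
    return events

def rekey_report(log_text, expected_keylife=3600, factor=0.5):
    """Per connection: shortest gap between phase 2 setups, how many of them
    the peer initiated, and whether the gap is suspiciously short (below
    factor * expected_keylife, i.e. the peer rekeys far faster than our
    own keylife would)."""
    report = {}
    for conn, evs in phase2_events(log_text).items():
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        report[conn] = {
            "min_gap": min(gaps) if gaps else None,
            "peer_initiated": sum(1 for _, role in evs if role == "R"),
            "suspicious": bool(gaps) and min(gaps) < expected_keylife * factor,
        }
    return report
```

On the sample above, "juniper" shows three peer-initiated phase 2 setups 120 s apart (flagged), while "office" rekeys itself once an hour (not flagged).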

