[Openswan Users] Openswan to cisco / SA Expired

Paul Wouters pwouters at redhat.com
Wed Mar 14 20:40:43 EDT 2012

On Wed, 14 Mar 2012, Vincent Tamet wrote:

> I observe some SA Expired and then the tunnel go down, a ping from the cisco immediately up the vpn.

> -------------------------------------------------------------------------------------------
> Crypto Map "cm-cryptomap" 1 ipsec-isakmp
>        Peer = x.x.x.74
>        Extended IP access list 101
>            access-list 101 permit ip
>            access-list 101 permit ip
>            access-list 101 deny ip any any
>        Security association lifetime: 4608000 kilobytes/120 seconds

An SA lifetime of 2 minutes?? You really don't want. Se it back to the
default (prob 1h or 8h)

> Mar 14 16:50:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #118: received Delete SA payload: deleting ISAKMP State #118

This is the remote deleting the SA. Not much we can do here.

> Mar 14 16:50:45 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #121: STATE_QUICK_R2: IPsec SA established {ESP=>0xa8593c8d <0xcf5f3206 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}
> Mar 14 16:51:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #120: ISAKMP SA expired (--dontrekey)

This one says your configuration has rekey=no. Are you behind NAT with
the Cisco? Or is the Cisco on a dynamic IP? If not, you should set this
to rekey=yes.  By the looks of the IPsec SA established line, you are
not behind NAT, so I assume the Cisco is on dynamic IP, in which case
the Cisco should rekey for you.

> Mar 14 16:52:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #122: received Delete SA payload: deleting ISAKMP State #122
> Mar 14 16:52:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: received and ignored informational message

These could be because of you 2 minute window for the tunnel. It keeps
deleting and setting up new tunnels. Set it back to an hour and see if
this fixes your issues.

> Configuration:
> --------------
> conn provailimit
>       type=tunnel
>       esp=3des-md5-96
>       keyexchange=ike
>       authby=secret
>       pfs=yes
>       auth=esp
>       rekey=no

Yup, you have rekey=no. Change that.

>       #rekeymargin=0s
>       #rekeyfuzz=0%
>       ikelifetime=60s
>       keylife=120s

nono. this is bad. Do not set such short ikelifetime/salifetimes.
Since you cannot rekey, it is best to set LONG lifetimes to give
the remove a change to rekey to you. I recommend:


>       dpddelay=10
>       dpdtimeout=30
>       dpdaction=hold
>       #LOCAL
>       left=x.x.x.74
>       leftsubnet=
>       leftnexthop=x.x.x.73
>       #REMOT
>       right=%any
>       rightsubnet=
>       auto=start

> crypto ipsec security-association lifetime seconds 120

Make this longer, like 1h


More information about the Users mailing list