[Openswan Users] Openswan to cisco / SA Expired

Paul Wouters pwouters at redhat.com
Thu Mar 15 20:11:00 EDT 2012


On Thu, 15 Mar 2012, Vincent Tamet wrote:

>>>        Security association lifetime: 4608000 kilobytes/120 seconds
>> An SA lifetime of 2 minutes?? You really don't want. Set it back to the
>> default (prob 1h or 8h)
>
> I changed all the timers to very low ones, only with the goal of finding the working values.

But as I explained, that creates more problems than it solves, as your
problem was SAs expiring before you got new SAs established.

>
> Because the cisco have a dynamic IP.
>
>>> Mar 14 16:52:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #122: received Delete SA payload: deleting ISAKMP State #122
>>> Mar 14 16:52:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: received and ignored informational message
>> These could be because of your 2-minute window for the tunnel. It keeps
>> deleting and setting up new tunnels. Set it back to an hour and see if
>> this fixes your issues.
>
> Can't really understand this! :(    I was using this to set up like what (https://lists.openswan.org/pipermail/users/2009-January/015995.html)

(Currently there is an issue at the colocation facility so I cannot look
at that posting.) But normal values are between 1h and 8h.

>>>       rekey=no
>> Yup, you have rekey=no. Change that.
>
> Even if the right is %any? (http://lists.virus.org/users-openswan-0511/msg00127.html)

No, sorry, you must keep rekey=yes. I wrote that before I saw your cisco
was on a dynamic IP.

>> 	ikelifetime=2h
>> 	keylife=8h
>
> Thank you very much I will try right now.

Okay.

>>>       dpddelay=10
>>>       dpdtimeout=30
>>>       dpdaction=hold
>
> I used this to select the dpd (http://lists.virus.org/users-openswan-0511/msg00127.html).
> Do you have some recommendation for the dpd for an xDSL line?

First of all, if your remote endpoint is dynamic, you must use
dpdaction=clear. Because the dynamic IP can be used by others and your
client might appear at a different IP.

For DSL lines, DPD is a double-edged sword. If something fills
your DSL line, you will experience packet loss. If the congestion is not
the IPsec tunnel, but other traffic, then DPD packets will be sent. If
the line is congested, they will be dropped, and after a few of those it
will actively restart your tunnel, that is, it will kill a perfectly fine
tunnel.

>>>       #LOCAL
>>>       left=x.x.x.74
>>>       leftsubnet=192.1.1.0/23
>>>       leftnexthop=x.x.x.73
>>>       #REMOT
>>>       right=%any
>>>       rightsubnet=192.168.2.0/24
>>>       auto=start
>>> crypto ipsec security-association lifetime seconds 120
>> Make this longer, like 1h
>
> I thought it was good to set it like the openswan one, I mean:
>  Openswan:
> 	ikelifetime=2h
> 	keylife=8h
>  Cisco:
>        crypto isakmp policy 1
>          lifetime 7200
>        crypto ipsec security-association lifetime seconds 28800
> Must I really set this to the same values on both sides?

No, you should set the cisco time shorter than the openswan times.
That way, openswan is ensured to keep the tunnel up while the cisco
decides to rekey. This is why I said to use 2h on openswan and 1h on
the cisco. It means the tunnel rekeys every hour, but openswan will
keep using existing tunnels for two hours, well before the rekey time
of the cisco.

Paul
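The rules Paul lays out in this reply (rekey=yes and dpdaction=clear when right=%any, lifetimes in the 1h to 8h range, and the Cisco ISAKMP and IPsec SA lifetimes strictly shorter than Openswan's ikelifetime and keylife) can be checked mechanically before a tunnel is brought up. The script below is an added example, not code from Paul, Openswan or Cisco; the conn block and IOS fragments are constructed samples modelled on the quoted configuration, the function names are hypothetical, and the Openswan defaults it assumes when an option is missing (ikelifetime=1h, keylife=8h) are assumptions.

```python
import re

# Constructed sample Openswan conn block (assumed values modelled on the
# thread's conn "prova" with the advice applied; not the poster's real config).
OPENSWAN_OK = """
conn prova
        ikelifetime=2h
        keylife=8h
        rekey=yes
        dpddelay=10
        dpdtimeout=30
        dpdaction=clear
        left=x.x.x.74
        leftsubnet=192.1.1.0/23
        right=%any
        rightsubnet=192.168.2.0/24
        auto=start
"""

# Constructed Cisco IOS fragment (assumed) with both lifetimes shorter than Openswan's.
CISCO_OK = """
crypto isakmp policy 1
  lifetime 3600
crypto ipsec security-association lifetime seconds 3600
"""

# Constructed "before" pair that reproduces the mistakes discussed in the thread.
OPENSWAN_BAD = """
conn prova
        ikelifetime=2h
        keylife=8h
        rekey=no
        dpdaction=hold
        right=%any
"""
CISCO_BAD = """
crypto isakmp policy 1
  lifetime 7200
crypto ipsec security-association lifetime seconds 120
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
MIN_LIFE, MAX_LIFE = 3600, 8 * 3600   # "normal values are between 1h and 8h"


def parse_duration(value):
    """Convert an Openswan duration ('2h', '30m', '120s', bare '120') to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad duration: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def parse_openswan_conn(text):
    """Collect key=value options from a single conn block, ignoring # comments."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line and not line.startswith("conn "):
            key, val = line.split("=", 1)
            opts[key.strip()] = val.strip()
    return opts


def parse_cisco(text):
    """Return (isakmp_lifetime, ipsec_sa_lifetime) in seconds from an IOS fragment."""
    isakmp = ipsec = None
    in_policy = False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if not line[0].isspace():                       # top-level command
            in_policy = stripped.startswith("crypto isakmp policy")
            m = re.match(r"crypto ipsec security-association lifetime seconds (\d+)$", stripped)
            if m:
                ipsec = int(m.group(1))
        elif in_policy and stripped.startswith("lifetime "):   # inside the policy block
            isakmp = int(stripped.split()[1])
    return isakmp, ipsec


def check_pair(openswan_text, cisco_text):
    """Apply the thread's rules; return a list of problem strings (empty = OK)."""
    o = parse_openswan_conn(openswan_text)
    isakmp, ipsec = parse_cisco(cisco_text)
    # Openswan defaults (assumed here): ikelifetime=1h, keylife=8h.
    ike = parse_duration(o.get("ikelifetime", "1h"))
    key = parse_duration(o.get("keylife", "8h"))
    problems = []
    if o.get("right") == "%any":
        # A dynamic peer may reappear from another address, so the tunnel must
        # be re-established (rekey=yes) and cleared, not held, when DPD fails.
        if o.get("rekey", "yes") != "yes":
            problems.append("right=%any requires rekey=yes")
        if o.get("dpdaction", "clear") != "clear":
            problems.append("right=%any requires dpdaction=clear, not " + o["dpdaction"])
    for name, secs in (("ikelifetime", ike), ("keylife", key),
                       ("cisco isakmp lifetime", isakmp),
                       ("cisco ipsec sa lifetime", ipsec)):
        if secs is not None and not MIN_LIFE <= secs <= MAX_LIFE:
            problems.append("%s=%ds is outside the normal 1h-8h range" % (name, secs))
    # The Cisco side must expire first so Openswan never drops a tunnel the Cisco still uses.
    if isakmp is not None and isakmp >= ike:
        problems.append("cisco isakmp lifetime %ds must be shorter than ikelifetime %ds" % (isakmp, ike))
    if ipsec is not None and ipsec >= key:
        problems.append("cisco ipsec sa lifetime %ds must be shorter than keylife %ds" % (ipsec, key))
    return problems


if __name__ == "__main__":
    for label, pair in (("ok", (OPENSWAN_OK, CISCO_OK)), ("bad", (OPENSWAN_BAD, CISCO_BAD))):
        print(label, check_pair(*pair) or "no problems")
```

Run against the corrected pair it reports nothing; against the "before" pair it flags rekey=no, dpdaction=hold, the 120 second IPsec SA lifetime, and the Cisco ISAKMP lifetime being equal to (not shorter than) ikelifetime, which is exactly the combination that produced the "received Delete SA payload" churn in the quoted log.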

