[Openswan Users] Question about keylives and Opportunistic Encryption (not related)

Nick Howitt n1ck.h0w1tt at gmail.com
Sat Nov 17 12:43:11 EST 2012


Reading the docs and trying to compare the parameters with my DrayTek 
2930 I've got myself confused. The DrayTek has two parameters, "IKE 
phase 1 key lifetime" and "IKE phase 2 key lifetime". "IKE phase 1 key 
lifetime" is set to 28800s and "IKE phase 2 key lifetime" to 3600s. 
Reading the man pages, ikelifetime appears to refer to the ISAKMP SA. 
Since this is negotiated first I assume this is equivalent to "IKE phase 
1 key lifetime" and therefore "IKE phase 2 key lifetime" is equivalent 
to salifetime. I've had the two Openswan parameters at default for years 
without issue which means they mismatch. I have recently tried setting 
ikelifetime to 28800s salifetime to 3600s to get them to match and I'm 
repeatedly seeing this in my logs:

Nov 17 16:20:02: pending Quick Mode with "MumIn" took too 
long -- replacing phase 1
Nov 17 16:20:02: "MumIn": terminating SAs using this connection
Nov 17 16:20:02: "MumIn" #3273: deleting state (STATE_QUICK_R2)
Nov 17 16:20:02: "MumIn" #3272: deleting state (STATE_MAIN_R3)
Nov 17 16:20:02: "MumIn" #3271: deleting state (STATE_MAIN_I1)
Nov 17 16:20:02: "MumIn" #3274: initiating Main Mode

Going back to the default values clears the error. Can anyone please 
clarify how I should match Openswan and the Draytek? Note that Openswan 
is set to rekey=no and auto=add as the DrayTek is set to dial-out only.

As a completely separate question, from which version is OE turned off 
by default. I can't see anything obvious in the change logs.

I am running Openswan 2.6.38 on ClearOS 6.3



More information about the Users mailing list