[Openswan Users] Question about keylives and Opportunistic Encryption (not related)
n1ck.h0w1tt at gmail.com
Sat Nov 17 12:43:11 EST 2012
Reading the docs and trying to compare the parameters with my DrayTek
2930 I've got myself confused. The DrayTek has two parameters, "IKE
phase 1 key lifetime" and "IKE phase 2 key lifetime". "IKE phase 1 key
lifetime" is set to 28800s and "IKE phase 2 key lifetime" to 3600s.
Reading the man pages, ikelifetime appears to refer to the ISAKMP SA.
Since this is negotiated first I assume this is equivalent to "IKE phase
1 key lifetime" and therefore "IKE phase 2 key lifetime" is equivalent
to salifetime. I've had the two Openswan parameters at default for years
without issue which means they mismatch. I have recently tried setting
ikelifetime to 28800s salifetime to 3600s to get them to match and I'm
repeatedly seeing this in my logs:
Nov 17 16:20:02: pending Quick Mode with 220.127.116.11 "MumIn" took too
long -- replacing phase 1
Nov 17 16:20:02: "MumIn": terminating SAs using this connection
Nov 17 16:20:02: "MumIn" #3273: deleting state (STATE_QUICK_R2)
Nov 17 16:20:02: "MumIn" #3272: deleting state (STATE_MAIN_R3)
Nov 17 16:20:02: "MumIn" #3271: deleting state (STATE_MAIN_I1)
Nov 17 16:20:02: "MumIn" #3274: initiating Main Mode
Going back to the default values clears the error. Can anyone please
clarify how I should match Openswan and the Draytek? Note that Openswan
is set to rekey=no and auto=add as the DrayTek is set to dial-out only.
As a completely separate question, from which version is OE turned off
by default. I can't see anything obvious in the change logs.
I am running Openswan 2.6.38 on ClearOS 6.3
More information about the Users