Hello everybody,

I have a Cisco C888EA-K9 behind a 4G router initiating a IPSec VPN tunnel to a Strongswan server.

The Cisco is the initiator because of the 4G router's IP changing regularly.
I set up IP SLA to keep the tunnel up.
The problem is that the tunnel goes up and down very regularly, like 3h10 up then 50min down, each cycle is precisely 4h (with the first parameters I set up).

Already checked the 4G connection, up 100% of the time.

This makes me think about the lifetime of Phase1 and 2.

At first it was
Phase 1 : Strongswan 24h and cisco 4h
Phase 2 : Strongswan 1h and cisco 1h
I tested a lot a combination of time without success.

At the moment, I even disabled reauth and rekeying on strongswan, letting the cisco the freedom of Phase 1/2 renegociation with theese lifetimes : P1 2h / P2 1h, but same problem.

I don't manage to understand the problem here, can someone help me ?
Here are my configurations :

Strongswan :

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn ciscoios
        authby=secret
        keyexchange=ikev1
        ike=aes128-sha256-modp2048
        esp=aes128-sha256
        left=<IP>
        leftid=<IP>
        leftsubnet=<SUBNET>
        leftfirewall=yes
        right=%any
        rightid=%any
        rightsubnet=<SUBNET>
        auto=add
     	ikelifetime=1440m
        keyingtries=5
        lifetime=1h
        margintime=10m
        rekeyfuzz=0%
        rekey=no
        reauth=no

Cisco 888 :

crypto isakmp policy 1
 encr aes
 hash sha256
 authentication pre-share
 group 14
 lifetime 7200
crypto isakmp key <PSK> address <SERVER IP>
crypto isakmp keepalive 30 10 periodic
!
crypto ipsec security-association lifetime seconds 3600
!
crypto ipsec transform-set trset1 esp-aes esp-sha256-hmac 
 mode tunnel
!
crypto map crymap1 10 ipsec-isakmp 
 set peer <SERVER IP>
 set transform-set trset1 
 match address 105

A graph of the tunnel up/down (you can see my different tests of lifetimes today) :