cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
571
Views
0
Helpful
0
Replies

ikev1 l2l rekey issue

Tormod Macleod
Beginner
Beginner
Hello,
 
I'm having issues with an ikve1 l2l vpn connection between a strongswan instance behind a nat and a cisco asa. I have this problem in live and have been able to recreate it in a test environment.
 
After 75% of the phase 1 lifetime the cisco asa decides to initiate a rekey of the tunnel. ie when I set the phase 1 lifetime to 8 hours, the cisco asa initiates a rekey after 6 hours, when i set the phase 1 lifetime to 1 hour, the cisco asa initiates a rekey after 45 minutes.
 
The phase 1 rekey is immediately successful but the tunnel is torn down by DPD on the cisco asa around 15 seconds later. It looks to me like a problem with the cisco asa as I understood that the initiator (in this case the strongswan instance) should be the one that initiates the rekey. And even then, it shouldn't rekey until the phase 1 lifetime is expiring.
 
I've attached loads of config, logs, packet captures etc. (probably overkill). Please note that some clocks are GMT, others are BST.
 
Grateful for ANY help,
 
 
Tormod
0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers