683 Views · 0 Helpful · 0 Replies

IKEv1 L2L rekey issue

Tormod Macleod
Level 1
Hello,
 
I'm having issues with an IKEv1 L2L VPN connection between a strongSwan instance behind a NAT and a Cisco ASA. I have this problem in live and have been able to recreate it in a test environment.
 
After 75% of the phase 1 lifetime the Cisco ASA decides to initiate a rekey of the tunnel, i.e. when I set the phase 1 lifetime to 8 hours, the Cisco ASA initiates a rekey after 6 hours, and when I set the phase 1 lifetime to 1 hour, the Cisco ASA initiates a rekey after 45 minutes.
 
The phase 1 rekey is immediately successful, but the tunnel is torn down by DPD on the Cisco ASA around 15 seconds later. It looks to me like a problem with the Cisco ASA, as I understood that the initiator (in this case the strongSwan instance) should be the one that initiates the rekey. And even then, it shouldn't rekey until the phase 1 lifetime is expiring.
 
I've attached loads of config, logs, packet captures, etc. (probably overkill). Please note that some clocks are GMT, others are BST.
 
Grateful for ANY help,
 
Tormod
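The timeline described in the post (who starts the new Phase 1 exchange, at what fraction of the configured lifetime, and how soon an encrypted Informational exchange follows) can be read straight off the 28-byte ISAKMP headers in a capture. The script below is an added example, not code from the original post or from strongSwan or Cisco: it parses RFC 2408 headers, treats a Main Mode or Aggressive Mode message with a fresh initiator cookie and an all-zero responder cookie as the start of a Phase 1 SA, and reports the sender as the rekey initiator. The IP addresses, cookies and timestamps are constructed for the example; on a real capture you would feed it `(timestamp, source IP, ISAKMP payload)` tuples extracted from the pcap (for example with scapy or tshark). DPD R-U-THERE / R-U-THERE-ACK notifies travel inside encrypted Informational exchanges, so the header shows their timing but not their type.

```python
"""Timeline check for an IKEv1 Phase 1 rekey followed by DPD, from ISAKMP headers.

Added example, not part of the original post. Works on raw UDP/500 or UDP/4500
payloads (for 4500, strip the 4-byte non-ESP marker first).
"""
import struct
from typing import Iterable, List, Tuple

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # RFC 2408 s3.1: I-cookie, R-cookie, next payload,
                                            # version, exchange type, flags, message ID, length
ZERO_COOKIE = bytes(8)
EXCH_IDENTITY_PROTECTION = 2                # Main Mode
EXCH_AGGRESSIVE = 4
EXCH_INFORMATIONAL = 5                      # carries DPD notifies (encrypted once Phase 1 is up)
EXCH_QUICK_MODE = 32
FLAG_ENCRYPTION = 0x01


def parse_header(raw: bytes) -> dict:
    """Decode the fixed ISAKMP header; payloads after it are ignored."""
    if len(raw) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    i_ck, r_ck, nxt, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(raw)
    return {"icookie": i_ck, "rcookie": r_ck, "next_payload": nxt, "version": ver,
            "exchange": exch, "flags": flags, "msg_id": msg_id, "length": length}


def build_header(icookie: bytes, rcookie: bytes, exchange: int,
                 flags: int = 0, msg_id: int = 0) -> bytes:
    """Header-only ISAKMP message (length 28) used to construct the sample capture."""
    return ISAKMP_HDR.pack(icookie, rcookie, 0, 0x10, exchange, flags, msg_id, ISAKMP_HDR.size)


def analyze(packets: Iterable[Tuple[float, str, bytes]], lifetime_s: float) -> dict:
    """packets: (timestamp_s, src_ip, isakmp_bytes) in time order.

    A new Phase 1 SA starts with a Main/Aggressive Mode message whose initiator
    cookie is new and whose responder cookie is all zeros; its sender is the
    initiator of that (re)key. Encrypted Informational exchanges after a Phase 1
    start are reported with their offset from it (DPD candidates).
    """
    rekeys: List[dict] = []
    informationals: List[dict] = []
    phase1_start = None
    seen_icookies = set()
    for t, src, raw in packets:
        h = parse_header(raw)
        starts_phase1 = (h["exchange"] in (EXCH_IDENTITY_PROTECTION, EXCH_AGGRESSIVE)
                         and h["rcookie"] == ZERO_COOKIE
                         and h["icookie"] not in seen_icookies)
        if starts_phase1:
            seen_icookies.add(h["icookie"])
            if phase1_start is not None:            # not the very first SA: this is a rekey
                elapsed = t - phase1_start
                rekeys.append({"t": t, "initiator": src, "elapsed_s": elapsed,
                               "lifetime_fraction": elapsed / lifetime_s})
            phase1_start = t
        elif (h["exchange"] == EXCH_INFORMATIONAL and h["flags"] & FLAG_ENCRYPTION
              and phase1_start is not None):
            informationals.append({"t": t, "src": src, "since_phase1_s": t - phase1_start})
    return {"rekeys": rekeys, "informationals": informationals}


# Constructed sample capture (RFC 5737 documentation addresses, made-up cookies):
# strongSwan brings the tunnel up, the ASA starts a new Main Mode at 45 min of a
# 1 h lifetime, and an encrypted Informational from the ASA follows 15 s later.
STRONGSWAN, ASA = "192.0.2.10", "198.51.100.1"
LIFETIME_S = 3600.0
SAMPLE_PACKETS = [
    (0.0,     STRONGSWAN, build_header(b"\x01" * 8, ZERO_COOKIE, EXCH_IDENTITY_PROTECTION)),
    (0.05,    ASA,        build_header(b"\x01" * 8, b"\xaa" * 8, EXCH_IDENTITY_PROTECTION)),
    (1.0,     STRONGSWAN, build_header(b"\x01" * 8, b"\xaa" * 8, EXCH_QUICK_MODE, FLAG_ENCRYPTION, 0x1111)),
    (2700.0,  ASA,        build_header(b"\x02" * 8, ZERO_COOKIE, EXCH_IDENTITY_PROTECTION)),
    (2700.05, STRONGSWAN, build_header(b"\x02" * 8, b"\xbb" * 8, EXCH_IDENTITY_PROTECTION)),
    (2715.0,  ASA,        build_header(b"\x02" * 8, b"\xbb" * 8, EXCH_INFORMATIONAL, FLAG_ENCRYPTION, 0x2222)),
]


def demo() -> dict:
    """Run the analysis over the constructed capture."""
    return analyze(SAMPLE_PACKETS, LIFETIME_S)


if __name__ == "__main__":
    result = demo()
    for r in result["rekeys"]:
        print(f"Phase 1 rekey initiated by {r['initiator']} after {r['elapsed_s']:.0f}s "
              f"({r['lifetime_fraction']:.0%} of lifetime)")
    for i in result["informationals"]:
        print(f"encrypted Informational from {i['src']} {i['since_phase1_s']:.0f}s after Phase 1 start")
```

The header alone establishes which peer sent the first message of the new Phase 1 exchange and how that lines up with the configured lifetime; it cannot show what the encrypted Informational carried or why the ASA chose that moment, which is where the ISAKMP debugs and charon logs attached to the post have to be read alongside the capture. Remember to normalise the GMT and BST clocks before comparing pcap timestamps with log lines.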