02-13-2018 08:44 AM - edited 03-12-2019 05:01 AM
Hello,
We have an IPsec VPN on Cisco ASA 9.6(2) and it keeps dropping after 8 hours.
The other end is using strongSwan. We have checked the phase 1 and phase 2 settings at both ends and they look OK.
Please see the attached logs and the phase 1 and phase 2 settings from the Cisco ASA.
Any help will be much appreciated.
02-13-2018 12:49 PM
8 hours is the default lifetime for the Phase 2 tunnel. It is possible that the rekey process, which is supposed to take place before that 8-hour time comes about, is failing with strongSwan.
There seems to have been an issue with strongSwan more than a year ago, as detailed at this link:
https://wiki.strongswan.org/issues/1293
You might want to run the following debugs on the ASA some time before the 8-hour time period to get some more info on what is failing:
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
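Added example, not part of the original thread or of any Cisco tooling: before enabling the debugs, exported syslog can be checked to confirm that the drops really line up with the 8-hour Phase 2 lifetime, which points at a failed rekey rather than a link or idle-timeout problem. The sample lines are constructed, their layout is assumed from the ASA session-disconnect message (113019), and the 120-second tolerance is an assumption.

```python
import re
from collections import defaultdict

LIFETIME_S = 8 * 3600   # Phase 2 lifetime named in the reply above
TOLERANCE_S = 120       # assumed slack around each lifetime boundary

# Constructed sample lines (layout assumed from ASA message 113019); peers are documentation addresses.
SAMPLE_LOG = """\
Feb 12 2018 01:00:07: %ASA-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: LAN-to-LAN, Duration: 8h:00m:03s, Bytes xmt: 1048576, Bytes rcv: 2097152, Reason: Lost Service
Feb 12 2018 09:01:12: %ASA-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: LAN-to-LAN, Duration: 7h:59m:41s, Bytes xmt: 524288, Bytes rcv: 786432, Reason: Lost Service
Feb 12 2018 11:30:00: %ASA-6-302013: unrelated line that the parser must skip
Feb 12 2018 17:02:30: %ASA-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: LAN-to-LAN, Duration: 8h:00m:05s, Bytes xmt: 262144, Bytes rcv: 131072, Reason: Lost Service
Feb 12 2018 18:15:44: %ASA-4-113019: Group = 198.51.100.7, Username = 198.51.100.7, IP = 198.51.100.7, Session disconnected. Session Type: LAN-to-LAN, Duration: 2h:13m:40s, Bytes xmt: 4096, Bytes rcv: 8192, Reason: User Requested
Feb 13 2018 21:40:02: %ASA-4-113019: Group = 198.51.100.7, Username = 198.51.100.7, IP = 198.51.100.7, Session disconnected. Session Type: LAN-to-LAN, Duration: 1d 3h:20m:10s, Bytes xmt: 16384, Bytes rcv: 32768, Reason: User Requested
"""

LINE_RE = re.compile(
    r"IP = (?P<peer>[0-9a-fA-F.:]+), Session disconnected\."
    r".*?Duration: (?:(?P<d>\d+)d ?)?(?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s"
    r".*?Reason: (?P<reason>.+)$"
)

def parse_disconnects(log):
    """Return (peer, session_seconds, reason) for every disconnect line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a session-disconnect message
        secs = (int(m["d"] or 0) * 86400 + int(m["h"]) * 3600
                + int(m["m"]) * 60 + int(m["s"]))
        events.append((m["peer"], secs, m["reason"].strip()))
    return events

def near_lifetime(secs, lifetime=LIFETIME_S, tol=TOLERANCE_S):
    """True if the session ended within tol of a whole number of lifetimes."""
    rem = secs % lifetime
    return secs >= lifetime - tol and min(rem, lifetime - rem) <= tol

def lifetime_aligned(log):
    """Per peer: [drops aligned with the lifetime, total drops]."""
    stats = defaultdict(lambda: [0, 0])
    for peer, secs, _ in parse_disconnects(log):
        stats[peer][0] += near_lifetime(secs)
        stats[peer][1] += 1
    return dict(stats)

if __name__ == "__main__":
    for peer, (hit, total) in lifetime_aligned(SAMPLE_LOG).items():
        print(f"{peer}: {hit}/{total} drops at a multiple of the Phase 2 lifetime")
```

A peer whose drops are all aligned is the one to capture with the IKEv2 debugs shortly before the next expected rekey.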
02-14-2018 02:18 AM
02-22-2018 03:46 AM