<div dir="ltr"><font color="#0000ff">Hi All, </font><div><font color="#0000ff"><br></font></div><div><font color="#0000ff">Strongswan version: <b>4.53. </b></font></div><div><font color="#0000ff"><br></font></div><div><font color="#0000ff">Setup:</font></div>
<div><font color="#0000ff">======</font></div><div><font color="#0000ff">Strongswan <--------------------------> CISCO SGW (</font><span style="color:rgb(0,0,0);font-family:Calibri,sans-serif;font-size:15px">CISCO SAMI) </span></div>
<div><font color="#0000ff"><br></font></div><div><font color="#0000ff"><br></font></div><div><font color="#0000ff">Traffic loss observed <b>2-3</b> min when we using the IPSec lifetime 300S for IKEv1 mode on the above setup. </font></div>
<div><font color="#0000ff"><br></font></div><div><font color="#0000ff"><br></font></div><div><font color="#0000ff"><b>Child SA Life time = 300S</b></font></div><div><span style="font-family:Calibri;font-size:15px"><font color="#0000ff"><b>rekeymargin = 180S</b></font></span></div>
<div><font color="#0000ff"><b><span style="font-family:Calibri;font-size:15px">rekeyfuzz = 50%</span><br></b></font></div><div><span style="font-family:Calibri;font-size:15px"><font color="#0000ff"><br></font></span></div>
<div><font color="#0000ff"><div><font face="Calibri"><span style="font-size:15px">Here, Child SA will be created once rekey time is expired in Strongswan node and new child also updated to strongswan. </span></font></div>
<div><font face="Calibri"><span style="font-size:15px"> </span></font></div><div><font face="Calibri"><span style="font-size:15px">Now Strongswan will have two Child SA. One will be the state of EVENT_SA_EXPIRE & EVENT_SA_REPLACE.</span></font></div>
<div><font face="Calibri"><span style="font-size:15px"> </span></font></div><div><font face="Calibri"><span style="font-size:15px">But CISCO SGW is only updating the INBOUD SA immediately and OUT will be updated later.</span></font></div>
<div><font face="Calibri"><span style="font-size:15px"> </span></font></div><div><font face="Calibri"><span style="font-size:15px">There is no issue till strongswan is keep both OLD and New SA. Traffic will flow as expected. </span></font></div>
<div><font face="Calibri"><span style="font-size:15px"> </span></font></div><div><font face="Calibri"><span style="font-size:15px">But, some rekeying period Strongswan node is only having EVENT_SA_REPLACE and SGW still using the old OUTBOUD SA and downlink traffic is dropped in strongswan. </span></font></div>
<div><font face="Calibri"><span style="font-size:15px"><br></span></font></div><div><br></div><div><font face="Calibri"><span style="font-size:15px">Where could be problem ? Strongswan Node or CISCO SGW?</span></font></div>
<div><font face="Calibri"><span style="font-size:15px"><br></span></font></div><div><font face="Calibri"><span style="font-size:15px">Is the following rekeying parameters OK for 300S life time? </span></font></div><div><font face="Calibri"><span style="font-size:15px"><br>
</span></font></div><div><div style="color:rgb(34,34,34)"><span style="font-family:Calibri;font-size:15px"><font color="#0000ff"><b>rekeymargin = 180S</b></font></span></div><div style="color:rgb(34,34,34)"><font color="#0000ff"><b><span style="font-family:Calibri;font-size:15px">rekeyfuzz = 50%</span><br>
</b></font></div></div><div><font color="#0000ff"><b><span style="font-family:Calibri;font-size:15px"><br></span></b></font></div><div><font color="#0000ff"><b><font face="Calibri"><span style="font-size:15px">Why Strongswan node is not syncing for lower life time values with CISCO? </span></font></b></font></div>
<div><font color="#0000ff"><b><font face="Calibri"><span style="font-size:15px"> </span></font></b></font></div></font></div><div><font color="#0000ff">-- <br></font><div><font color="#0000ff">By</font></div><font color="#0000ff">Jegathesh,<br>
<br></font></div></div>