<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Courier New" size="2"><span style="font-size:9pt;">
<div>Hi List,</div>
<div> </div>
<div>I’ve searched the archives and haven’t so far come across a similar case to mine afaics.</div>
<div><font face="Calibri" size="2"><span style="font-size:11pt;"> </span></font></div>
<div>I have StrongSWAN in AWS (Linux strongSwan U5.1.2/K3.13.0-48-generic) and a Cisco ASA on premise (I’ll get the config and exact ASA spec in the morning but it’s running upwards of v9). Everything is fine until the first rekey time (1h in my case), then
it will recreate the AS’es every ~ 3 minutes with:</div>
<div><font face="Calibri" size="2"><span style="font-size:11pt;"> </span></font></div>
<div>---- 8< ----</div>
<div>Sep 3 09:05:13 strongswan-prod charon: 06[IKE] giving up after 5 retransmits</div>
<div>Sep 3 09:05:13 strongswan-prod charon: 06[IKE] restarting CHILD_SA aws-2-onprem</div>
<div>---- 8< ----</div>
<div><font face="Calibri" size="2"><span style="font-size:11pt;"> </span></font></div>
<div>The tunnels re-establish immediately with no issues, the problem is just it keeps doing it every 3 minutes which causes havoc for ssh connections (the Windows guys just moan a bit :-).</div>
<div><font face="Calibri" size="2"><span style="font-size:11pt;"> </span></font></div>
<div>My workaround for now will be to set the lifetime to 24h and do “ipsec restart” from cron once a day but it’s not very elegant. Has anyone seen anything like this with Cisco ASA?</div>
<div> </div>
<div>ipsec.conf:</div>
<div>---- 8< ----</div>
<div>conn aws-2-onprem</div>
<div> keyexchange=ikev2</div>
<div> ike=aes256-sha1-modp1024</div>
<div> esp=aes256-sha1-modp1024 <-- pfs is off ASA side</div>
<div> left=%defaultroute</div>
<div> leftid=<left ip></div>
<div> leftsubnet=<local subnets></div>
<div> right=<right ip></div>
<div> rightsubnet=<remote subnets></div>
<div> dpdaction=restart <-- initially thought DPD might be a problem with ASA</div>
<div> # dpdaction=none <-- tried this, bad idea in my case: no tunnels after rekey</div>
<div> dpddelay=0 <-- and tried this</div>
<div> auto=start</div>
<div> reauth=no <-- and tried this in the hope it wouldn’t delete the SA’s, no luck</div>
<div> keylife=1d <-- last thing is to make rekey time a whole day and ipsec restart once a day</div>
<div>---- 8< ----</div>
<div><font face="Calibri" size="2"><span style="font-size:11pt;"> </span></font></div>
<div>Any ideas?</div>
<div> </div>
<div>Many thanks!</div>
<div><font face="Calibri" size="2"><span style="font-size:11pt;"> </span></font></div>
<div><font face="Calibri">--</font></div>
<div>Willem Roos</div>
<div><font face="Calibri" size="2"><span style="font-size:11pt;"><a href="mailto:wroos@shoprite.co.za"><font face="Courier New" size="2" color="#0563C1"><span style="font-size:9pt;"><u>wroos@shoprite.co.za</u></span></font></a><font face="Courier New" size="2"><span style="font-size:9pt;">
(+27 21 980 4941, +27 83 703 9310)</span></font></span></font></div>
<div> </div>
<div><font face="Calibri" size="2"><span style="font-size:11pt;"> </span></font></div>
<div><font face="Times New Roman" size="3"><span style="font-size:12pt;"><br>
<br>
<br>
<br>
<font face="Arial" size="1"><span style="font-size:7.5pt;">Disclaimer:<br>
</span></font><a href="http://www.shopriteholdings.co.za/Pages/ShopriteE-mailDisclaimer.aspx"><font face="Arial" size="1" color="blue"><span style="font-size:7.5pt;"><u>http://www.shopriteholdings.co.za/Pages/ShopriteE-mailDisclaimer.aspx</u></span></font></a><font face="Arial" size="1"><span style="font-size:7.5pt;">
</span></font></span></font></div>
</span></font>
</body>
</html>