[strongSwan-dev] Traffic Loss observed strongswan with CISCO SGW as a peer

jegathesh malaiyappan mjegakathir at gmail.com
Mon Aug 12 16:51:32 CEST 2013

Hi All,

Strongswan version: 4.53

Strongswan            <--------------------------> CISCO SGW (CISCO SAMI)

Traffic loss of 2-3 min is observed when we use an IPsec lifetime of 300 s for
IKEv1 mode on the above setup.

Child SA lifetime = 300 s
rekeymargin = 180 s
rekeyfuzz = 50%

Here, a Child SA is created once the rekey time has expired on the Strongswan
node, and the new child is also updated on strongswan.

Now Strongswan will have two Child SAs. One will be in the state of

But the CISCO SGW only updates the INBOUND SA immediately; the OUTBOUND SA is
updated later.

There is no issue as long as strongswan keeps both the OLD and the NEW SA.
Traffic flows as expected.

But in some rekeying periods the Strongswan node only has EVENT_SA_REPLACE,
and the SGW is still using the old OUTBOUND SA, so downlink traffic is dropped in

Where could the problem be? The Strongswan node or the CISCO SGW?

Are the following rekeying parameters OK for a 300 s lifetime?

rekeymargin = 180 s
rekeyfuzz = 50%

Why is the Strongswan node not syncing with CISCO for lower lifetime values?
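The rekey window that the parameters quoted in the post produce can be worked out from the rule strongSwan documents for ipsec.conf: rekeying starts rekeymargin seconds before the hard lifetime ends, and rekeymargin is randomly increased by up to rekeyfuzz percent so that the two peers do not rekey in lock-step. The following is an added example, not code from the post above or from the strongSwan project; the function names are this example's own, and the parameter sets it runs are the post's 300 s / 180 s / 50% values next to strongSwan's documented defaults (1 h / 9 min / 100%) for comparison.

```python
"""Added example: strongSwan CHILD_SA rekey-window arithmetic.

Not code from the original post or from the strongSwan project. It applies
the rule documented for ipsec.conf's rekeymargin/rekeyfuzz: rekeying starts
rekeymargin seconds before the hard lifetime expires, and rekeymargin is
randomly increased by up to rekeyfuzz percent. All function names below are
this example's own.
"""
import random


def effective_margin_bounds(margin, fuzz):
    """Smallest and largest margin strongSwan may pick, in seconds.

    fuzz is a fraction: 0.5 for rekeyfuzz=50%, 1.0 for the default 100%.
    """
    if margin < 0 or fuzz < 0:
        raise ValueError("rekeymargin and rekeyfuzz must be non-negative")
    return margin, margin * (1 + fuzz)


def rekey_window(lifetime, margin, fuzz):
    """Return (earliest, latest) seconds after SA setup at which rekeying
    starts. Raises if the fuzzed margin can reach the lifetime itself, which
    would mean rekeying immediately after the SA comes up."""
    lo, hi = effective_margin_bounds(margin, fuzz)
    if hi >= lifetime:
        raise ValueError(
            f"rekeymargin*(1+rekeyfuzz)={hi}s is not below lifetime={lifetime}s")
    return lifetime - hi, lifetime - lo


def old_sa_overlap(lifetime, margin, fuzz):
    """Return (shortest, longest) time in seconds between the start of the
    rekey and the end of the old CHILD_SA's hard lifetime, i.e. the window a
    peer has to move outbound traffic onto the new SA."""
    earliest, latest = rekey_window(lifetime, margin, fuzz)
    return lifetime - latest, lifetime - earliest


def sample_rekey_time(lifetime, margin, fuzz, rng=random):
    """Draw one randomized rekey time, the way a daemon would."""
    lo, hi = effective_margin_bounds(margin, fuzz)
    return lifetime - rng.uniform(lo, hi)


def peer_switch_is_safe(lifetime, margin, fuzz, peer_switch_delay):
    """True if a peer that moves outbound traffic peer_switch_delay seconds
    after the rekey always does so before the old SA's hard lifetime ends,
    whatever fuzz value the initiator happens to draw."""
    shortest, _ = old_sa_overlap(lifetime, margin, fuzz)
    return peer_switch_delay < shortest


if __name__ == "__main__":
    # Constructed parameter sets: the post's values and strongSwan's defaults.
    for life, margin, fuzz in ((300, 180, 0.5), (3600, 540, 1.0)):
        print(f"lifetime={life}s margin={margin}s fuzz={fuzz:.0%}:",
              "rekey starts at", rekey_window(life, margin, fuzz),
              "s; old SA within hard lifetime for",
              old_sa_overlap(life, margin, fuzz), "s")
```

With the post's values the rekey starts somewhere between 30 s and 120 s after the Child SA is established, so the old SA is within its hard lifetime for 180 s to 270 s after the replacement starts; `peer_switch_is_safe` turns that into a yes/no check for a given delay on the peer's side.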