[strongSwan] Windows 7 seems to drop connection when rekeying main mode SA's

Martin Willi martin at strongswan.org
Tue Jan 10 15:32:59 CET 2012


> After disabling rekeying for Windows 7 connection I got rid of most of
> the reconnects caused by rekeying the SAs, but I still have one
> annoying connection interruption left.

When following the rules from [1], rekeying initiated by strongSwan
works fine here.

> But for some reason IP Security Monitor on Windows 7 reports 10800s as
> main mode SA lifetime. Even if I change ikelifetime on the strongSwan
> server to i.e. 8 or 12h it is still 3h.

I don't know if you can trust the IP Security Monitor, as it is mainly
for IKEv1. Not sure if these 10800s are correct. Further, lifetimes are
never negotiated in IKEv2; you can't change the behavior of Windows by
defining an ikelifetime on strongSwan. It only changes the behavior of
rekeying initiated locally.

> Now, the problem isn't really the 3h interval, it's that all the
> connections drop for a while until reconnect.

Would be helpful to know exactly _what_ is happening every three hours.
Does Windows trigger a rekey? Does it drop the CHILD_SA, close the
IKE_SA? A strongSwan log output would be helpful.

>         ike=aes256-sha1-modp1024
>         esp=aes256-sha1

I'd try to limit the proposal list to exactly these by appending a '!'.
I'm not aware of any problems with our lengthy default proposal set, but
just in case.



