[strongSwan] Windows 7 seems to drop connection when rekeying main mode SA's

Hans-Kristian Bakke hkbakke at gmail.com
Tue Jan 10 17:11:50 CET 2012

Thank you for your response.

I have read that document and have more or less based my config on it.
I have a couple of questions though:

rekey is not mentioned in the X.509 example but is disabled in the
EAP-MSCHAP example. I have now reactivated rekey in my configuration
to test.

I have set reauth to no because it made my strongswan to strongswan
tunnel drop the connection for a short moment. It is not mentioned in
the Windows 7 configuration.
Will having it enabled (like in the config examples) cause dropouts
during IKE SA renegotiations like I get using only strongswan?

I now have rekey = on and reauth = on (default) to be as identical to
the example configuration as possible.
I will try using ! if it doesn't work, but in my case it will cause
issues because it will override the ike/esp parameters in my other
connections (older mailing list post, something to do with me having
%any as right in all my connections if I remember correctly).

When it happens again I will look at the logs. Do you want a
particular log level or will the Debian default charon syslog do?


Hans-Kristian Bakke

On Tue, Jan 10, 2012 at 15:32, Martin Willi <martin at strongswan.org> wrote:
> Hi,
>> After disabling rekeying for Windows 7 connection I got rid of most of
>> the reconnects caused by rekeying the SAs, but I still have one
>> annoying connection interruption left.
> When following the rules from [1], rekeying initiated by strongSwan
> works fine here.
>> But for some reason IP Security Monitor on Windows 7 reports 10800s as
>> main mode SA lifetime. Even if I change ikelifetime on the Strongswan
>> server to i.e. 8 or 12h it is still 3h.
> I don't know if you can trust the IP Security Monitor, as it is mainly
> for IKEv1. Not sure if these 10800s are correct. Further, lifetimes are
> never negotiated in IKEv2; you can't change the behavior of Windows by
> defining an ikelifetime on strongSwan. It only changes the behavior of
> rekeying initiated locally.
>> Now, the problem isn't really the 3h interval, it's that all the
>> connections drop for a while until reconnect.
> Would be helpful to know exactly _what_ is happening every three hours.
> Does Windows trigger a rekey? Does it drop the CHILD_SA, close the
> IKE_SA? A strongSwan log output would be helpful.
>>         ike=aes256-sha1-modp1024
>>         esp=aes256-sha1
> I'd try to limit the proposal list to exactly these by appending a '!'.
> I'm not aware of any problems with our lengthy default proposal set, but
> just in case.
> Regards
> Martin
> [1]http://wiki.strongswan.org/projects/strongswan/wiki/Windows7#Rekeying-behavior
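Martin's question of what exactly happens every three hours is easiest to answer from the charon log. The following is an added example, not from this thread and not strongSwan's own code: a Python script that pulls the IKE_SA lifecycle lines out of charon syslog output and reports, per conn, the spacing between events and how long each reconnect left the tunnel down. The log sample, host name, conn name, SA numbers and times are constructed for the example.

```python
import re
from datetime import datetime

# Constructed charon syslog sample (not from the thread): the wording follows charon's
# IKE_SA lifecycle messages, but the hosts, SA numbers and times are invented.
SAMPLE_LOG = """\
Jan 10 11:00:03 gw charon: 07[IKE] IKE_SA win7[3] established between 203.0.113.1[gw]...198.51.100.7[win7-user]
Jan 10 14:00:01 gw charon: 12[IKE] deleting IKE_SA win7[3] between 203.0.113.1[gw]...198.51.100.7[win7-user]
Jan 10 14:00:09 gw charon: 09[IKE] IKE_SA win7[4] established between 203.0.113.1[gw]...198.51.100.7[win7-user]
Jan 10 14:00:09 gw charon: 09[IKE] CHILD_SA win7{4} established with SPIs c1f2a3b4_i d5e6f7a8_o
Jan 10 17:00:02 gw charon: 05[IKE] reauthenticating IKE_SA win7[4]
Jan 10 17:00:02 gw charon: 05[IKE] deleting IKE_SA win7[4] between 203.0.113.1[gw]...198.51.100.7[win7-user]
Jan 10 17:00:03 gw charon: 05[IKE] IKE_SA win7[5] established between 203.0.113.1[gw]...198.51.100.7[win7-user]
"""
# syslog prefix "<Mon DD HH:MM:SS> <host> charon: <thread>[IKE] <message>"; syslog carries no year
PREFIX = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ charon: \d+\[IKE\] (?P<msg>.*)$")
PATTERNS = {  # event kind -> message pattern; "conn" is the conn name, "id" the IKE_SA number
    "established": re.compile(r"^IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\] established"),
    "rekey": re.compile(r"^rekeying IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\]"),
    "reauth": re.compile(r"^reauthenticating IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\]"),
    "deleted": re.compile(r"^deleting IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\]"),
}

def parse_events(text, year=2012):
    """Return [(timestamp, kind, conn, sa_id)] for the IKE_SA lifecycle lines, in log order."""
    events = []
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        for kind, pat in PATTERNS.items():
            e = pat.match(m["msg"])
            if e:
                ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
                events.append((ts, kind, e["conn"], int(e["id"])))
                break
    return events

def timeline(events, conn):
    """One conn's events as (ts, kind, sa_id, previous kind, seconds since previous event)."""
    rows, prev_ts, prev_kind = [], None, None
    for ts, kind, c, sa_id in events:
        if c == conn:
            rows.append((ts, kind, sa_id, prev_kind, None if prev_ts is None else (ts - prev_ts).total_seconds()))
            prev_ts, prev_kind = ts, kind
    return rows

def outages(events, conn):
    """(re-established at, seconds down) for every new IKE_SA that directly follows a delete."""
    return [(ts, gap) for ts, kind, _, prev_kind, gap in timeline(events, conn)
            if kind == "established" and prev_kind == "deleted"]
```

A steady spacing of about 10800 s between the "deleted" rows is the signature of a 3 h IKE_SA lifetime on one side, and whether a "rekey" or "reauth" row precedes each delete shows whether strongSwan's own lifetime settings or the peer triggered the teardown.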

