[strongSwan] Windows 7 seems to drop connection when rekeying main mode SA's

Hans-Kristian Bakke hkbakke at gmail.com
Tue Jan 10 17:16:12 CET 2012

And one more thing:
The "Rekey"-document explains that the CHILD_SA rekey timer should be
more than 58m 46s if behind NAT and rekey active. This is the case in
my situation.
However, the configuration examples do not do anything to mitigate this.

When the connection is newly started I can see that Strongswan wants
to rekey CHILD_SA in about 48m (or around that).

Does this mean that I have to set the "lifetime" parameter for the
connection to e.g. 90m (the default is 1h)?


Hans-Kristian Bakke
Mob: 91 76 17 38

On Tue, Jan 10, 2012 at 17:11, Hans-Kristian Bakke <hkbakke at gmail.com> wrote:
> Thank you for your response.
> I have read that document and have more or less based my config on it.
> I have a couple of questions though:
> rekey is not mentioned in the X.509 example but is disabled in the
> EAP-MSCHAP example. I have now reactivated rekey in my configuration
> to test.
> I have set reauth to no because it made my strongswan to strongswan
> tunnel drop the connection for a short moment. It is not mentioned in
> the Windows 7 configuration.
> Will having it enabled (like in the config examples) cause drop outs
> during IKE SA renegotiations like I get using only strongswan?
> I now have rekey = on and reauth = on (default) to be as identical to
> the example configuration as possible.
> I will try using ! if it doesn't work, but in my case it will cause
> issues because it will override the ike/esp parameters in my other
> connections (older mailing list post, something to do with me having
> %any as right in all my connections if I remember correctly).
> When it happens again I will look at the logs. Do you want a
> particular log level or will the Debian default charon syslog do?
> Regards,
> Hans-Kristian Bakke
> On Tue, Jan 10, 2012 at 15:32, Martin Willi <martin at strongswan.org> wrote:
>> Hi,
>>> After disabling rekeying for Windows 7 connection I got rid of most of
>>> the reconnects caused by rekeying the SAs, but I still have one
>>> annoying connection interruption left.
>> When following the rules from [1], rekeying initiated by strongSwan
>> works fine here.
>>> But for some reason IP Security Monitor on Windows 7 reports 10800s as
>>> main mode SA lifetime. Even if I change ikelifetime on the Strongswan
>>> server to e.g. 8 or 12h it is still 3h.
>> I don't know if you can trust the IP Security Monitor, as it is mainly
>> for IKEv1. Not sure if these 10800s are correct. Further, lifetimes are
>> never negotiated in IKEv2, you can't change the behavior of Windows by
>> defining an ikelifetime on strongSwan. It only changes the behavior of
>> rekeying initiated locally.
>>> Now, the problem isn't really the 3h interval, it's that all the
>>> connections drop for a while until reconnect.
>> Would be helpful to know exactly _what_ is happening every three hours.
>> Does Windows trigger a rekey? Does it drop the CHILD_SA, close the
>> IKE_SA? A strongSwan log output would be helpful.
>>>         ike=aes256-sha1-modp1024
>>>         esp=aes256-sha1
>> I'd try to limit the proposal list to exactly these by appending a '!'.
>> I'm not aware of any problems with our lengthy default proposal set, but
>> just in case.
>> Regards
>> Martin
>> [1] http://wiki.strongswan.org/projects/strongswan/wiki/Windows7#Rekeying-behavior
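Added example (my own, not code from this thread or from the strongSwan project): a small checker that reads one ipsec.conf conn section and applies the two points raised above, namely that the locally scheduled CHILD_SA rekey must come later than the 58m 46s mentioned for the NAT case when rekey is active, and Martin's suggestion to make the ike/esp proposals strict with a trailing '!'. The rekey scheduling formula (rekey at lifetime minus margintime minus a random part of up to rekeyfuzz percent of margintime) and the defaults lifetime=1h, margintime=9m, rekeyfuzz=100% are my assumptions from the ipsec.conf man page, not something stated in the thread; with them the default window is 42m to 51m, which matches the "about 48m" observed. The two conn sections are constructed samples.

```python
"""Check a strongSwan ipsec.conf conn section against the rekey rule and the
strict-proposal suggestion from the thread.

Assumption (ipsec.conf man page, not the thread): strongSwan starts a
CHILD_SA rekey at  lifetime - margintime - random(0, margintime * rekeyfuzz)
with defaults lifetime=1h, margintime=9m, rekeyfuzz=100%.
"""
import re

# The 58m 46s figure quoted from the Windows7 wiki page in the thread.
WINDOWS7_NAT_MIN_REKEY_S = 58 * 60 + 46

# Assumed ipsec.conf defaults (man page values, not taken from the thread).
DEFAULT_LIFETIME = "1h"
DEFAULT_MARGINTIME = "9m"
DEFAULT_REKEYFUZZ = "100%"

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """Convert an ipsec.conf time value ('90m', '1h', '3600') to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError("bad duration: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def parse_fuzz(value):
    """Convert a rekeyfuzz percentage ('100%') to a fraction (1.0)."""
    return int(value.strip().rstrip("%")) / 100.0


def parse_conn(text):
    """Return the key=value settings of a single conn section as a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and indentation
        if not line or line.startswith("conn "):
            continue
        key, _, val = line.partition("=")
        settings[key.strip()] = val.strip()
    return settings


def rekey_window(lifetime=DEFAULT_LIFETIME, margintime=DEFAULT_MARGINTIME,
                 rekeyfuzz=DEFAULT_REKEYFUZZ):
    """Earliest and latest second (after SA creation) at which a rekey starts."""
    life = parse_duration(lifetime)
    margin = parse_duration(margintime)
    fuzz = parse_fuzz(rekeyfuzz)
    earliest = life - margin - int(margin * fuzz)   # random fuzz fully applied
    latest = life - margin                           # no fuzz at all
    return earliest, latest


def check_conn(text, behind_nat=True):
    """Return (ok, findings) for one conn section."""
    s = parse_conn(text)
    findings = []
    # Strict proposals: only what is listed, nothing from the default set.
    for key in ("ike", "esp"):
        if key in s and not s[key].endswith("!"):
            findings.append("%s proposal is not strict; use %s!" % (key, s[key]))
    # With rekey=no strongSwan never initiates a rekey, so the window is moot.
    rekey_on = s.get("rekey", "yes").lower() == "yes"
    if rekey_on and behind_nat:
        earliest, latest = rekey_window(s.get("lifetime", DEFAULT_LIFETIME),
                                        s.get("margintime", DEFAULT_MARGINTIME),
                                        s.get("rekeyfuzz", DEFAULT_REKEYFUZZ))
        if earliest <= WINDOWS7_NAT_MIN_REKEY_S:
            findings.append("CHILD_SA rekey window %ds-%ds starts before %ds; "
                            "raise lifetime" % (earliest, latest,
                                                WINDOWS7_NAT_MIN_REKEY_S))
    return not findings, findings


# Constructed sample: the settings from the thread with default lifetime.
SAMPLE_DEFAULT = """conn win7
        keyexchange=ikev2
        ike=aes256-sha1-modp1024
        esp=aes256-sha1
        rekey=yes
        reauth=yes
"""

# Constructed sample: strict proposals and a 90m lifetime.
SAMPLE_FIXED = """conn win7
        keyexchange=ikev2
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        lifetime=90m
        rekey=yes
        reauth=yes
"""

if __name__ == "__main__":
    for name, conf in (("default", SAMPLE_DEFAULT), ("fixed", SAMPLE_FIXED)):
        ok, findings = check_conn(conf)
        print(name, "OK" if ok else "FINDINGS:", *findings, sep="\n  ")
```

With lifetime=90m the earliest possible rekey moves to 72m, comfortably past the 58m 46s mark, while the default 1h lifetime can start a rekey as early as 42m.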
