[strongSwan] site-to-site vpn tunnel drops exactly every 6 hours : StrongSwan <-> Cisco ASA

Martin Willi martin at strongswan.org
Mon Sep 23 15:21:44 CEST 2013


> Due to your unique policy and a limitation of our new IKEv1
> implementation, this leads to a problem: The uniqueness policy deletes
> the old ISAKMP during re-authentication before it can complete.
> 
> This is a known issue, and I hope I'll find some time to fix this.

I've pushed a few changes to [1] that should fix the issue when
reauthenticating an IKE_SA having a keep or replace unique policy.

> I have tried this but end up with what appears to be multiple tunnels
> to the same endpoint after renegotiating the initial tunnel.

With IKEv1, overlapping ISAKMP are hard to avoid. We keep it in certain
situations (reauthentication) where deleting them explicitly can lead to
problems. The ISAKMP SA should get deleted once the hard lifetime times
out; having congruent rekeying parameters on both ends can certainly
help.

Regards
Martin

[1]http://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/ikev1-reauth
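As an added illustration of the "congruent rekeying parameters" Martin recommends (this fragment is not part of his message or of the strongSwan project's documentation), here is what the strongSwan side of such a site-to-site tunnel could look like in ipsec.conf. All addresses, subnets, proposals and lifetimes are assumed values chosen for the example, not taken from the thread; the peer's lifetimes must be read from the ASA configuration and matched here.

```conf
# ipsec.conf, strongSwan side of a site-to-site IKEv1 tunnel to a Cisco ASA
# (added example with assumed values; adjust to the actual deployment)

config setup
    # 'keep' and 'replace' are the unique policies the ikev1-reauth branch
    # concerns itself with: with 'keep', an existing ISAKMP SA to the same
    # peer identity is retained while the reauthentication completes.
    uniqueids=keep

conn asa-site
    keyexchange=ikev1
    left=192.0.2.1              # assumed local gateway address
    leftsubnet=10.1.0.0/16      # assumed local protected network
    right=198.51.100.1          # assumed ASA outside address
    rightsubnet=10.2.0.0/16     # assumed remote protected network
    authby=secret               # assumed PSK authentication

    # Strict proposals ('!') so only the agreed algorithms are offered
    ike=aes256-sha1-modp1024!   # must match the ASA 'crypto ikev1 policy'
    esp=aes256-sha1!            # must match the ASA transform set

    # ISAKMP (phase 1) lifetime: set this equal to the ASA's
    # 'crypto ikev1 policy <n> / lifetime <seconds>' (assumed: 86400 s = 24h).
    # With IKEv1, strongSwan always reauthenticates (a new ISAKMP SA) rather
    # than rekeying the existing one in place; the old ISAKMP SA is then
    # expected to expire at its hard lifetime, as described above.
    ikelifetime=24h

    # IPsec (phase 2) lifetime: set this equal to the ASA's
    # 'set security-association lifetime seconds' on the crypto map
    # (assumed: 3600 s = 1h).
    lifetime=1h

    # strongSwan initiates rekeying margintime before the lifetime ends,
    # randomised by rekeyfuzz; the ASA has no such margin, so leaving these at
    # their defaults makes strongSwan the side that normally rekeys first and
    # avoids both ends initiating at the same moment.
    margintime=9m
    rekeyfuzz=100%

    auto=start
```

When verifying the result, compare `ipsec statusall` on the strongSwan side with `show crypto ikev1 sa` and `show crypto ipsec sa` on the ASA after a reauthentication has occurred: a single ISAKMP SA and a single pair of IPsec SAs per traffic selector is the expected steady state, and a second ISAKMP SA that lingers past `ikelifetime` indicates the lifetimes on the two ends still differ.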