[strongSwan] ikev1 cisco l2l issue

Noel Kuntze noel at familie-kuntze.de
Sat Aug 22 02:51:57 CEST 2015



Hello Tormod,

> The phase 1 rekey is immediately successful but the tunnel is torn down by DPD on the cisco asa around 15 seconds later. It looks to me like a problem with the cisco asa as I understood that the initiator (in this case the strongswan instance) should be the one that initiates the rekey. And even then, it shouldn't rekey until the phase 1 lifetime is expiring. I thought I'd mail my problem to this list in the hope that someone might offer some advice. Hopefully I'm just doing something stupid.
> 
Any side can initiate a rekey event. Try increasing the DPD timeout on the ASA to be 3x higher than the dpddelay setting of strongSwan.

> dpdtimeout=10s
> dpddelay=10s

That doesn't make any sense. Sane values are dpddelay=5s and dpdtimeout=15s, so DPD times out after three packets or 15 seconds without an answer to a DPD packet.

You should match that setting to the value in the cisco config:
>  isakmp keepalive threshold 10 retry 3

-- 

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
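
The rules in the reply (dpdtimeout should leave room for three probes, i.e. be about 3 x dpddelay, and the peer's dead-peer timeout should not be shorter than 3 x our dpddelay) are easy to get wrong by hand, so here is an added example checker; it is not part of the original mail or of strongSwan. It reads one `conn` section of an ipsec.conf-style file, applies those rules, and reports the quoted 10s/10s pair as broken while accepting 5s/15s. The conn name `asa-l2l` and both config fragments are constructed for the example; the defaults for dpdaction, dpddelay and dpdtimeout are the ones documented in ipsec.conf(5). Which ASA value to pass as `peer_timeout` is left to the caller, since the mail only says it should be 3 x dpddelay.

```python
import re

# Time suffixes accepted by strongSwan in ipsec.conf (a bare number means seconds).
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """Convert a strongSwan time value such as '10s', '5m' or '150' to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", text)
    if not m:
        raise ValueError("not a strongSwan time value: %r" % text)
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_conn(conf_text, conn_name):
    """Return the key=value settings of one 'conn <name>' section of ipsec.conf.

    Section headers start in column 0, settings are indented, '#' starts a
    comment. 'conn %default' inheritance and 'also=' are deliberately not
    handled here; this is only a checker for one explicit section.
    """
    settings = {}
    in_conn = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():              # a new section header
            in_conn = line.split() == ["conn", conn_name]
            continue
        if in_conn and "=" in line:
            key, val = line.strip().split("=", 1)
            settings[key.strip()] = val.strip()
    return settings


def check_dpd(settings, peer_timeout=None):
    """Apply the DPD rules from the reply to one conn's settings.

    Returns a list of findings; an empty list means the settings look sane.
    peer_timeout is the other side's dead-peer timeout in seconds, if known.
    """
    findings = []
    action = settings.get("dpdaction", "none")                    # ipsec.conf(5) default
    delay = parse_duration(settings.get("dpddelay", "30s"))       # ipsec.conf(5) default
    timeout = parse_duration(settings.get("dpdtimeout", "150s"))  # ipsec.conf(5) default

    if action == "none":
        findings.append("dpdaction=none: DPD is disabled on this side")
    if timeout <= delay:
        findings.append(
            "dpdtimeout=%ds does not exceed dpddelay=%ds: only one probe fits "
            "before the peer is declared dead" % (timeout, delay))
    elif timeout < 3 * delay:
        findings.append(
            "dpdtimeout=%ds is below 3 x dpddelay (%ds): fewer than three probes "
            "fit before the peer is declared dead" % (timeout, 3 * delay))
    if peer_timeout is not None and peer_timeout < 3 * delay:
        findings.append(
            "peer DPD timeout %ds is below 3 x our dpddelay (%ds); raise it on "
            "the peer" % (peer_timeout, 3 * delay))
    return findings


# Constructed sample: the values quoted in the thread, and the suggested fix.
QUOTED_CONF = """\
conn asa-l2l
    keyexchange=ikev1
    dpdaction=restart
    dpddelay=10s
    dpdtimeout=10s
"""

FIXED_CONF = """\
conn asa-l2l
    keyexchange=ikev1
    dpdaction=restart
    dpddelay=5s       # probe after 5s idle
    dpdtimeout=15s    # three unanswered probes
"""

if __name__ == "__main__":
    for name, conf in (("quoted", QUOTED_CONF), ("fixed", FIXED_CONF)):
        print(name, check_dpd(parse_conn(conf, "asa-l2l")) or ["ok"])
```

Run it as-is to see the quoted settings flagged and the fixed ones pass; point `parse_conn` at your own ipsec.conf text and conn name to check a real setup.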
