List: strongswan-users
Subject: Re: [strongSwan] ikev1 cisco l2l issue
From: Noel Kuntze <noel () familie-kuntze ! de>
Date: 2015-08-22 0:51:57
Message-ID: 55D7C7AD.9020608 () familie-kuntze ! de
Hello Tormod,
> The phase 1 rekey is immediately successful but the tunnel is torn down by DPD on
> the cisco asa around 15 seconds later. It looks to me like a problem with the cisco
> asa as I understood that the initiator (in this case the strongswan instance)
> should be the one that initiates the rekey. And even then, it shouldn't rekey until
> the phase 1 lifetime is expiring. I thought I'd mail my problem to this list in the
> hope that someone might offer some advice. Hopefully I'm just doing something
> stupid.
Any side can initiate a rekey event. Try increasing the DPD timeout on the ASA to be
3x higher than the dpddelay setting of strongSwan.
> dpdtimeout=10s
> dpddelay=10s
That doesn't make any sense. Sane values are dpddelay=5s and dpdtimeout=15s, so DPD
times out after three packets or 15 seconds without an answer to a DPD packet.
You should match that setting to the value in the cisco config:
> isakmp keepalive threshold 10 retry 3
--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
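Added example, not part of the message above and not strongSwan code: a Python check that reads an ipsec.conf-style file and flags connections with DPD enabled whose dpdtimeout is less than three times dpddelay, the ratio the reply recommends. The sample config, the connection names and the function names are constructed for illustration; `also=` includes are not followed.

```python
import re

# Constructed sample; only the 10s/10s and 5s/15s values come from the thread.
SAMPLE_CONF = """\
conn %default
    dpdaction=restart
conn asa-l2l
    dpddelay=10s
    dpdtimeout=10s
conn asa-l2l-fixed
    dpddelay=5s
    dpdtimeout=15s
"""

def seconds(value):
    """Convert an ipsec.conf time value ('15s', '2m', '1h', '1d', bare number) to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"unparseable time value: {value!r}")
    return int(m.group(1)) * {"s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2) or "s"]

def parse_conns(text):
    """Return {conn name: {option: value}}; 'also=' includes are not followed."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing blanks
        head = re.fullmatch(r"conn\s+(\S+)", line)
        if head:
            current = conns.setdefault(head.group(1), {})
        elif line and not line[0].isspace():
            current = None                     # some other section, e.g. "config setup"
        elif current is not None and "=" in line:
            key, val = line.split("=", 1)
            current[key.strip()] = val.strip()
    return conns

def check_dpd(text, factor=3):
    """List (conn, dpddelay, dpdtimeout) where dpdtimeout < factor * dpddelay."""
    conns = parse_conns(text)
    # ipsec.conf defaults: dpdaction=none (DPD off), dpddelay=30s, dpdtimeout=150s
    base = {"dpdaction": "none", "dpddelay": "30s", "dpdtimeout": "150s",
            **conns.pop("%default", {})}
    findings = []
    for name, opts in conns.items():
        o = {**base, **opts}                   # conn options override %default
        delay, timeout = seconds(o["dpddelay"]), seconds(o["dpdtimeout"])
        if o["dpdaction"] != "none" and timeout < factor * delay:
            findings.append((name, delay, timeout))
    return findings
```

`check_dpd(SAMPLE_CONF)` returns the `asa-l2l` connection with its 10s/10s pair and leaves the 5s/15s connection alone.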