SECURITY ASSOCIATION RENEWAL AFTER SALIFETIME/ IKELIFETIME EXPIRE

Solution Verified - Updated -

Issue

  • The ipsec tunnel's 'ikelifetime' expires before 'salifetime', where the Security Association Phase_2 refers to the expired Security Association Phase_1.

  • The configuration in production environment is with ikelifetime set higher than salifetime for both NODE_A and NODE_B.

    ikelifetime=43200
salifetime=1800

Environment

  • Red Hat Enterprise Linux 7.8
  • libreswan : 3.25-8.1.el7_7

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content