IKEd, rising SAD count and DPD


Kim Zeitler
I have iked running connecting to a Fortigate FW.

Running 'ipsecctl -s a' gives me the correct flows, but a rising number
of SADs. The tunnel has been up 5 days and I got 212 SADs installed.

Do I need to set up some kind of DPD to have the old SADs pulled down,
or is my error that ikelifetime and lifetime are not in seconds?

#cat /etc/iked.conf
ikev2 "h" active esp \
         from $k_dev to $h_server \
         from $k_server to $h_dev \
         peer $h_gw \
         ikesa auth hmac-sha2-256 \
         enc aes-256 \
         group modp1536 \
         childsa auth hmac-sha2-256 \
         enc aes-256 \
         group modp1536 \
         srcid '' \
         ikelifetime 28800 \
         lifetime 14400 \
         psk 'Some nice long hash'
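A way to turn the observation above ("212 SADs after 5 days") into a repeatable check, added here as an example and not part of the original post: count the ESP SAs per directional endpoint pair in `ipsecctl -s a` style output and flag any pair holding more than a small rekey overlap. The sample output embedded below is constructed to mimic the `esp tunnel from A to B spi 0x... auth ... enc ...` line shape and uses documentation addresses; the field positions are an assumption, so compare them against real `ipsecctl -s a` output before piping it in.

```shell
#!/bin/sh
# Added example (not from the original post): count ESP SAs per endpoint
# pair in `ipsecctl -s a` style output and flag pairs that have accumulated
# more than the expected rekey overlap. SAMPLE_SAD is CONSTRUCTED to mimic
# the real line shape; verify the field positions against your own output.

SAMPLE_SAD='FLOWS:
flow esp in from 10.1.0.0/24 to 10.2.0.0/24 peer 203.0.113.2 srcid FQDN/h dstid FQDN/fw type require
flow esp out from 10.2.0.0/24 to 10.1.0.0/24 peer 203.0.113.2 srcid FQDN/h dstid FQDN/fw type require

SAD:
esp tunnel from 198.51.100.1 to 203.0.113.2 spi 0x0a0b0c01 auth hmac-sha2-256 enc aes-256
esp tunnel from 203.0.113.2 to 198.51.100.1 spi 0x0a0b0c02 auth hmac-sha2-256 enc aes-256
esp tunnel from 198.51.100.1 to 203.0.113.2 spi 0x0a0b0c03 auth hmac-sha2-256 enc aes-256
esp tunnel from 203.0.113.2 to 198.51.100.1 spi 0x0a0b0c04 auth hmac-sha2-256 enc aes-256
esp tunnel from 198.51.100.1 to 203.0.113.2 spi 0x0a0b0c05 auth hmac-sha2-256 enc aes-256
esp tunnel from 203.0.113.2 to 198.51.100.1 spi 0x0a0b0c06 auth hmac-sha2-256 enc aes-256'

# Read ipsecctl output on stdin; print "count src dst" for each directional
# pair found in the SAD section (FLOWS lines are ignored).
count_sas() {
    awk '
        /^SAD:/   { insad = 1; next }
        /^FLOWS:/ { insad = 0; next }
        insad && $1 == "esp" && $2 == "tunnel" && $3 == "from" && $5 == "to" {
            n[$4 " " $6]++
        }
        END { for (k in n) print n[k], k }
    '
}

# Total number of SAs in the SAD section (stdin).
total_sas() {
    count_sas | awk '{ s += $1 } END { print s + 0 }'
}

# Print directional pairs holding more than $1 SAs (default 2: the live SA
# plus one rekey overlap). Any output means old SAs are not being retired
# and the lifetime/rekey behaviour on one side deserves a look.
check_sa_buildup() {
    limit=${1:-2}
    count_sas | awk -v lim="$limit" '$1 > lim { print $2 " -> " $3 ": " $1 " SAs" }'
}

# Stand-alone run against the constructed sample; on a live host pipe
# `ipsecctl -s a | check_sa_buildup` instead.
printf '%s\n' "$SAMPLE_SAD" | check_sa_buildup
```

On the constructed sample each direction holds three SAs, so both pairs are reported at the default limit of 2 and nothing is reported at a limit of 3. Run periodically, a steadily growing count for the same pair is the signal to compare both peers' lifetime settings; in iked.conf(5) a bare number for ikelifetime and lifetime is seconds (the m and h suffixes are also accepted).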