IKEd, rising SAD count and DPD


Kim Zeitler
Hello
I have iked running, connecting to a Fortigate FW.

Running 'ipsecctl -s a' gives me the correct flows, but a rising number
of SADs. The tunnel has been up 5 days and I got 212 SADs installed.

Do I need to set up some kind of dpd to have the old SADs pulled down,
or is my error that ikelifetime and lifetime are not in seconds?


#cat /etc/iked.conf
...
ikev2 "h" active esp \
         from $k_dev to $h_server \
         from $k_server to $h_dev \
         peer $h_gw \
         ikesa auth hmac-sha2-256 \
         enc aes-256 \
         group modp1536 \
         childsa auth hmac-sha2-256 \
         enc aes-256 \
         group modp1536 \
         srcid '80.80.80.80' \
         ikelifetime 28800 \
         lifetime 14400 \
         psk 'Some nice long hash'
...

Cheers,
Kim
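A small check for the symptom described in the post, added here as an example and not code from the poster or from OpenBSD: it parses `ipsecctl -s sa` output, counts SAs per (protocol, source, destination) direction, flags directions holding more than the current SA plus one overlapping rekey SA, and estimates how many SAs would pile up over a given uptime if expired ones were never deleted. The one-SA-per-line output format, the peer address 90.90.90.90 and the SPI values are assumptions constructed for the sample; 80.80.80.80 is the srcid from the posted config.

```python
import re
from collections import defaultdict

# Constructed sample of `ipsecctl -s sa` output. The line format is assumed
# (one SA per line: proto, endpoints, spi, auth, enc); peer 90.90.90.90 and
# every SPI are made up for this example.
SAMPLE = """\
esp tunnel from 80.80.80.80 to 90.90.90.90 spi 0x1a2b3c4d auth hmac-sha2-256 enc aes-256
esp tunnel from 90.90.90.90 to 80.80.80.80 spi 0x5e6f7081 auth hmac-sha2-256 enc aes-256
esp tunnel from 80.80.80.80 to 90.90.90.90 spi 0x92a3b4c5 auth hmac-sha2-256 enc aes-256
esp tunnel from 90.90.90.90 to 80.80.80.80 spi 0xd6e7f809 auth hmac-sha2-256 enc aes-256
esp tunnel from 80.80.80.80 to 90.90.90.90 spi 0x1b2c3d4e auth hmac-sha2-256 enc aes-256
"""

SA_RE = re.compile(r"^(\w+) tunnel from (\S+) to (\S+) spi (0x[0-9a-fA-F]+)")


def parse_sas(text):
    """Group SAs by direction: {(proto, src, dst): [spi, ...]}."""
    sas = defaultdict(list)
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            proto, src, dst, spi = m.groups()
            sas[(proto, src, dst)].append(spi)
    return dict(sas)


def find_stale(sas, max_per_direction=2):
    """Directions with more SAs than a healthy rekey allows.

    While a child SA is being rekeyed the old and new SA coexist briefly,
    so up to 2 per direction is normal; more means expired SAs linger."""
    return {key: len(spis) for key, spis in sas.items()
            if len(spis) > max_per_direction}


def accumulation_estimate(uptime_s, lifetime_s, directions):
    """How many SAs exist after uptime_s if none are ever removed:
    the initial set plus one new set per elapsed child SA lifetime."""
    return directions * (uptime_s // lifetime_s + 1)


if __name__ == "__main__":
    sas = parse_sas(SAMPLE)
    for key, spis in sas.items():
        print(key, len(spis), "SA(s)")
    print("stale:", find_stale(sas))
    # Posted numbers: 5 days up, lifetime 14400 s, two flows in two directions.
    print("no-delete estimate:", accumulation_estimate(5 * 86400, 14400, 4))
```

Running it against real output (`ipsecctl -s sa | python3 check_sa.py` with the sample replaced by stdin) turns the rising count in the post into a per-direction alert rather than a single total.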