
Re: Strongswan periodically crashes & breaks VPN - "thread 10 received 11" ???


marsboer wrote:

train_wreck wrote:
I wonder if I could set a slightly lower lifetime on the ERL than the TP-Link? That way the ERL would always expire & rekey the SA first?

Yes, that would work. But if I were you I would try to increase (and set the ikelifetime to a very low interval on the TP-Link to trigger rekey often) the logging to see exactly what the EdgeRouter is not happy with before turning to this quite "hacky" workaround. The base issue can probably be corrected to avoid triggering the bug.


I'm not really sure there's more info to be gained, other than the swanctl output I posted..... plus it's pretty much a confirmed bug. Strongswan's already patched it, it's UBNT's responsibility to update it.

 

And the crash has started happening much more frequently now that I have configured L2TP remote access tunnels; Strongswan is crashing several times a day, particularly when Android clients attempt a re-key. I gave up for the time being and moved back to the Cisco. It doesn't deliver the full NAT throughput of my AT&T fiber connection, but the VPN on it actually, you know, works.

 
