ipsec ISAKMP-SA expired every 8 mins. (approximately)

Hi,
I use an IPsec VPN to link a remote office with the head office.
I noticed the ISAKMP-SA being re-established periodically (approximately every 8 minutes):

16:03:01 ipsec begin Identity Protection mode. 
16:03:02 ipsec ISAKMP-SA established 192.168.1.1[500]-192.168.1.101[500] spi:eaa599886d365e8a:2eb058ac8ccb1124 
16:03:03 ipsec respond new phase 2 negotiation: 192.168.1.1[500]<=>192.168.1.101[500] 
16:03:04 ipsec IPsec-SA established: ESP/Tunnel 192.168.1.101[0]->192.168.1.1[0] spi=128147769(0x7a36139) 
16:03:04 ipsec IPsec-SA established: ESP/Tunnel 192.168.1.1[0]->192.168.1.101[0] spi=3694340472(0xdc332978) 

....

16:10:39 ipsec ISAKMP-SA expired 192.168.1.1[500]-192.168.1.101[500] spi:eaa599886d365e8a:2eb058ac8ccb1124 
16:10:40 ipsec ISAKMP-SA deleted 192.168.1.1[500]-192.168.1.101[500] spi:eaa599886d365e8a:2eb058ac8ccb1124 
16:10:40 ipsec respond new phase 1 negotiation: 192.168.1.1[500]<=>192.168.1.101[500] 
16:10:40 ipsec begin Identity Protection mode. 
.....

After several hours of work, several dozen installed SAs (in mature state) accumulate.

My configuration:
Main office: RB450G v3.26, outer IP=192.168.1.1, serves the 192.168.0.0/16 network
Remote office: Zyxel Prestige P334 as router IP=192.168.1.101, 2 computers (192.168.14.2, 192.168.14.3)

/ip ipsec policy print

Flags: X - disabled, D - dynamic, I - inactive 
 4   src-address=192.168.0.0/16:any dst-address=192.168.14.2/32:any protocol=all action=encrypt level=require 
     ipsec-protocols=esp tunnel=yes sa-src-address=192.168.1.1 sa-dst-address=192.168.1.101 proposal=default 
     priority=0 

 5   src-address=192.168.0.0/16:any dst-address=192.168.14.3/32:any protocol=all action=encrypt level=require 
     ipsec-protocols=esp tunnel=yes sa-src-address=192.168.1.1 sa-dst-address=192.168.1.101 proposal=default 
     priority=0

/ip ipsec peer print

 2   address=192.168.1.101/32:500 auth-method=pre-shared-key secret="top secret" generate-policy=no 
     exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=claim hash-algorithm=sha1 
     enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5

/ip ipsec proposal print

Flags: X - disabled 
 0   name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=1d pfs-group=modp1024

Finally, after about 7-8 hours, 2-3 hundred active SAs appear and we get 100% processor load :frowning:

What’s wrong?

When there are no two ways about it, read the manual :smiley:

There are two lifetime values - soft and hard. When an SA reaches its soft lifetime threshold, the IKE
daemon receives a notice and starts another phase 2 exchange to replace this SA with a fresh one. If
the SA reaches its hard lifetime, it is discarded.

Obviously, I am observing the so-called soft lifetime every 8 mins.
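
As an added example (not part of the original posts, and not MikroTik code), the Python below pairs each "ISAKMP-SA established" line with its "ISAKMP-SA expired" line by SPI cookie pair, using the log lines quoted in the question, and compares the observed phase 1 lifetime with the peer's configured lifetime=1d. The function names and the suffix-only duration parser are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the first post (the log carries times only, no dates).
LOG = """\
16:03:01 ipsec begin Identity Protection mode.
16:03:02 ipsec ISAKMP-SA established 192.168.1.1[500]-192.168.1.101[500] spi:eaa599886d365e8a:2eb058ac8ccb1124
16:03:03 ipsec respond new phase 2 negotiation: 192.168.1.1[500]<=>192.168.1.101[500]
16:03:04 ipsec IPsec-SA established: ESP/Tunnel 192.168.1.101[0]->192.168.1.1[0] spi=128147769(0x7a36139)
16:03:04 ipsec IPsec-SA established: ESP/Tunnel 192.168.1.1[0]->192.168.1.101[0] spi=3694340472(0xdc332978)
16:10:39 ipsec ISAKMP-SA expired 192.168.1.1[500]-192.168.1.101[500] spi:eaa599886d365e8a:2eb058ac8ccb1124
16:10:40 ipsec ISAKMP-SA deleted 192.168.1.1[500]-192.168.1.101[500] spi:eaa599886d365e8a:2eb058ac8ccb1124
16:10:40 ipsec respond new phase 1 negotiation: 192.168.1.1[500]<=>192.168.1.101[500]
"""

PHASE1 = re.compile(r"^(\d\d:\d\d:\d\d) ipsec ISAKMP-SA (established|expired) \S+ spi:(\S+)")
PHASE2 = re.compile(r"^\d\d:\d\d:\d\d ipsec IPsec-SA established: ")
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_lifetime(text):
    """Convert a suffix-style duration such as '1d' or '1h30m' to seconds."""
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", text))

def analyse(log, configured="1d"):
    """Return (phase 1 lifetimes in seconds by SPI pair, IPsec-SA count, early SPI pairs)."""
    started, lifetimes, ipsec_sas = {}, {}, 0
    for line in log.splitlines():
        if PHASE2.match(line):
            ipsec_sas += 1                  # one line per direction of the tunnel
        m = PHASE1.match(line)
        if not m:
            continue
        stamp, event, spi = datetime.strptime(m[1], "%H:%M:%S"), m[2], m[3]
        if event == "established":
            started[spi] = stamp
        elif spi in started:
            delta = stamp - started.pop(spi)
            if delta < timedelta(0):        # no date in the log: assume one midnight rollover
                delta += timedelta(days=1)
            lifetimes[spi] = int(delta.total_seconds())
    limit = parse_lifetime(configured)
    early = [spi for spi, secs in lifetimes.items() if secs < limit]
    return lifetimes, ipsec_sas, early

if __name__ == "__main__":
    lifetimes, ipsec_sas, early = analyse(LOG)
    for spi, secs in lifetimes.items():
        print(f"{spi}: lived {secs}s, configured {parse_lifetime('1d')}s, early={spi in early}")
    print(f"IPsec-SAs established in this window: {ipsec_sas}")
```

Run over a longer export of the same log, the per-SPI lifetimes and the running count of "IPsec-SA established" lines show how quickly SAs pile up between phase 1 renegotiations.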