Mon Aug 10, 2015 3:28 pm
Ok, thanks for the info.
I checked that, and RouterOS tried to renew the phase 2 SAs when the SAs had 24 minutes of lifetime remaining. 30 minutes remaining is 75%, so it seems to be OK.
The problem is that the other router (McAfee firewall) has the soft rekeying at 85% of the SA timeout, so my rekey at around 75% is not allowed. And the hard rekey when the timeout arrives on RouterOS doesn't work, because the other router detects the phase 2 as expired and the phase 1 is dropped too.
At that moment the phase 1 on RouterOS is renegotiated and RouterOS sees it as OK, but the McAfee doesn't show anything on phase 1. And obviously the attempts by RouterOS to set up a phase 2 always fail because the phase 1 does not exist on the McAfee.