IPsec Phase 2 Before Phase 1 On SA Renewal?
I have my IPsec LAN-to-LAN set up and running. I have both sides set up identically (Proposal, Exchange Mode, DPD, SA Lifetimes, etc.) with one side as Initiator and the other as Responder. I notice in the logs that IPsec phase 2 appears to happen before the start of negotiation and also before phase 1. I assumed it would go: negotiation start, then phase 1, and then phase 2.
Is this the way it is supposed to be (so the tunnel doesn't go down completely before expiration, or something else...)?
Initiator side log:
| 10 | 2021-01-01 16:02:29 | IPsec | NOTICE | WAN2: Phase 1 of IKE negotiation succeeded. |
| 11 | 2021-01-01 16:02:28 | IPsec | NOTICE | WAN2: IKE negotiation began in initiator mode. (Mode=Main Mode) |
| 12 | 2021-01-01 16:02:28 | IPsec | WARNING | WAN2: Lifetime of the SA created in phase 1 of IKE negotiation expired. |
| 13 | 2021-01-01 16:02:14 | IPsec | NOTICE | WAN2: Phase 2 of IKE negotiation succeeded. |
And the Responder side log:
| 40 | 2021-01-01 16:02:29 | IPsec | NOTICE | WAN1: Phase 1 of IKE negotiation succeeded. |
| 41 | 2021-01-01 16:02:29 | IPsec | NOTICE | WAN1: IKE negotiation began in responder mode. (Mode=Main Mode) |
| 42 | 2021-01-01 16:02:14 | IPsec | NOTICE | WAN1: Phase 2 of IKE negotiation succeeded. |
