Two networks are joined through an IPsec VPN between Openswan and MS ISA 2004 SP2. Everything works fine, but one thing is worrying: at irregular intervals (anywhere from 2 to 10 minutes) the ISA server initiates a re-establishment of the SA. I'm not sure this behaviour is normal.
On the server running openswan:
x.x.x.x - external IP of the ISA server
y.y.y.y - external IP of the openswan server
> ipsec auto --status
000 #13: "isa-linnet":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3596s; newest IPSEC; eroute owner
000 #13: "isa-linnet" esp.ad96c4d9@x.x.x.x esp.48ebd331@y.y.y.y tun.0@x.x.x.x tun.0@y.y.y.y
000 #1: "isa-linnet":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 26839s; newest ISAKMP; nodpd
000 #12: "isanet-linnet":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3468s; newest IPSEC; eroute owner
000 #12: "isanet-linnet" esp.d1c9f443@x.x.x.x esp.3ba211c6@y.y.y.y tun.0@x.x.x.x tun.0@y.y.y.y
000 #10: "isanet-linnet":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3079s
000 #10: "isanet-linnet" esp.39818cf@x.x.x.x esp.4631f488@y.y.y.y tun.0@x.x.x.x tun.0@y.y.y.y
In the openswan logs:
Aug 9 09:39:01 gateway pluto[9104]: "isa-linnet" #1: received Delete SA(0x2306d459) payload: deleting IPSEC State #8
Aug 9 09:39:01 gateway pluto[9104]: "isa-linnet" #1: received and ignored informational message
Aug 9 09:39:05 gateway pluto[9104]: "isanet-linnet" #10: responding to Quick Mode {msgid:8166efcd}
Aug 9 09:39:05 gateway pluto[9104]: "isanet-linnet" #10: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 9 09:39:05 gateway pluto[9104]: "isanet-linnet" #10: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 9 09:39:05 gateway pluto[9104]: "isanet-linnet" #10: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 9 09:39:05 gateway pluto[9104]: "isanet-linnet" #10: STATE_QUICK_R2: IPsec SA established {ESP=>0x039818cf <0x4631f488 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Aug 9 09:41:01 gateway pluto[9104]: "isa-linnet" #1: received Delete SA(0xa7bc892d) payload: deleting IPSEC State #9
Aug 9 09:41:01 gateway pluto[9104]: "isa-linnet" #1: received and ignored informational message
Aug 9 09:41:42 gateway pluto[9104]: "isa-linnet" #11: responding to Quick Mode {msgid:191454e0}
Aug 9 09:41:42 gateway pluto[9104]: "isa-linnet" #11: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 9 09:41:42 gateway pluto[9104]: "isa-linnet" #11: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 9 09:41:42 gateway pluto[9104]: "isa-linnet" #11: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 9 09:41:42 gateway pluto[9104]: "isa-linnet" #11: STATE_QUICK_R2: IPsec SA established {ESP=>0x4f08d5d3 <0xdd83dd6b xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Aug 9 09:45:34 gateway pluto[9104]: "isanet-linnet" #12: responding to Quick Mode {msgid:f5eb54fe}
Aug 9 09:45:34 gateway pluto[9104]: "isanet-linnet" #12: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 9 09:45:34 gateway pluto[9104]: "isanet-linnet" #12: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 9 09:45:34 gateway pluto[9104]: "isanet-linnet" #12: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 9 09:45:34 gateway pluto[9104]: "isanet-linnet" #12: STATE_QUICK_R2: IPsec SA established {ESP=>0xd1c9f443 <0x3ba211c6 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Aug 9 09:47:01 gateway pluto[9104]: "isa-linnet" #1: received Delete SA(0x4f08d5d3) payload: deleting IPSEC State #11
Aug 9 09:47:01 gateway pluto[9104]: "isa-linnet" #1: received and ignored informational message
Aug 9 09:47:42 gateway pluto[9104]: "isa-linnet" #13: responding to Quick Mode {msgid:b0447807}
Aug 9 09:47:42 gateway pluto[9104]: "isa-linnet" #13: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 9 09:47:42 gateway pluto[9104]: "isa-linnet" #13: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 9 09:47:42 gateway pluto[9104]: "isa-linnet" #13: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 9 09:47:42 gateway pluto[9104]: "isa-linnet" #13: STATE_QUICK_R2: IPsec SA established {ESP=>0xad96c4d9 <0x48ebd331 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
In the openswan config:
conn isanet-linnet
        leftsubnet=192.168.29.0/24
        also=isa-linnet

conn isa-linnet
        authby=secret
        esp=3des-sha1
        ike=3des-sha1-modp1024
        leftid=x.x.x.x
        left=x.x.x.x
        rightid=y.y.y.y
        right=y.y.y.y
        rightsubnet=10.0.0.0/8
        pfs=yes
        ikelifetime=8h
        keylife=1h
        rekey=no
        keyingtries=5
        auto=add
Settings on the ISA side:
IKE Phase I Parameters:
Mode: Main mode
Encryption: 3DES
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bit)
Authentication method: Pre-shared secret (xxx)
Security Association lifetime: 28800 seconds
IKE Phase II Parameters:
Mode: ESP tunnel mode
Encryption: 3DES
Integrity: SHA1
Perfect Forward Secrecy: ON
Diffie-Hellman group: Group 2 (1024 bit)
Time rekeying: ON
Security Association lifetime: 3600 seconds
Kbyte rekeying: OFF
Nothing unusual in the ISA server logs.
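To put numbers on what the post describes, here is an added example (not code from the post, from Openswan, or from Microsoft) that correlates the quoted pluto log lines: for every "received Delete SA ... deleting IPSEC State #N" it looks up when state #N was established, computes how long that child SA actually lived, and compares that age with the keylife=1h (3600 s) from the config; it also reports how far apart consecutive SA establishments are per connection. The sample log embedded below is an excerpt of the lines shown in the post. Assumptions: syslog timestamps carry no year, so one is assumed for the arithmetic; the two SPIs pluto prints as "ESP=>0x... <0x..." are taken to be the outbound and inbound SPI in that order, and the SPI named in the Delete payload is checked against the first of them, which is what the post's own lines show for state #11.

```python
"""Measure how long each IPsec SA lived before the peer deleted it (pluto log analysis)."""
import re
from datetime import datetime

# Constructed sample: an excerpt of the pluto log lines quoted in the post.
PLUTO_LOG = """\
Aug 9 09:39:01 gateway pluto[9104]: "isa-linnet" #1: received Delete SA(0x2306d459) payload: deleting IPSEC State #8
Aug 9 09:39:01 gateway pluto[9104]: "isa-linnet" #1: received and ignored informational message
Aug 9 09:39:05 gateway pluto[9104]: "isanet-linnet" #10: responding to Quick Mode {msgid:8166efcd}
Aug 9 09:39:05 gateway pluto[9104]: "isanet-linnet" #10: STATE_QUICK_R2: IPsec SA established {ESP=>0x039818cf <0x4631f488 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Aug 9 09:41:01 gateway pluto[9104]: "isa-linnet" #1: received Delete SA(0xa7bc892d) payload: deleting IPSEC State #9
Aug 9 09:41:42 gateway pluto[9104]: "isa-linnet" #11: STATE_QUICK_R2: IPsec SA established {ESP=>0x4f08d5d3 <0xdd83dd6b xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Aug 9 09:45:34 gateway pluto[9104]: "isanet-linnet" #12: STATE_QUICK_R2: IPsec SA established {ESP=>0xd1c9f443 <0x3ba211c6 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Aug 9 09:47:01 gateway pluto[9104]: "isa-linnet" #1: received Delete SA(0x4f08d5d3) payload: deleting IPSEC State #11
Aug 9 09:47:42 gateway pluto[9104]: "isa-linnet" #13: STATE_QUICK_R2: IPsec SA established {ESP=>0xad96c4d9 <0x48ebd331 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
"""

# Generic pluto line: timestamp, host, pluto[pid], "conn" #state: message
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)
DELETE_RE = re.compile(
    r'received Delete SA\((?P<spi>0x[0-9a-f]+)\) payload: deleting IPSEC State #(?P<victim>\d+)'
)
# Assumption: pluto prints outbound SPI after "ESP=>" and inbound SPI after "<".
ESTAB_RE = re.compile(r'IPsec SA established \{ESP=>(?P<out>0x[0-9a-f]+) <(?P<inb>0x[0-9a-f]+)')


def parse_ts(text, year=1970):
    """Syslog timestamps have no year; assume one so subtraction works."""
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")


def analyse(log_text, keylife_s=3600, early_fraction=0.5):
    """Return (established, deletes).

    established: state number -> {conn, ts, out, inb}
    deletes: one record per Delete SA, with the victim's age in seconds (None
    if its establishment is not in the log) and an 'early' flag when the SA
    died before early_fraction of the configured keylife.
    """
    established = {}
    deletes = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, conn, state, msg = m['ts'], m['conn'], int(m['state']), m['msg']
        e = ESTAB_RE.search(msg)
        if e:
            established[state] = {'conn': conn, 'ts': parse_ts(ts), 'out': e['out'], 'inb': e['inb']}
            continue
        d = DELETE_RE.search(msg)
        if d:
            victim = int(d['victim'])
            rec = established.get(victim)
            age = int((parse_ts(ts) - rec['ts']).total_seconds()) if rec else None
            deletes.append({
                'victim': victim,
                'spi': d['spi'],
                # the Delete names the SPI pluto printed after ESP=> for that state
                'spi_matches': rec is not None and rec['out'] == d['spi'],
                'age_s': age,
                'early': age is not None and age < keylife_s * early_fraction,
            })
    return established, deletes


def rebuild_intervals(established):
    """Seconds between consecutive SA establishments, per connection name."""
    by_conn = {}
    for state in sorted(established):
        rec = established[state]
        by_conn.setdefault(rec['conn'], []).append(rec['ts'])
    return {conn: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for conn, ts in by_conn.items()}


if __name__ == "__main__":
    est, dels = analyse(PLUTO_LOG)
    for d in dels:
        age = "unknown (established before log excerpt)" if d['age_s'] is None else f"{d['age_s']} s"
        flag = "  <-- far below keylife" if d['early'] else ""
        print(f"state #{d['victim']} deleted by peer, SPI {d['spi']}, lived {age}{flag}")
    print("seconds between rebuilds:", rebuild_intervals(est))
```

Run against the excerpt, the script shows state #11 living only 319 s before the ISA side deleted it, against a configured keylife of 3600 s on both ends, and the two connections being rebuilt roughly every 6 minutes (360 s and 389 s in this window). Collecting these ages over a longer log, and comparing them with the 3600 s lifetime and any byte-count trigger, is the quickest way to confirm whether the deletes come from a lifetime setting or from something else on the ISA side.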