<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi,<br>
<br>
Thank you all for responding. In my case, I don't think it was
related to having multiple child SAs per connection. Most of my
connections do, but I found at least one case with only one child
SA, where the problem was present. In any case, I followed Tom's and
Noel's advice and set <br>
<br>
auto = route<br>
dpdaction = clear<br>
<br>
and that seems to have solved the issue. Thanks again.<br>
<br>
Best regards,<br>
Martijn Grendelman<br>
<br>
<br>
<div class="moz-cite-prefix">On 8-3-2018 at 11:46, Noel
Kuntze wrote:<br>
</div>
<blockquote type="cite"
cite="mid:a7966d1f1e55ce08341989c024c698e0,46df0d5e-ef0b-83ec-9bf7-71f5563cae79@thermi.consulting">
<pre wrap="">Hi,
That's because charon doesn't reestablish tunnels in any case, like pluto did. Use auto=route, instead of auto=start.
An example of such a case is if the other peer deletes the IKE SA or CHILD SA without establishing a new one at the same time.
You can have different IKE SAs for CHILD_SAs by setting the strongswan.conf option charon.reuse_ikesa to 0.
</pre>
<blockquote type="cite">
<pre wrap=""> charon.reuse_ikesa [yes]
Initiate CHILD_SA within existing IKE_SAs (always enabled for
IKEv1).
</pre>
</blockquote>
<pre wrap="">
Kind regards
Noel
On 07.03.2018 22:20, Justin Pryzby wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Wed, Mar 07, 2018 at 10:52:54AM +0100, Martijn Grendelman wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I have been running StrongSwan on Debian Wheezy (with StrongSwan 4.5.2)
for a long time.
</pre>
</blockquote>
<pre wrap="">[...]
</pre>
<blockquote type="cite">
<pre wrap="">Last week, I upgraded the system to Debian Stretch (with StrongSwan
5.5.1), and since then, a number of tunnels (but not all of them) have
stability issues. The issue appears to be that CHILD_SA's are not
established when needed,
</pre>
</blockquote>
<pre wrap="">Maybe you know that in 5.0, IKEv1 was integrated into charon and separate pluto
daemon was retired:
<a class="moz-txt-link-freetext" href="https://www.strongswan.org/blog/2012/07/02/strongswan-5.0.0-released.html">https://www.strongswan.org/blog/2012/07/02/strongswan-5.0.0-released.html</a>
<a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1">https://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1</a>
<a class="moz-txt-link-freetext" href="https://www.strongswan.org/blog/2012/06/20/bye-bye-pluto.html">https://www.strongswan.org/blog/2012/06/20/bye-bye-pluto.html</a>
<a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/projects/strongswan/wiki/500">https://wiki.strongswan.org/projects/strongswan/wiki/500</a>
Just wondering: do all the tunnels with issues have multiple child SAs (or,
do the tunnels without issues all have only one child SA)?
I recently reported an issue here, also related to a migration/update from 4.5,
and started to suspect that multiple child SAs may be involved..
<a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/issues/2535">https://wiki.strongswan.org/issues/2535</a>
Note, I believe swanctl.conf allows configuring child SAs to use separate IKEs
- avoiding the non-configurable behavior in starter+ipsec.conf: "added child to
existing configuration". However, that doesn't work for everyone (us) due to
unique policy on remote peers.
Justin
</pre>
</blockquote>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<div id="divtagdefaultwrapper" dir="ltr">
<div id="Signature">
Kind regards,<br>
<br>
<b>Martijn Grendelman</b>, Infrastructure Architect<br>
T: +31 (0)40 264 94 44<br>
<a href="mailto:martijn.grendelman@isaac.nl">martijn.grendelman@isaac.nl</a><br>
<br>
ISAAC, Marconilaan 16, 5621 AA Eindhoven, The Netherlands<br>
T: +31 (0)40 290 89 79, <a href="https://www.isaac.nl">www.isaac.nl</a><br>
<br>
<small>This e-mail message is intended only for the addressee(s). If this message was not meant for you, you are requested to notify the sender by returning the message and not to use its contents. No rights can be derived from this message.</small>
</div>
</div>
</div>
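<br>
The configuration the thread converges on, written out as an added example (it is not from any of the messages above): the auto=start form that stopped re-establishing CHILD_SAs after the 5.x upgrade beside the auto=route / dpdaction=clear form that fixed it, plus the charon.reuse_ikesa setting Noel mentions. Connection names, addresses, subnets and the dpddelay value are made up, and closeaction is a real ipsec.conf option that the thread itself does not mention.

```ini
# Added example, not from the thread. Names, addresses and subnets are made up.

# ipsec.conf, "before": the form that stopped re-establishing tunnels
conn site-a-start
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    # auto=start brings the tunnel up once at startup; if the peer later deletes
    # the IKE_SA or CHILD_SA, charon (unlike pluto) does not re-create it by itself
    auto=start

# ipsec.conf, "after": the form that resolved the issue in the thread
conn site-a-route
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    # auto=route installs a trap policy; the CHILD_SA is negotiated on demand
    # whenever matching traffic hits the policy, including after a peer-side delete
    auto=route
    # dpdaction=clear tears down the SAs of a dead peer without re-initiating;
    # the trap policy then re-triggers negotiation as soon as traffic flows again
    dpdaction=clear
    # dpddelay value is an assumption; tune it to the peer's DPD settings
    dpddelay=30s
    # closeaction is not in the thread, but it is the ipsec.conf knob for the
    # case Noel describes: the peer deletes the CHILD_SA without replacing it
    closeaction=clear

# strongswan.conf: Noel's suggestion to give each CHILD_SA its own IKE_SA
charon {
    # default is yes; the quoted manual says this is always enabled for IKEv1
    reuse_ikesa = 0
}
```

With auto=route the policy stays installed even while no SA exists, which is why a clear after DPD failure or a peer-side delete does not leave the tunnel permanently down.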
</body>
</html>