[strongSwan-dev] Connections deleted and no DPD

James Hulka jah at open.ch
Mon Aug 5 11:42:55 CEST 2013 

As further information it appears that both peers initiate an IKE_SA
simultaneously right before the the established and deleting messages
appear:

Aug  1 14:00:06 charon: 04[IKE] initiating Main Mode IKE_SA
A_eth0[94459] to B.B.B.B
Aug  1 14:00:06 charon: 15[IKE] B.B.B.B is initiating a Main Mode IKE_SA

Here we are using auto=start on both hosts (as previously discussed, we
are still reviewing the effects of moving setups to auto=route).

I am wondering if the mechanism for cleaning up colliding IKE_SA
creation in strongswan is preventing further attempts to establish the
tunnel because of the simultaneous deletes?

What is really puzzling here is not that the there is a collision or
that the deletes happen but that no further attempts to create the
tunnel are made (by either side).

thanks for any help you can offer,

James

On 08/05/2013 09:39 AM, James Hulka wrote:
> Hello Strongswan team,
> 
> I have encountered the following situation which I do not understand:
> 
> site2site VPN between 2 hosts on 2 separate lines
> 
> host A eth0 <-- --> host B eth0
> host A eth2 <-- --> host B eth2
> 
> normally both Tunnels are up and functioning however on the 1st of
> August the eth0 Tunnel went down and did not come back up. In syslog on
> both hosts I see the following:
> 
> Aug  1 14:00:07 charon: 09[IKE] IKE_SA A_eth0[94464] established between
> A.A.A.A [A.A.A.A] ... B.B.B.B [B.B.B.B]
> Aug  1 14:00:07 charon: 12[IKE] deleting IKE_SA A_eth0[94464] between
> A.A.A.A [A.A.A.A]... B.B.B.B [B.B.B.B]
> Aug  1 14:00:07 charon: 12[IKE] IKE_SA A_eth0[94459] established between
> A.A.A.A [A.A.A.A]... B.B.B.B [B.B.B.B]
> Aug  1 14:00:08 charon: 16[IKE] deleting IKE_SA A_eth0[94459] between
> A.A.A.A [A.A.A.A]... B.B.B.B [B.B.B.B]
> 
> After this point DPD never kicks in (syslog has no entries for this
> Tunnel), I assume this is because strongswan thinks the tunnel was
> removed on purpose. The tunnel remained down until it was added again by
> hand.
> 
> I am curious as to any ideas why the tunnel was removed and not
> re-initiated.
> 
> Thank you for any help,
> 
> James
>

More information about the Dev mailing list