[strongSwan-dev] Issues: Strongswan 5.3.3 with Kernel 2.6.32-573

Vinay G. Pullela vpullela at parallelwireless.com
Wed Sep 27 17:41:28 CEST 2017


Hi Experts,

I am using strongSwan 5.3.3 with kernel 2.6.32-573; the issues I am facing are below.
Note: we have two identical systems connected using strongSwan HA for IKE/IPsec redundancy. strongSwan does not give any errors for state and policy installation.

Problem 1: When strongSwan installs the trap for the HA tunnel, the trap is not triggered back to strongSwan by the kernel for a 5 to 15 minute interval. The interval is random but never less than 5 minutes. The heartbeat is at a 5 minute interval. Once the tunnel comes up, the HA messages flow and the ICMP packets go through the tunnel without any problems. Why are we getting the trigger only after 5 minutes?

Time Flow:
t0: Trap installed and SEGMENT_DROP is pushed.
t1 (t0+30s): HA_RESYNC is pushed.
t2 (t1+5min): Heartbeat is pushed.
t3 (t2+0s): Trap trigger received and the HA tunnel comes up.

Problem 2: When strongSwan installs the trap for the HA tunnel and the trigger is not received from the kernel, we ping the peer HA tunnel interface and the HA tunnel comes up, but the HA messages on port 4510 (HA port) are not pushed out of the system; the ipsec bytes_o are not incremented.

Time Flow:
t0: Trap installed and SEGMENT_DROP is pushed.
t1 (t0+5s): Ping to the peer HA interface; the HA tunnel comes up.
t2 (t1+25s): HA_RESYNC is pushed from strongSwan, but not out of the local interface.
t3 (t2+5/15min): HA messages start flowing.

Problem 3: When strongSwan installs the trap for the HA tunnel and the trigger is not received from the kernel, we run "ipsec stroke up ha" and the HA tunnel comes up, but the HA messages on port 4510 (HA port) are not pushed and the ICMP is also not going out of the interface.

Time Flow:
t0: Trap installed and SEGMENT_DROP is pushed.
t1 (t0+5s): Execute "ipsec stroke up ha"; the HA tunnel comes up.
t2 (t1+25s): HA_RESYNC is pushed from strongSwan, but not out of the local interface. Even ICMP messages are not going out of the interface, but netstat indicates the ICMP messages are being created and pushed out.
t3 (t2+5/15min): HA messages start flowing.

We need help to see what we can do to address these issues.

Regards,
Vinay
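The three timelines above all hinge on two observations: whether the CHILD_SA is still ROUTED (trap installed, no kernel acquire yet) and whether bytes_o on an INSTALLED CHILD_SA ever increases. The following script is an added diagnostic, not part of this post and not strongSwan's own code: it parses two snapshots of "ipsec statusall" taken some seconds apart and classifies each CHILD_SA as trap-pending, came-up, outbound-stalled or ok. The sample snapshots are constructed and only approximate the real statusall layout (the bytes_i/bytes_o fields come from the post; the rest of the format is an assumption), so the regular expressions may need adjusting against real output.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ChildSa:
    state: str                      # ROUTED, INSTALLED, REKEYING, ...
    bytes_i: Optional[int] = None   # inbound byte counter, if reported
    bytes_o: Optional[int] = None   # outbound byte counter, if reported


# Constructed sample snapshots (assumption: approximate "ipsec statusall" layout).
# T1: trap installed, no SA yet.  T2: SA up after 25s, nothing sent.
# T3: same SA later, inbound grew but outbound still zero.
SAMPLE_T1 = """\
Routed Connections:
          ha{1}:  ROUTED, TUNNEL, reqid 1
          ha{1}:   10.0.0.1/32 === 10.0.0.2/32
Security Associations (0 up, 0 connecting):
  none
"""

SAMPLE_T2 = """\
Security Associations (1 up, 0 connecting):
          ha[1]: ESTABLISHED 25 seconds ago, 10.0.0.1[10.0.0.1]...10.0.0.2[10.0.0.2]
          ha{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d5e6f7a8_o
          ha{1}:   AES_CBC_128/HMAC_SHA2_256_128, 840 bytes_i (10 pkts, 3s ago), 0 bytes_o, rekeying in 42 minutes
          ha{1}:   10.0.0.1/32 === 10.0.0.2/32
"""

SAMPLE_T3 = """\
Security Associations (1 up, 0 connecting):
          ha[1]: ESTABLISHED 55 seconds ago, 10.0.0.1[10.0.0.1]...10.0.0.2[10.0.0.2]
          ha{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d5e6f7a8_o
          ha{1}:   AES_CBC_128/HMAC_SHA2_256_128, 1680 bytes_i (20 pkts, 2s ago), 0 bytes_o, rekeying in 41 minutes
          ha{1}:   10.0.0.1/32 === 10.0.0.2/32
"""

# CHILD_SA state line: "<name>{<id>}:  <STATE>, ..."
STATE_RE = re.compile(r"^\s*(\S+\{\d+\}):\s+([A-Z]+),")
# Counter line: "<name>{<id>}:   <algs>, N bytes_i[ (...)], M bytes_o ..."
BYTES_RE = re.compile(
    r"^\s*(\S+\{\d+\}):\s+\S+,\s+(\d+) bytes_i(?: \([^)]*\))?,\s+(\d+) bytes_o")


def parse_statusall(text: str) -> Dict[str, ChildSa]:
    """Extract per-CHILD_SA state and traffic counters from statusall output."""
    sas: Dict[str, ChildSa] = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            sas[m.group(1)] = ChildSa(state=m.group(2))
            continue
        m = BYTES_RE.match(line)
        if m and m.group(1) in sas:
            sas[m.group(1)].bytes_i = int(m.group(2))
            sas[m.group(1)].bytes_o = int(m.group(3))
    return sas


def diagnose(before: Dict[str, ChildSa], after: Dict[str, ChildSa]) -> Dict[str, str]:
    """Compare two snapshots and label each CHILD_SA seen in the first one."""
    verdicts: Dict[str, str] = {}
    for name, b in before.items():
        a = after.get(name)
        if a is None:
            verdicts[name] = "gone"
        elif b.state == "ROUTED" and a.state == "ROUTED":
            # Trap still in place: the kernel has not sent an acquire yet.
            verdicts[name] = "trap-pending"
        elif b.state == "ROUTED" and a.state == "INSTALLED":
            verdicts[name] = "came-up"
        elif b.state == "INSTALLED" and a.state == "INSTALLED":
            # SA is up in both samples: outbound traffic must have moved the counter.
            if a.bytes_o is not None and b.bytes_o is not None and a.bytes_o > b.bytes_o:
                verdicts[name] = "ok"
            else:
                verdicts[name] = "outbound-stalled"
        else:
            verdicts[name] = f"{b.state}->{a.state}"
    return verdicts


if __name__ == "__main__":
    # Replace the constructed samples with two real snapshots taken ~30s apart.
    print(diagnose(parse_statusall(SAMPLE_T1), parse_statusall(SAMPLE_T2)))
    print(diagnose(parse_statusall(SAMPLE_T2), parse_statusall(SAMPLE_T3)))
```

Run against real snapshots, a persistent "trap-pending" verdict points at the kernel side (the acquire is never delivered for the trap policy), while "outbound-stalled" on an INSTALLED SA with growing bytes_i points at the local outbound path, which matches the second and third timelines where HA_RESYNC is generated but never leaves the interface.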

