[strongSwan] Processor not able to process jobs
vivek bairathi
bairathi.vivek at gmail.com
Fri May 14 16:12:02 CEST 2010
Hi,
My configuration creates 3 IKE SAs and 6 IPsec SAs. Configuration file
attached.
Now when I change the ESP encryption algorithm for IpSecMPlane, I fire
the following commands in the order given below:
1. ipsec down IpSecMPlane
2. Write the new esp encryption algorithm for IpSecMPlane in ipsec.conf.
3. ipsec update
4. ipsec up IpSecMPlane
When I executed the above steps more than three times, after the third time
the stack is not able to bring down the IpSecMPlane SA.
After debugging the problem I found the following things:
1. The control comes to the listen_ function of bus.c, where it queues the job
into the processor and waits on the wait command.
2. I think the processor is not able to process this queued job.
What could be the reason for this?
Here's the ipsec.conf file I was using:

config setup
	cachecrls=no
	charonstart=yes
	plutostart=no
	strictcrlpolicy=no
	uniqueids=no

ca AllPlanes
	cacert=/tmp/RootCert3801_7349bbdb.pem
	auto=add

conn IpSecMPlane
	ikelifetime=24h
	keyexchange=ikev2
	keyingtries=%forever
	keylife=90m
	reauth=no
	rekey=yes
	mobike=no
	dpddelay=0
	rekeymargin=4m
	ike=aes128-sha1-modp1024,3des-sha1-modp1024!
	esp=3des-sha1-modp1024,aes128-sha1-modp1024!
	authby=rsasig
	left=20.20.20.21
	leftsubnet=15.15.15.2/32
	right=10.10.10.2
	rightsubnet=14.14.14.2/32
	leftprotoport=sctp/9901
	rightprotoport=sctp/9901
	leftcert=/tmp/BTScert.pem
	rightid=%any
	auto=add

conn IpSecSSEPlane
	ikelifetime=24h
	keyexchange=ikev2
	keyingtries=%forever
	keylife=90m
	reauth=no
	rekey=yes
	mobike=no
	dpddelay=0
	rekeymargin=4m
	ike=aes128-sha1-modp1024,3des-sha1-modp1024!
	esp=aes128-sha1-modp1024,3des-sha1-modp1024!
	authby=rsasig
	left=22.22.22.23
	leftsubnet=15.15.15.5/32
	right=12.12.12.2
	rightsubnet=0.0.0.0/32
	leftcert=/tmp/BTScert.pem
	rightid=%any
	auto=add

conn IpSecCPlane
	ikelifetime=24h
	keyexchange=ikev2
	keyingtries=%forever
	keylife=90m
	reauth=no
	rekey=yes
	mobike=no
	dpddelay=0
	rekeymargin=4m
	ike=aes128-sha1-modp1024,3des-sha1-modp1024!
	esp=null-sha1-modp1024!
	authby=rsasig
	left=21.21.21.22
	leftsubnet=16.16.16.2/32
	right=11.11.11.2
	rightsubnet=16.16.16.3/32,16.16.16.4/32
	leftprotoport=sctp
	rightprotoport=sctp
	leftcert=/tmp/BTScert.pem
	rightid=%any
	auto=add

conn IpSecUPSPlane
	ikelifetime=24h
	keyexchange=ikev2
	keyingtries=%forever
	keylife=90m
	reauth=no
	rekey=yes
	mobike=no
	dpddelay=0
	rekeymargin=4m
	ike=aes128-sha1-modp1024,3des-sha1-modp1024!
	esp=null-sha1-modp1024!
	authby=rsasig
	left=21.21.21.22
	leftsubnet=16.16.16.2/32
	right=11.11.11.2
	rightsubnet=17.17.17.3/32
	leftprotoport=udp/49156
	rightprotoport=udp/49156
	leftcert=/tmp/BTScert.pem
	rightid=%any
	auto=add

conn IpSecUCSPlane
	ikelifetime=24h
	keyexchange=ikev2
	keyingtries=%forever
	keylife=90m
	reauth=no
	rekey=yes
	mobike=no
	dpddelay=0
	rekeymargin=4m
	ike=aes128-sha1-modp1024,3des-sha1-modp1024!
	esp=aes128-sha1-modp1024,3des-sha1-modp1024!
	authby=rsasig
	left=21.21.21.22
	leftsubnet=16.16.16.2/32
	right=11.11.11.2
	rightsubnet=17.17.17.3/32
	leftprotoport=udp/49154
	rightprotoport=udp/49154
	leftcert=/tmp/BTScert.pem
	rightid=%any
	auto=add

conn IpSecToPPlane
	ikelifetime=24h
	keyexchange=ikev2
	keyingtries=%forever
	keylife=90m
	reauth=no
	rekey=yes
	mobike=no
	dpddelay=0
	rekeymargin=4m
	ike=aes128-sha1-modp1024,3des-sha1-modp1024!
	esp=null-sha1-modp1024!
	authby=rsasig
	left=21.21.21.22
	leftsubnet=16.16.16.2/32
	right=11.11.11.2
	rightsubnet=17.17.17.5/32
	leftprotoport=udp
	rightprotoport=udp
	leftcert=/tmp/BTScert.pem
	rightid=%any
	auto=add

Thanks in advance.
Regards,
Vivek
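
The four-step reconfiguration cycle described in the message above can be repeated under a per-step timeout so that a stalled `ipsec down` is reported instead of blocking the shell. This is an added example, not part of the original post or of strongSwan; the function names, the 30-second limit, the use of coreutils `timeout`, and the config path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: repeat the down / edit / update / up cycle, flag a stalled step.
IPSEC=${IPSEC:-ipsec}             # assumption: strongSwan's ipsec script on PATH
STEP_TIMEOUT=${STEP_TIMEOUT:-30}  # assumption: seconds before a step counts as hung

# Rewrite the esp= line of one conn section only (hypothetical helper).
# Fails if the named conn has no esp= line.
set_conn_esp() {  # usage: set_conn_esp <conf> <conn> <esp-proposal>
    tmp=$(mktemp) || return 1
    awk -v conn="$2" -v esp="$3" '
        /^(conn|ca|config)[ \t]/ { in_conn = ($1 == "conn" && $2 == conn) }
        in_conn && /^[ \t]*esp=/ { sub(/esp=.*/, "esp=" esp); changed = 1 }
        { print }
        END { exit(changed ? 0 : 1) }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Run one ipsec command under coreutils timeout; fail only if it timed out (124).
run_step() {
    # $IPSEC is unquoted on purpose so it may carry a prefix such as "sudo ipsec".
    timeout "$STEP_TIMEOUT" $IPSEC "$@"
    [ $? -ne 124 ]
}

# One pass of the four steps from the post. Returns 0, or the number (1-4)
# of the step that stalled (step 2: the edit itself failed).
cycle_conn() {  # usage: cycle_conn <conf> <conn> <esp-proposal>
    run_step down "$2"          || return 1
    set_conn_esp "$1" "$2" "$3" || return 2
    run_step update             || return 3
    run_step up "$2"            || return 4
}

# Alternate between the two ESP proposal orders that appear in the posted config.
repro() {  # usage: repro <conf> <conn> <passes>
    a='3des-sha1-modp1024,aes128-sha1-modp1024!'
    b='aes128-sha1-modp1024,3des-sha1-modp1024!'
    i=1
    while [ "$i" -le "$3" ]; do
        if [ $((i % 2)) -eq 1 ]; then esp=$b; else esp=$a; fi
        cycle_conn "$1" "$2" "$esp" || { echo "pass $i: step $? stalled" >&2; return 1; }
        i=$((i + 1))
    done
}
# Example: repro /path/to/ipsec.conf IpSecMPlane 5
```

The pass and step number printed on failure show where in the sequence the daemon stopped answering, which is the point at which to collect the charon log.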