[strongSwan] strongswan seems to go mad after some time

Christoph Anton Mitterer calestyo at scientia.net
Tue Oct 5 19:44:24 CEST 2010


Few seconds after sending this off, I found unfortunately out that the
same might still happen:


1) I have my two hosts now, one with auto=start the other with auto=add,
both with reauth=no

Now when I do ipsec stop on the host with auto=start, the other host
doesn't close the connection.
Guess that's because of the dpdaction = restart, isn't it?

Now when I next ipsec start it again, I get two connections beeing
established, the old one be the second host. A new one by the other.

What's the best way to circumvent this?
Simply using dpdaction = restart on the host with auto=start and
dpdaction=clear on that one with auto=add?
Will it then still try to always set up the connection if possible?

What would the hold state do?


2) What I've described in (1) isn't the explosion of connections that
I've described with reauth = yes originally.
But just before I had the case that I did what described in (1),... and
that many-connections-per-second explosion....

So there still seems to be some bigger problem here :(



Cheers,
Chris.

btw: Just for clarity (with ipsec statusall):
kronecker.scientia.net[1]: ESTABLISHED 1 second ago, 84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networkin
kronecker.scientia.net[1]: IKE SPIs: 8fd61f78e14dbff5_i* 9c7dd1ee8149b312_r, rekeying in 2 hours
kronecker.scientia.net[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
If only get this,... then just the IKE authentication took place...

kronecker.scientia.net{1}:  INSTALLED, TUNNEL, ESP SPIs: cdf47f7e_i c54e0c78_o
kronecker.scientia.net{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
kronecker.scientia.net{1}:   84.16.235.61/32 === 77.37.6.134/32
Only if it also says INSTALL, something.... then I really have a connection, right?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5677 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20101005/08180c22/attachment.bin>


More information about the Users mailing list