[strongSwan] charon fail to add policies after recovering from crash

Simon Chan simon.chan3 at yahoo.ca
Sat Aug 13 01:58:02 CEST 2011


Greetings,

I am a newbie in IPsec. My situation is that charon would crash from time to time and the tunnels would stay down until manual intervention (either "ipsec restart" or "ipsec reload"). What I want to do is to make a change in the code to simulate the "ipsec restart/reload" effect. I would appreciate it if someone could point me to the source file and what function to call, passing what parameters etc.

The settings on my VPN gateway:
- strongSwan 4.5.1
- Ubuntu 11.04 server 64-bit
- two IKEv1 tunnels
- eight IKEv2 tunnels

This crash has happened 4 times in the last 2 months. This last time I had loglevel cranked up waiting for it. The captured log is identical to the one in this thread:

http://www.mail-archive.com/users@lists.strongswan.org/msg02447.html

Thus the recovery problem can be reproduced easily with "kill -11".

Overview of the crash-recovery sequence:
1. Thread 5 received signal 11 and charon killed itself.
2. starter started charon again.
3. xx[CFG] received stroke: route 'conn_x' which failed with "unable to add policy". Then xx[CFG] installing trap failed
4. Step 3 above repeated for each connection with same fate.

Following the above sequence, all my IKEv2 connections would stay down. Either "ipsec restart" or "ipsec reload" would revive the v2 connections.

Right after the "unable to add policy" there's log about "deleting policy". I am hopeful that if I add code to call add policy again after the delete then the policies may be added successfully.

But then at the beginning of "ipsec reload" I saw these log entries:
xx[CFG] received stroke: delete connection 'site_XY'.
Maybe it is the delete connection that cleans things up?


The actual log pertaining to the crash follows.
-----------------------------------------------------------------
Aug 11 04:24:35 central charon: 06[KNL] creating rekey job for ESP CHILD_SA with SPI cbe46239 and reqid {458}
Aug 11 04:24:49 central charon: 05[DMN] thread 5 received 11
Aug 11 04:24:49 central charon: 05[DMN] killing ourself, received critical signal
Aug 11 04:24:54 central charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.1)
. . .
- startup stuff such as listening on interfaces, loading certs, secrets, plugins etc.
. . .
Aug 11 04:24:54 central charon: 00[JOB] spawning 16 worker threads
Aug 11 04:24:54 central charon: 06[CFG] received stroke: add connection 'site_07'
Aug 11 04:24:54 central charon: 06[KNL] getting interface name for y7.y7.y7.y7
Aug 11 04:24:54 central charon: 06[KNL] y7.y7.y7.y7 is not a local address
Aug 11 04:24:54 central charon: 06[KNL] getting interface name for x5.x5.x5.x5
Aug 11 04:24:54 central charon: 06[KNL] x5.x5.x5.x5 is on interface eth1
Aug 11 04:24:54 central charon: 06[CFG] added configuration 'site_07'
Aug 11 04:24:54 central charon: 12[CFG] received stroke: route 'site_07'
Aug 11 04:24:54 central charon: 12[KNL] adding policy 192.168.5.0/24 === 192.168.7.0/24 out
Aug 11 04:24:54 central charon: 12[KNL] unable to add policy 192.168.5.0/24 === 192.168.7.0/24 out
Aug 11 04:24:54 central charon: 12[KNL] adding policy 192.168.7.0/24 === 192.168.5.0/24 in
Aug 11 04:24:54 central charon: 12[KNL] unable to add policy 192.168.7.0/24 === 192.168.5.0/24 in
Aug 11 04:24:54 central charon: 12[KNL] adding policy 192.168.7.0/24 === 192.168.5.0/24 fwd
Aug 11 04:24:54 central charon: 12[KNL] unable to add policy 192.168.7.0/24 === 192.168.5.0/24 fwd
Aug 11 04:24:54 central charon: 12[KNL] deleting policy 192.168.5.0/24 === 192.168.7.0/24 out
Aug 11 04:24:54 central charon: 12[KNL] deleting policy 192.168.7.0/24 === 192.168.5.0/24 in
Aug 11 04:24:54 central charon: 12[KNL] deleting policy 192.168.7.0/24 === 192.168.5.0/24 fwd
Aug 11 04:24:54 central charon: 12[CFG] installing trap failed

Aug 11 04:24:54 central charon: 13[CFG] received stroke: add connection 'site_08'
. . .
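The sequence Simon describes (critical-signal exit, daemon start, then "installing trap failed" for each routed connection) can be picked out of the charon log mechanically instead of being noticed once the tunnels have been down for a while. The following is an added example, not code from the post or from strongSwan: a Python parser run over constructed log lines modelled on the excerpt above, with a third connection (site_09) added that routes without error. It assumes that all messages belonging to one stroke are logged by the same worker thread (the NN in "NN[CFG]") and that a route stroke with no failure line succeeded; the post confirms neither.

```python
# Added example: detect "crash, restart, installing trap failed" in charon logs.
# Not strongSwan code. Assumes one stroke's messages share a worker-thread id and
# that a route stroke with no failure line succeeded (both unconfirmed by the post).
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
ROUTE_RE = re.compile(r"received stroke: route '(?P<conn>[^']+)'")
NOPOLICY_RE = re.compile(r"unable to add policy (?P<policy>.+)")

# Constructed sample based on the excerpt in the post; not a real capture.
SAMPLE_LOG = """\
Aug 11 04:24:35 central charon: 06[KNL] creating rekey job for ESP CHILD_SA with SPI cbe46239 and reqid {458}
Aug 11 04:24:49 central charon: 05[DMN] thread 5 received 11
Aug 11 04:24:49 central charon: 05[DMN] killing ourself, received critical signal
Aug 11 04:24:54 central charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.1)
Aug 11 04:24:54 central charon: 00[JOB] spawning 16 worker threads
Aug 11 04:24:54 central charon: 06[CFG] received stroke: add connection 'site_07'
Aug 11 04:24:54 central charon: 06[CFG] added configuration 'site_07'
Aug 11 04:24:54 central charon: 12[CFG] received stroke: route 'site_07'
Aug 11 04:24:54 central charon: 12[KNL] adding policy 192.168.5.0/24 === 192.168.7.0/24 out
Aug 11 04:24:54 central charon: 12[KNL] unable to add policy 192.168.5.0/24 === 192.168.7.0/24 out
Aug 11 04:24:54 central charon: 12[KNL] deleting policy 192.168.5.0/24 === 192.168.7.0/24 out
Aug 11 04:24:54 central charon: 12[CFG] installing trap failed
Aug 11 04:24:54 central charon: 13[CFG] received stroke: add connection 'site_08'
Aug 11 04:24:54 central charon: 14[CFG] received stroke: route 'site_08'
Aug 11 04:24:54 central charon: 14[KNL] adding policy 192.168.5.0/24 === 192.168.8.0/24 out
Aug 11 04:24:54 central charon: 14[KNL] unable to add policy 192.168.5.0/24 === 192.168.8.0/24 out
Aug 11 04:24:54 central charon: 14[CFG] installing trap failed
Aug 11 04:24:54 central charon: 15[CFG] received stroke: route 'site_09'
Aug 11 04:24:54 central charon: 15[KNL] adding policy 192.168.5.0/24 === 192.168.9.0/24 out
"""


@dataclass
class Report:
    crashes: list = field(default_factory=list)          # timestamps of the critical-signal exit
    restarts: list = field(default_factory=list)         # timestamps of "Starting IKEv2 charon daemon"
    policy_failures: list = field(default_factory=list)  # (conn, policy) per "unable to add policy"
    failed_routes: list = field(default_factory=list)    # (ts, conn, after_crash) per "installing trap failed"
    routed_ok: list = field(default_factory=list)        # conns whose route stroke produced no failure line


def analyse(log_text):
    rep = Report()
    pending = {}         # thread id -> connection whose route stroke that thread is handling
    crashed = False      # critical-signal exit seen, no daemon start yet
    after_crash = False  # the running daemon instance was started right after a crash
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, thread, msg = m["ts"], m["thread"], m["msg"]
        if "received critical signal" in msg:
            rep.crashes.append(ts)
            crashed = True
        elif msg.startswith("Starting IKEv2 charon daemon"):
            rep.restarts.append(ts)
            after_crash, crashed = crashed, False
            pending.clear()  # a fresh process; forget strokes of the dead one
            continue
        if msg.startswith("received stroke:"):
            # A thread taking a new stroke has finished its previous one; a route
            # that produced no failure line is counted as routed (assumption).
            done = pending.pop(thread, None)
            if done is not None:
                rep.routed_ok.append(done)
            r = ROUTE_RE.search(msg)
            if r:
                pending[thread] = r["conn"]
            continue
        if thread not in pending:
            continue
        p = NOPOLICY_RE.search(msg)
        if p:
            rep.policy_failures.append((pending[thread], p["policy"]))
        elif msg == "installing trap failed":
            rep.failed_routes.append((ts, pending.pop(thread), after_crash))
    rep.routed_ok.extend(pending.values())  # routes still open at end of log, no failure seen
    return rep


def stuck_after_crash(rep):
    """Connections whose trap install failed in a daemon instance started right after
    a crash: the ones the post says stay down until ipsec restart/reload."""
    return sorted({conn for _, conn, after_crash in rep.failed_routes if after_crash})


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("crashes:", report.crashes, "restarts:", report.restarts)
    print("policy failures:", report.policy_failures)
    print("stuck after crash:", stuck_after_crash(report))
```

Fed the daemon's real log instead of the constructed sample, `stuck_after_crash` gives the list of connections that would need attention, or a trigger for a watchdog to perform the "ipsec reload" step the post describes by hand. A trap failure in a normally started daemon is recorded in `failed_routes` but not flagged, so the two cases can be told apart.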