[strongSwan] Site-To-Site becomes unreasonable slow within 12h of running
Kim Zeitler
kim.zeitler at konzept-is.de
Tue Jun 21 14:52:26 CEST 2011
Hello,
as our company has expanded lately we introduced strongSwan to our
infrastructure to allow both Windows7 Roadwarriors and Site-to-Site
connections.
The RW Setup works like a charm and gives us no trouble at all. But our
Site-to-Site setup shows some strange behaviour.
This 'strange' behaviour is as follows:
I get 3 tunnels, all initiated by 'moon', within 2 minutes from first to
last, and the connection is fine so far. Letting this setup run for some
time (~12h) the reqid is within the thousands and the connection
becomes very slow.
Stopping and restarting any side removes this behaviour.
I am pretty sure the problem is due to some misconfiguration on my side.
A breakdown of our configuration is attached.
Thanks in advance for any help you can offer.
Cheers,
Kim
The 2 sites 'moon' and 'sun' use following configuration:
'sun':
Our main gateway, to whom the RW connect.
Directly connected to the internet.
Using certs for authentication.
Version: Linux strongSwan U4.2.8/K2.6.27.7-9-pae
ipsec.conf:

config setup
        crlcheckinterval=600
        strictcrlpolicy=no
        cachecrls=yes
        charonstart=yes
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        left=<IP>
        leftfirewall=yes

conn moon
        keyingtries=3
        leftsubnet=172.16.0.0/16
        leftcert=sun.konzept-is.deCert.pem
        leftid=@sun.konzept-is.de
        lefthostaccess=yes
        right=<IP>
        rightid="C=DE, O=Konzept Informationssysteme GmbH, CN=moon.konzept-is.de"
        rightsubnet=172.17.0.0/16
        dpdaction=restart
        dpddelay=90s
        auto=start
'moon':
Our remote site gateway, NO roadwarriors
Connected to the internet via Router, outgoing are NATed, incoming port
forwarding on UDP 500 and 4500, as well as ESP in general.
Using certs for authentication.
Version: Linux strongSwan U4.5.0/K2.6.37.6-0.5
ipsec.conf:

config setup
        crlcheckinterval=600
        strictcrlpolicy=no
        cachecrls=yes
        charonstart=yes
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=3
        keyexchange=ikev2
        mobike=no

conn sun
        left=%defaultroute
        leftcert=moonCert.pem
        leftsubnet=172.17.0.0/16
        leftfirewall=yes
        lefthostaccess=yes
        right=<IP>
        rightid=@sun.konzept-is.de
        rightsubnet=172.16.0.0/16
        dpdaction=restart
        dpddelay=90s
        auto=start
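A first step when reviewing a thread like this is to put the two ends of the tunnel side by side. The following is an added example (not code from the post or from the strongSwan project): it parses shortened, constructed copies of the two ipsec.conf fragments above, applies conn %default inheritance the way strongSwan does, and lists every setting that differs between 'sun' and 'moon' or fails to mirror (leftsubnet on one end against rightsubnet on the other).

```python
import re
# Constructed, shortened copies of the two configs from the post
# (conn sections only; <IP> placeholders omitted).
SUN = """conn %default
  ikelifetime=60m
  keyingtries=1
  keyexchange=ikev2
conn moon
  keyingtries=3
  leftsubnet=172.16.0.0/16
  rightsubnet=172.17.0.0/16
  dpdaction=restart
  auto=start
"""
MOON = """conn %default
  ikelifetime=60m
  keyingtries=3
  keyexchange=ikev2
  mobike=no
conn sun
  leftsubnet=172.17.0.0/16
  rightsubnet=172.16.0.0/16
  dpdaction=restart
  auto=start
"""

def parse_conns(text):
    """Return {conn: {key: value}}; 'conn %default' values are inherited
    by every other conn, the way strongSwan applies them."""
    conns, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and line[:1].isspace() and "=" in line:
            k, v = line.strip().split("=", 1)
            cur[k.strip()] = v.strip()
    default = conns.pop("%default", {})
    return {n: {**default, **kv} for n, kv in conns.items()}

# Keys that should agree on both ends, plus left/right pairs that must mirror.
SHARED = ("ikelifetime", "keyexchange", "keyingtries", "dpdaction", "auto", "mobike")
MIRROR = (("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet"))

def compare(a, b):
    """Return (key, value_in_a, value_in_b) for every setting that differs."""
    checks = [(k, k) for k in SHARED] + list(MIRROR)
    return [(ka + "/" + kb if ka != kb else ka, a.get(ka), b.get(kb))
            for ka, kb in checks if a.get(ka) != b.get(kb)]
```

On the fragments above the only difference reported is mobike (unset on 'sun', no on 'moon'); keyingtries comes out equal on both ends once the %default value on 'moon' is inherited.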