[strongSwan] IKE_SA gets deleted with no recovery after NTP update

Andreas Steffen andreas.steffen at strongswan.org
Thu Mar 10 19:02:08 CET 2011

Hello Eduardo,

what do you expect? We rely on the system time to be correct.
Any huge resets in the actual time will of course affect the
correct functioning of the rekeying process.

Best regards


On 03/10/2011 05:13 PM, Eduardo Torres wrote:
> Hi,
> I'm seeing the following issue using Strong Swan the scenario is a
> follows (test done yesterday March 9).
> - ipsec is started using charon daemon (IKEV2) (date at this moment is
> Jan 1 1970) rekey set to yes ikelifetime and ipseclifetime set to 28800
> - Strong Swan creates the connections (date still is Jan 1 1970)
> - ran ipsec statusall the connections were created a this point.
> - few seconds passed
> - date get synced to March 9, this triggers Strong Swan to start a rekey
> - after the rekey, Strong Swan deletes the IKE_SA but does not re-try to
> create the IKE_SA
> - When running ipsec statusall command shows SA as none (never recovers)
> For this scenario I was expecting that Strong Swan  try to recover for
> this scenario.
> I just want to know if this issue is a known issue, if yes could you pls
> provide where exactly the fix was made.
> Thanks in advance
> Eduardo Torres

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

More information about the Users mailing list