[strongSwan] IKE_SA gets deleted with no recovery after NTP update
Martin Willi
martin at strongswan.org
Fri Mar 11 08:56:39 CET 2011
Hi Eduardo,
> We rely on the system time to be correct.
Depends on how strongSwan is built. If your system provides a monotonic
time source and compatible pthread_condvars, we use it. This is checked
during ./configure, checking for
  pthread_condattr_setclock(&attr, CLOCK_MONOTONIC)
or alternatively for
  pthread_cond_timedwait_monotonic
If such condvars are available, we use an always increasing, never jumping
time source, and system time changes shouldn't affect rekeying or other
timed behavior.
> after the rekey, Strong Swan deletes the IKE_SA but does not re-try to
> create the IKE_SA
If you don't have such a condvar, large time shifts may trigger soft and
hard timeouts simultaneously, resulting in a hard timeout.
Regards
Martin
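
The behaviour described in this message, as an added example that is not part of the original post and not strongSwan code: a condvar bound to CLOCK_MONOTONIC times out by elapsed time whatever happens to the wall clock, and due_event() is a hypothetical model of why a large wall-clock jump makes the soft (rekey) and hard (delete) deadlines pass at once. The function names and lifetime values are assumptions.

```c
/* Added example (not strongSwan code); names and values are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <time.h>

enum sa_event { SA_NONE, SA_REKEY, SA_DELETE };

/* Model of soft/hard lifetimes checked against a clock reading `now`.
 * If a clock jump carries `now` past both deadlines, only the hard one fires. */
enum sa_event due_event(time_t now, time_t soft, time_t hard)
{
    if (now >= hard) return SA_DELETE;   /* hard timeout wins, no rekey */
    if (now >= soft) return SA_REKEY;
    return SA_NONE;
}

/* Wait `ms` milliseconds on a condvar whose deadline is measured on
 * CLOCK_MONOTONIC. Returns the pthread_cond_timedwait() result (ETIMEDOUT,
 * since nothing signals) and stores elapsed monotonic ms in *elapsed_ms. */
int monotonic_wait_ms(long ms, long *elapsed_ms)
{
    pthread_condattr_t attr;
    pthread_cond_t cond;
    pthread_mutex_t mtx = PTHREAD_MUTEX_INITIALIZER;
    struct timespec start, end, dl;
    int rc;

    pthread_condattr_init(&attr);
    rc = pthread_condattr_setclock(&attr, CLOCK_MONOTONIC);
    if (rc != 0) { pthread_condattr_destroy(&attr); return rc; }
    pthread_cond_init(&cond, &attr);
    pthread_condattr_destroy(&attr);
    clock_gettime(CLOCK_MONOTONIC, &start);
    dl = start;                           /* absolute monotonic deadline */
    dl.tv_sec += ms / 1000;
    dl.tv_nsec += (ms % 1000) * 1000000L;
    if (dl.tv_nsec >= 1000000000L) { dl.tv_sec++; dl.tv_nsec -= 1000000000L; }
    pthread_mutex_lock(&mtx);
    do rc = pthread_cond_timedwait(&cond, &mtx, &dl); while (rc == 0);
    pthread_mutex_unlock(&mtx);           /* rc == 0 was a spurious wakeup */
    clock_gettime(CLOCK_MONOTONIC, &end);
    pthread_cond_destroy(&cond);
    *elapsed_ms = (end.tv_sec - start.tv_sec) * 1000
                + (end.tv_nsec - start.tv_nsec) / 1000000;
    return rc;
}
```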