[strongSwan] IKE_SA gets deleted with no recovery after NTP update

Martin Willi martin at strongswan.org
Fri Mar 11 08:56:39 CET 2011

Hi Eduardo,

> We rely on the system time to be correct.

Depends on how strongSwan is built. If your system provides a monotonic
time source and compatible pthread_condvars, we use it. This is checked
during ./configure, checking for
  pthread_condattr_setclock(&attr, CLOCK_MONOTONIC)
or alternatively for 

If such condvars are available, we use always increasing never jumping
time source, and system time changes shouldn't affect rekeying or other
timed behavior.

> after the rekey, Strong Swan deletes the IKE_SA but does not re-try to
> create the IKE_SA

If you don't have such a condvar, large time shifts may trigger soft and
hard timeouts simultaneously, resulting in a hard timeout.


More information about the Users mailing list