[strongSwan] IKE_SA gets deleted with no recovery after NTP update

Martin Willi martin at strongswan.org
Fri Mar 11 12:28:30 CET 2011


> Further, I assumed regardless of what happens (short of
> something catastrophic/fatal, like the unavailability of a critical
> system resource), strongSwan should always keep trying, forever.  Is
> this an incorrect assumption?

Depending on your configuration, it should in most cases keep the tunnel
up. What you have seen here, though, is a special case: the IKE_SA
rekeying could not refresh the tunnel in time before the hard lifetime
of the SA is reached. And as we really want to enforce the lifetime
limit, the tunnel gets closed. DPD does not trigger, as the peer
actually responds.

A responder could enforce tunnel re-establishment using a close-action
(configured as dpd_action in ipsec.conf). The initiator of the delete
currently does not enforce the close action for tunnels it deletes. And
this does not make a lot of sense, as it shouldn't happen in a properly
configured setup.

Regards
Martin
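The failure Martin describes is a rekeying that does not finish before the hard lifetime. The following is an added example, not part of this reply and not strongSwan's own code: it models the documented ipsec.conf rekeying semantics (rekeying starts at `lifetime - margintime - random(0, margintime * rekeyfuzz / 100)`) and flags `conn` settings whose rekey window is too small. The `parse_time`, `Lifetimes`, `rekey_window`, `rekey_slack` and `check` names, the `min_slack` threshold and the two sample `conn` dictionaries are my own assumptions; the close-action behaviour discussed above is not modelled.

```python
"""Check whether ipsec.conf lifetime settings leave enough room for an
IKE_SA or CHILD_SA to rekey before its hard lifetime expires.

Added example, not strongSwan code. It models the documented ipsec.conf
semantics: rekeying begins at
    lifetime - margintime - random(0, margintime * rekeyfuzz / 100)
so the latest possible rekey start is lifetime - margintime, and the
exchange must complete within 'margintime' seconds or the SA is deleted
when the hard lifetime is reached."""

from dataclasses import dataclass

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_time(value):
    """Parse an ipsec.conf time value such as '1h', '9m', '30s' or '600'
    (a bare number is seconds) into seconds."""
    value = value.strip()
    if value and value[-1] in _UNITS:
        return int(value[:-1]) * _UNITS[value[-1]]
    return int(value)


@dataclass(frozen=True)
class Lifetimes:
    lifetime: int    # hard lifetime in seconds ('lifetime' or 'ikelifetime')
    margintime: int  # seconds before expiry at which rekeying starts
    rekeyfuzz: int   # percent by which margintime may be randomly increased

    @classmethod
    def from_conf(cls, conf):
        """Build from a dict of ipsec.conf conn keys (values as strings).
        Missing keys fall back to the strongSwan defaults."""
        return cls(
            lifetime=parse_time(conf.get("lifetime", "1h")),
            margintime=parse_time(conf.get("margintime", "9m")),
            rekeyfuzz=int(conf.get("rekeyfuzz", "100%").rstrip("%")),
        )


def rekey_window(lt):
    """Return (earliest, latest) second of the SA's life at which the
    rekeying attempt may begin."""
    latest = lt.lifetime - lt.margintime
    earliest = latest - lt.margintime * lt.rekeyfuzz // 100
    return earliest, latest


def rekey_slack(lt):
    """Worst-case number of seconds the rekey exchange has to complete
    before the hard lifetime deletes the SA."""
    return lt.lifetime - rekey_window(lt)[1]


def check(lt, min_slack=60):
    """Return a list of problems; an empty list means the settings look
    sane. min_slack is an assumed minimum the operator accepts for the
    whole rekey exchange, retransmits included."""
    problems = []
    earliest, _latest = rekey_window(lt)
    if earliest <= 0:
        problems.append("margintime*(1+rekeyfuzz) reaches or exceeds lifetime: "
                        "rekeying would have to start before the SA exists")
    if rekey_slack(lt) < min_slack:
        problems.append(f"only {rekey_slack(lt)}s between latest rekey start "
                        f"and hard expiry (want >= {min_slack}s)")
    return problems


# Constructed sample conn sections: the strongSwan defaults, and a tight
# configuration whose rekey window collapses.
DEFAULTS = {"lifetime": "1h", "margintime": "9m", "rekeyfuzz": "100%"}
TIGHT = {"lifetime": "10m", "margintime": "9m", "rekeyfuzz": "100%"}

if __name__ == "__main__":
    for name, conf in (("defaults", DEFAULTS), ("tight", TIGHT)):
        lt = Lifetimes.from_conf(conf)
        print(name, rekey_window(lt), rekey_slack(lt), check(lt) or "ok")
```

With the defaults the rekey starts somewhere between 42 and 51 minutes into a one-hour SA, leaving at least nine minutes for the exchange; the `TIGHT` settings are rejected because the fuzzed margin is larger than the lifetime itself.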