[strongSwan] IKE_SA gets deleted with no recovery after NTP update

Yong Choo yhc at alcatel-lucent.com
Tue Mar 15 22:27:43 CET 2011


The log file is too big ;(

I'm zipping the file.

On 3/15/2011 5:14 PM, Yong Choo wrote:
> Hi Martin,
> We are using StrongSwan 4.3.3
>
> I prepared the 'cscope' for the 4.3.3 source code and looked for the 
> following:
>
> CLOCK_MONOTONIC -->  not found
> pthread_cond_timedwait_monotonic  -->  not found
>
> Q1: Are we supposed to find the usage of these in the StrongSwan code?
> Q2: We took a look at the './configure' output log of StrongSwan but 
> we do not see the above patterns. What are we supposed to 'observe'?
> Q3: Any directives that we can set for ./configure?
>
> Thanks for your help in this matter.
> -Yong Choo
>
> ps. I'm attaching the ./configure log for your reference. Perhaps you 
> could tell us what we may have to set as a directive if it can be done.
>
>
>
>
> On 3/11/2011 6:11 AM, Pisano, Stephen G (Stephen) wrote:
>> Hi Martin:
>>
>> Thanks.
>>
>> Eduardo will follow-up on the monotonic time source lead you 
>> provided, but I have a question regarding your second comment.
>>
>> We thought it was possible (and we think we have it configured this 
>> way) to have strongSwan try to establish its connections forever.  I 
>> assumed this should be the case even if there is a hard rekey 
>> timeout.  Further, I assumed regardless of what happens (short of 
>> something catastrophic/fatal, like the unavailability of a critical 
>> system resource), strongSwan should always keep trying, forever.  Is 
>> this an incorrect assumption?
>>
>> Regards,
>> Stephen
>>
>>
>>
>>> -----Original Message-----
>>> From: users-bounces+pisano=alcatel-lucent.com at lists.strongswan.org
>>> [mailto:users-bounces+pisano=alcatel-lucent.com at lists.strongswan.org] On Behalf Of Martin Willi
>>> Sent: Friday, March 11, 2011 2:57 AM
>>> To: Torres, Eduardo M (Eduardo)
>>> Cc: users at lists.strongswan.org
>>> Subject: Re: [strongSwan] IKE_SA gets deleted with no recovery after NTP update
>>>
>>> Hi Eduardo,
>>>
>>>> We rely on the system time to be correct.
>>> Depends on how strongSwan is built. If your system provides a monotonic
>>> time source and compatible pthread_condvars, we use it. This is checked
>>> during ./configure, checking for
>>>   pthread_condattr_setclock(&attr, CLOCK_MONOTONIC)
>>> or alternatively for
>>>   pthread_cond_timedwait_monotonic
>>>
>>> If such condvars are available, we use an always increasing, never jumping
>>> time source, and system time changes shouldn't affect rekeying or other
>>> timed behavior.
>>>
>>>> after the rekey, Strong Swan deletes the IKE_SA but does not re-try to
>>>> create the IKE_SA
>>> If you don't have such a condvar, large time shifts may trigger soft and
>>> hard timeouts simultaneously, resulting in a hard timeout.
>>>
>>> Regards
>>> Martin
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssbuild.log.zip
Type: application/x-zip-compressed
Size: 27698 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110315/b5ae657e/attachment.bin>
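
The capability Martin describes ./configure checking for can be probed directly on the target system. The following is an added example, not part of the original thread and not strongSwan's own code: it tests whether a condition variable can be bound to CLOCK_MONOTONIC and runs a timed wait against that clock. The function names are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical helper: returns 1 if a condvar can use CLOCK_MONOTONIC, else 0. */
int monotonic_condvar_supported(void) {
    pthread_condattr_t attr;
    if (pthread_condattr_init(&attr) != 0) return 0;
    int ok = pthread_condattr_setclock(&attr, CLOCK_MONOTONIC) == 0;
    pthread_condattr_destroy(&attr);
    return ok;
}

/* Hypothetical helper: waits timeout_ms on a condvar nobody signals. The deadline
 * comes from CLOCK_MONOTONIC, so stepping the wall clock (NTP) cannot expire it
 * early. Returns the wait result (ETIMEDOUT expected) and the elapsed time. */
int monotonic_timed_wait(long timeout_ms, long *elapsed_ms) {
    pthread_condattr_t attr;
    pthread_cond_t cond;
    pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
    struct timespec start, deadline, end;
    int rc = pthread_condattr_init(&attr);
    if (rc != 0) return rc;
    rc = pthread_condattr_setclock(&attr, CLOCK_MONOTONIC);
    if (rc == 0) rc = pthread_cond_init(&cond, &attr);
    pthread_condattr_destroy(&attr);
    if (rc != 0) return rc; /* no monotonic condvar on this system */
    clock_gettime(CLOCK_MONOTONIC, &start);
    deadline.tv_sec = start.tv_sec + timeout_ms / 1000;
    deadline.tv_nsec = start.tv_nsec + (timeout_ms % 1000) * 1000000L;
    if (deadline.tv_nsec >= 1000000000L) { deadline.tv_sec++; deadline.tv_nsec -= 1000000000L; }
    pthread_mutex_lock(&mutex);
    while (rc == 0) /* retry after spurious wakeups */
        rc = pthread_cond_timedwait(&cond, &mutex, &deadline);
    pthread_mutex_unlock(&mutex);
    clock_gettime(CLOCK_MONOTONIC, &end);
    *elapsed_ms = (end.tv_sec - start.tv_sec) * 1000 + (end.tv_nsec - start.tv_nsec) / 1000000;
    pthread_cond_destroy(&cond);
    return rc;
}

int main(void) {
    long ms = 0;
    int rc = monotonic_timed_wait(200, &ms);
    printf("monotonic condvar: %s, wait rc=%d (ETIMEDOUT=%d), elapsed=%ld ms\n",
           monotonic_condvar_supported() ? "yes" : "no", rc, ETIMEDOUT, ms);
    return 0;
}
```

Build with `-pthread`. A "no" result means timed waits on that system follow the wall clock, which is the case Martin associates with soft and hard timeouts firing together after a large time shift.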

