[strongSwan] IKE_SA gets deleted with no recovery after NTP update
yhc at alcatel-lucent.com
Tue Mar 15 22:27:43 CET 2011
The log file is too big ;(
I'm zipping the file.
On 3/15/2011 5:14 PM, Yong Choo wrote:
> Hi Martin,
> We are using StrongSwan 4.3.3
> I prepared the 'cscope' for the 4.3.3 source code and looked for the
> CLOCK_MONOTONIC --> not found
> pthread_cond_timedwait_monotonic --> not found
> Q1: Are we supposed to find the usage of these in the StrongSwan code?
> Q2: We took a look at the './configure' output log of StrongSwan but
> we do not see above patterns. What are we supposed to 'observe'?
> Q3: Any directives that we can set for ./configure?
> Thanks for your help in this matter.
> -Yong Choo
> ps. I'm attaching the ./configure log for your reference. Perhaps you
> could tell us what we may have to set as a directive if it can be done.
> On 3/11/2011 6:11 AM, Pisano, Stephen G (Stephen) wrote:
>> Hi Martin:
>> Eduardo will follow-up on the monotonic time source lead you
>> provided, but I have a question regarding your second comment.
>> We thought it was possible (and we think we have it configured this
>> way) to have strongSwan try to establish its connections forever. I
>> assumed this should be the case even if there is a hard rekey
>> timeout. Further, I assumed regardless of what happens (short of
>> something catastrophic/fatal, like the unavailability of a critical
>> system resource), strongSwan should always keep trying, forever. Is
>> this an incorrect assumption?
>>> -----Original Message-----
>>> From: users-bounces+pisano=alcatel-lucent.com at lists.strongswan.org
>>> [mailto:users-bounces+pisano=alcatel-lucent.com at lists.strongswan.org] On
>>> Behalf Of Martin Willi
>>> Sent: Friday, March 11, 2011 2:57 AM
>>> To: Torres, Eduardo M (Eduardo)
>>> Cc: users at lists.strongswan.org
>>> Subject: Re: [strongSwan] IKE_SA gets deleted with no recovery after
>>> Hi Eduardo,
>>>> We rely on the system time to be correct.
>>> Depends on how strongSwan is built. If your system provides a monotonic
>>> time source and compatible pthread_condvars, we use it. This is checked
>>> during ./configure, checking for
>>> pthread_condattr_setclock(&attr, CLOCK_MONOTONIC)
>>> or alternatively for
>>> If such condvars are available, we use always increasing never jumping
>>> time source, and system time changes shouldn't affect rekeying or other
>>> timed behavior.
>>>> after the rekey, Strong Swan deletes the IKE_SA but does not re-try to
>>>> create the IKE_SA
>>> If you don't have such a condvar, large time shifts may trigger soft and
>>> hard timeouts simultaneously, resulting in a hard timeout.
>>> Users mailing list
>>> Users at lists.strongswan.org
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 27698 bytes
Desc: not available
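Added example (not part of the thread and not strongSwan source): a stand-alone C probe for the condvar capability Martin describes, followed by a timed wait whose deadline is taken from the clock the condvar is bound to. The function names are hypothetical; it assumes a POSIX system and building with `cc -pthread`.

```c
/* Added example, not strongSwan code; function names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <time.h>

/* Bind a new condvar to `clock` (what configure probes for); 0 on success. */
int condvar_init_clock(pthread_cond_t *cond, clockid_t clock)
{
    pthread_condattr_t attr;
    int rc = pthread_condattr_init(&attr);
    if (rc != 0)
        return rc;
    rc = pthread_condattr_setclock(&attr, clock);
    if (rc == 0)
        rc = pthread_cond_init(cond, &attr);
    pthread_condattr_destroy(&attr);
    return rc;
}

/* Wait timeout_ms on a never-signalled condvar with its deadline on `clock`.
 * Returns elapsed ms measured on CLOCK_MONOTONIC, or -1 on error. */
long timed_wait_ms(clockid_t clock, long timeout_ms)
{
    static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
    pthread_cond_t cond;
    struct timespec start, end, deadline;
    int rc = 0;
    if (condvar_init_clock(&cond, clock) != 0)
        return -1;
    clock_gettime(CLOCK_MONOTONIC, &start);
    clock_gettime(clock, &deadline);  /* deadline on the condvar's own clock */
    deadline.tv_nsec += (timeout_ms % 1000) * 1000000L;
    deadline.tv_sec += timeout_ms / 1000 + deadline.tv_nsec / 1000000000L;
    deadline.tv_nsec %= 1000000000L;
    pthread_mutex_lock(&mutex);
    while (rc == 0)                   /* 0 means spurious wakeup: wait again */
        rc = pthread_cond_timedwait(&cond, &mutex, &deadline);
    pthread_mutex_unlock(&mutex);
    clock_gettime(CLOCK_MONOTONIC, &end);
    pthread_cond_destroy(&cond);
    long ms = (end.tv_sec - start.tv_sec) * 1000L + (end.tv_nsec - start.tv_nsec) / 1000000L;
    return rc == ETIMEDOUT ? ms : -1;
}

int main(void)
{
    printf("CLOCK_MONOTONIC wait: %ld ms\n", timed_wait_ms(CLOCK_MONOTONIC, 200));
}
```

With `CLOCK_REALTIME` the deadline passed to `pthread_cond_timedwait` is an absolute wall-clock value, so a step of the system clock moves it relative to "now"; with `CLOCK_MONOTONIC` it does not.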