[strongSwan] IKE_SA gets deleted with no recovery after NTP update

Yong Choo yhc at alcatel-lucent.com
Tue Mar 15 22:14:55 CET 2011


Hi Martin,
We are using StrongSwan 4.3.3

I prepared the 'cscope' for the 4.3.3 source code and looked for the 
following:

CLOCK_MONOTONIC -->  not found
pthread_cond_timedwait_monotonic  -->  not found

Q1: Are we supposed to find the usage of these in the StrongSwan code?
Q2: We took a look at the './configure' output log of StrongSwan but we do not see the above patterns. What are we supposed to 'observe'?
Q3: Any directives that we can set for ./configure?

Thanks for your help in this matter.
-Yong Choo

ps. I'm attaching the ./configure log for your reference. Perhaps you could tell us what we may have to set as a directive if it can be done.




On 3/11/2011 6:11 AM, Pisano, Stephen G (Stephen) wrote:
> Hi Martin:
>
> Thanks.
>
> Eduardo will follow-up on the monotonic time source lead you provided, but I have a question regarding your second comment.
>
> We thought it was possible (and we think we have it configured this way) to have strongSwan try to establish its connections forever.  I assumed this should be the case even if there is a hard rekey timeout.  Further, I assumed regardless of what happens (short of something catastrophic/fatal, like the unavailability of a critical system resource), strongSwan should always keep trying, forever.  Is this an incorrect assumption?
>
> Regards,
> Stephen
>
>
>
>> -----Original Message-----
>> From: users-bounces+pisano=alcatel-lucent.com at lists.strongswan.org
>> [mailto:users-bounces+pisano=alcatel-lucent.com at lists.strongswan.org] On
>> Behalf Of Martin Willi
>> Sent: Friday, March 11, 2011 2:57 AM
>> To: Torres, Eduardo M (Eduardo)
>> Cc: users at lists.strongswan.org
>> Subject: Re: [strongSwan] IKE_SA gets deleted with no recovery after NTP
>> update
>>
>> Hi Eduardo,
>>
>>> We rely on the system time to be correct.
>> Depends on how strongSwan is built. If your system provides a monotonic
>> time source and compatible pthread_condvars, we use it. This is checked
>> during ./configure, checking for
>>   pthread_condattr_setclock(&attr, CLOCK_MONOTONIC)
>> or alternatively for
>>   pthread_cond_timedwait_monotonic
>>
>> If such condvars are available, we use an always increasing, never jumping
>> time source, and system time changes shouldn't affect rekeying or other
>> timed behavior.
>>
>>> after the rekey, Strong Swan deletes the IKE_SA but does not re-try to
>>> create the IKE_SA
>> If you don't have such a condvar, large time shifts may trigger soft and
>> hard timeouts simultaneously, resulting in a hard timeout.
>>
>> Regards
>> Martin
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ssbuild.log
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110315/6dea4134/attachment.ksh>
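
A small probe for the condition Martin describes, added here as an example that is not part of the original thread and is not strongSwan's own configure test: it calls `pthread_condattr_setclock(&attr, CLOCK_MONOTONIC)` and then runs a timed wait against the monotonic clock. The function name `monotonic_timedwait_ms` and its return codes are assumptions of this example; on older glibc, link with `-lpthread -lrt`.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <time.h>

/* Wait timeout_ms on a condvar nobody signals, deadline on CLOCK_MONOTONIC.
 * Returns elapsed monotonic ms, -1 if unsupported, -2 if the wait failed. */
long monotonic_timedwait_ms(long timeout_ms)
{
    pthread_condattr_t attr;
    pthread_cond_t cond;
    pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
    struct timespec start, deadline, end;
    int rc;
    if (pthread_condattr_init(&attr) != 0)
        return -1;
    /* The call named in the thread: nonzero if condvars cannot use this clock. */
    rc = pthread_condattr_setclock(&attr, CLOCK_MONOTONIC);
    if (rc == 0)
        rc = pthread_cond_init(&cond, &attr);
    pthread_condattr_destroy(&attr);
    if (rc != 0)
        return -1;
    clock_gettime(CLOCK_MONOTONIC, &start);
    deadline.tv_sec = start.tv_sec + timeout_ms / 1000;
    deadline.tv_nsec = start.tv_nsec + (timeout_ms % 1000) * 1000000L;
    if (deadline.tv_nsec >= 1000000000L) {
        deadline.tv_sec++;
        deadline.tv_nsec -= 1000000000L;
    }
    pthread_mutex_lock(&mutex);
    do {    /* rc == 0 is a spurious wakeup: keep waiting for the deadline */
        rc = pthread_cond_timedwait(&cond, &mutex, &deadline);
    } while (rc == 0);
    pthread_mutex_unlock(&mutex);
    clock_gettime(CLOCK_MONOTONIC, &end);
    pthread_cond_destroy(&cond);
    if (rc != ETIMEDOUT)
        return -2;
    return (end.tv_sec - start.tv_sec) * 1000L + (end.tv_nsec - start.tv_nsec) / 1000000L;
}

int main(void)
{
    long ms = monotonic_timedwait_ms(200);
    printf("monotonic condvar wait: %ld ms (negative = unavailable)\n", ms);
    return ms < 0;
}
```

Because the deadline is taken from `CLOCK_MONOTONIC`, stepping the wall clock (for example with an NTP update) while the program waits does not shorten or lengthen the wait.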

