[strongSwan] IKE_SA gets deleted with no recovery after NTP update

Yong Choo yhc at alcatel-lucent.com
Tue Mar 15 22:14:55 CET 2011

Hi Martin,
We are using StrongSwan 4.3.3

I prepared the 'cscope' for the 4.3.3 source code and looked for the 

CLOCK_MONOTONIC -->  not found
pthread_cond_timedwait_monotonic  -->  not found

Q1: Are we supposed to find the usage of these in the StrongSwan code?
Q2: We took a look at the './configure' output log of StrongSwan but we do not see above patterns. What are we supposed to 'observe'?
Q3: Any directives that we can set for ./configure?

Thanks for your helping in this matter.
-Yong Choo

ps. I'm attaching the ./configure log for your reference. Perhaps you could tell us what we may have to set as a directive if it can be done.

On 3/11/2011 6:11 AM, Pisano, Stephen G (Stephen) wrote:
> Hi Martin:
> Thanks.
> Eduardo will follow-up on the monotonic time source lead you provided, but I have a question regarding your second comment.
> We thought it was possible (and we think we have it configured this way) to have strongSwan try to establish its connections forever.  I assumed this should be the case even if there is a hard rekey timeout.  Further, I assumed regardless of what happens (short of something catastrophic/fatal, like the unavailability of a critical system resource), strongSwan should always keep trying, forever.  Is this an incorrect assumption?
> Regards,
> Stephen
>> -----Original Message-----
>> From: users-bounces+pisano=alcatel-lucent.com at lists.strongswan.org
>> [mailto:users-bounces+pisano=alcatel-lucent.com at lists.strongswan.org] On
>> Behalf Of Martin Willi
>> Sent: Friday, March 11, 2011 2:57 AM
>> To: Torres, Eduardo M (Eduardo)
>> Cc: users at lists.strongswan.org
>> Subject: Re: [strongSwan] IKE_SA gets deleted with no recovery after NTP
>> update
>> Hi Eduardo,
>>> We rely on the system time to be correct.
>> Depends on how strongSwan is built. If your system provides a monotonic
>> time source and compatible pthread_condvars, we use it. This is checked
>> during ./configure, checking for
>>   pthread_condattr_setclock(&attr, CLOCK_MONOTONIC)
>> or alternatively for
>>   pthread_cond_timedwait_monotonic
>> If such condvars are available, we use always increasing never jumping
>> time source, and system time changes shouldn't affect rekeying or other
>> timed behavior.
>>> after the rekey, Strong Swan deletes the IKE_SA but does not re-try to
>>> create the IKE_SA
>> If you don't have such a condvar, large time shifts may trigger soft and
>> hard timeouts simultaneously, resulting in a hard timeout.
>> Regards
>> Martin
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ssbuild.log
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110315/6dea4134/attachment.ksh>

More information about the Users mailing list