[strongSwan] IKE_SA gets deleted with no recovery after NTP update
martin at strongswan.org
Wed Mar 16 09:50:34 CET 2011
> I don't know what you mean when you say, "And this does not make a lot
> of sense, as it shouldn't happen in a properly configured setup.".
If you have a proper rekey configuration and use a monotonic time
source, the soft lifetime will rekey the SA and the hard lifetime is
> The behavior we want is for strongSwan to keep trying to establish all
> of its configured tunnels, even if we don't have monotonic clock
> support, and an NTP sync causes the IKE_SA to be deleted.
I'd update to a more recent version with monotonic time source support.
> If this behavior is possible, can you provide guidance on what the
> configuration should be to yield this behavior? Note, we only have
> control over our end of the tunnel. The remote end is not necessarily
> a strongSwan implementation.
Have enough time between the soft and hard lifetime, see  for
details. Setting dpdaction=restart will recreate the tunnel if the
remote end closes it.
> If this behavior is not possible, then we need some way to detect that
> this particular scenario has occurred, for example, through up/down
> script or whatever means, so that we can take some recovery action.
> Can you let us know how we could possible detect that this scenario
> has occurred (i.e., that the IKE SA has been deleted and strongSwan
> will not try to restart it)?
I don't think the NTP scenario is really a problem with monotonic time
sources. But there might be (?) other corner cases, there is no 100%
guarantee the tunnel keeps up. You may either add a trap policy to
reestablish the tunnel automatically, add an additional monitoring
functionality to reestablish the tunnel when required, or find and fix
potential corner cases where a tunnel might not get reestablished.
More information about the Users