[strongSwan] IKE_SA gets deleted with no recovery after NTP update

Martin Willi martin at strongswan.org
Wed Mar 16 09:50:34 CET 2011

> I don't know what you mean when you say, "And this does not make a lot
> of sense, as it shouldn't happen in a properly configured setup.".

If you have a proper rekey configuration and use a monotonic time
source, the soft lifetime will rekey the SA and the hard lifetime is
never reached.

> The behavior we want is for strongSwan to keep trying to establish all
> of its configured tunnels, even if we don't have monotonic clock
> support, and an NTP sync causes the IKE_SA to be deleted.  

I'd update to a more recent version with monotonic time source support.

> If this behavior is possible, can you provide guidance on what the
> configuration should be to yield this behavior?  Note, we only have
> control over our end of the tunnel.  The remote end is not necessarily
> a strongSwan implementation.

Have enough time between the soft and hard lifetime, see [1] for
details. Setting dpdaction=restart will recreate the tunnel if the
remote end closes it.

> If this behavior is not possible, then we need some way to detect that
> this particular scenario has occurred, for example, through up/down
> script or whatever means, so that we can take some recovery action. 
> Can you let us know how we could possible detect that this scenario
> has occurred (i.e., that the IKE SA has been deleted and strongSwan
> will not try to restart it)?

I don't think the NTP scenario is really a problem with monotonic time
sources. But there might be (?) other corner cases, there is no 100%
guarantee the tunnel keeps up. You may either add a trap policy to
reestablish the tunnel automatically, add an additional monitoring
functionality to reestablish the tunnel when required, or find and fix
potential corner cases where a tunnel might not get reestablished.



More information about the Users mailing list