[strongSwan] IKE_SA gets deleted with no recovery after NTP update

Pisano, Stephen G (Stephen) Stephen.Pisano at alcatel-lucent.com
Wed Mar 16 13:41:10 CET 2011


Hi Martin:

Thanks.

It seems like we don't have the version with the monotonic time (4.3.3 vs. 4.3.5).  Do you recall if it is a small change (i.e., easy for us to patch into 4.3.3)?

>If you have a proper rekey configuration and use a monotonic time
>source, the soft lifetime will rekey the SA and the hard lifetime is
>never reached.

The particular scenario we saw was Linux booting with a ~1970 date, so the NTP resync is ~40 years.  I am assuming this cannot be dealt with by ensuring enough margin between soft and hard lifetimes (i.e., both essentially expire at the same time).  (This is of course assuming no monotonic clock support.)

>I don't think the NTP scenario is really a problem with monotonic time
>sources. But there might be (?) other corner cases, there is no 100%
>guarantee the tunnel keeps up. You may either add a trap policy to
>reestablish the tunnel automatically, add an additional monitoring
>functionality to reestablish the tunnel when required, or find and fix
>potential corner cases where a tunnel might not get reestablished.

I understand your point.

When you say "add a trap policy", I don't know what you are referring to.  We currently use up/down scripts to get notifications from the daemon.

Can you provide a reference to any documentation on the "trap" capability?

Thanks,
Stephen
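The "trap policy" Martin refers to is what strongSwan installs for a connection configured with auto=route in ipsec.conf: the kernel IPsec policy is installed without an SA, and the first outbound packet that matches it makes charon negotiate (or re-negotiate) the tunnel. The following ipsec.conf is an added illustration written for this thread, not configuration from the original mail or from the strongSwan project; the addresses, subnets, connection name and lifetime values are assumptions, and every keyword should be checked against the ipsec.conf(5) man page shipped with the release actually in use (4.3.3 here).

```ini
# Added example for this thread, not from the original post or the
# strongSwan project. Assumed: left host 192.0.2.1 with subnet 10.1.0.0/16,
# right host 198.51.100.1 with subnet 10.2.0.0/16, PSK authentication,
# connection name "site-to-site". Verify keywords against ipsec.conf(5)
# for the installed release.
config setup
        # IKEv2 via charon only (4.x still ships pluto for IKEv1)
        plutostart=no

conn %default
        keyexchange=ikev2
        # Soft rekey well ahead of the hard limit: with a monotonic clock the
        # SA is replaced at (lifetime - margintime) and the hard lifetime is
        # never reached. Keep margintime clearly smaller than lifetime.
        ikelifetime=4h
        lifetime=1h
        margintime=15m
        rekeyfuzz=100%
        # Never give up on (re)establishing the tunnel
        keyingtries=%forever
        # Dead peer detection: re-initiate instead of just clearing the SA
        dpdaction=restart
        dpddelay=30s

conn site-to-site
        left=192.0.2.1
        leftsubnet=10.1.0.0/16
        right=198.51.100.1
        rightsubnet=10.2.0.0/16
        authby=secret
        # Trap policy: install the kernel policy with no SA behind it. The
        # kernel raises an acquire on the first matching outbound packet and
        # charon negotiates the tunnel, so an SA that was deleted (e.g. after
        # a lifetime expiry triggered by a clock jump) is rebuilt on demand
        # without an up/down script having to call "ipsec up".
        auto=route
```

A caveat worth keeping in mind: a trap policy only reacts to outbound traffic that matches it. If the protected hosts are silent for a while, nothing is re-negotiated until they send something, so a trap policy covers the "SA vanished" case but does not replace dead peer detection or an external monitor for the "peer is unreachable" case; the dpdaction=restart setting above is there for the latter. Compared with auto=start, which only initiates once at startup (and again via dpdaction or, in later releases, closeaction), auto=route is the setting that keeps re-establishing the tunnel whenever it is missing and traffic wants it.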
