[strongSwan] Charon hangs after failing to delete Rekeyed IPsec SAs

Tobias Brunner tobias at strongswan.org
Tue Apr 10 12:27:24 CEST 2012


Hi Anand,

> conn toevm2-psk
> 	...
> 	auto=route

The problem is the combination of auto=route and reauth=yes (which is
the default).  With reauth=yes the IKE_SA is not rekeyed but
reauthenticated.  This means that the IKE_SA is first deleted and then
reestablished.  During this (albeit short) downtime there is no IPsec SA
installed in the Linux kernel.  That is, the policy that is installed
with auto=route has now no IPsec SA associated with it, so any matching
traffic will trigger another acquire from the kernel.  This makes charon
queue a CREATE_CHILD_SA exchange which it handles after the IKE_SA is
reestablished - together with all previously established CHILD_SAs.  So
you eventually end up with an additional CHILD_SA for each acquire that
fires during a reauthentication phase.

To fix this simply set reauth=no which causes charon to do a regular
rekey of the IKE_SA without deleting it and the installed IPsec SAs first.

Regards,
Tobias
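As an added check (not part of Tobias's reply), a small shell snippet that counts INSTALLED CHILD_SAs per connection in `ipsec statusall` output, so the extra CHILD_SAs that pile up with auto=route and reauth=yes can be spotted before switching to reauth=no; the sample output and the exact line format it matches are constructed assumptions modelled on charon's "Security Associations" listing.

```shell
#!/bin/sh
# Added example, not code from the original mail or from strongSwan itself.
# Counts INSTALLED CHILD_SAs per conn name in `ipsec statusall` output. With
# auto=route + reauth=yes, acquires fired during reauthentication leave one
# extra CHILD_SA each; the fix in the mail is reauth=no.

# Constructed sample of `ipsec statusall` output (assumed format: the CHILD_SA
# line reads "<conn>{<id>}:  INSTALLED, ..."; adjust if your version differs).
SAMPLE_STATUSALL='Security Associations (1 up, 0 connecting):
  toevm2-psk[3]: ESTABLISHED 5 seconds ago, 10.0.0.1[10.0.0.1]...10.0.0.2[10.0.0.2]
  toevm2-psk{1}:  INSTALLED, TUNNEL, ESP SPIs: c1a2b3c4_i d4e5f6a7_o
  toevm2-psk{1}:   192.168.1.0/24 === 192.168.2.0/24
  toevm2-psk{2}:  INSTALLED, TUNNEL, ESP SPIs: 11223344_i 55667788_o
  toevm2-psk{2}:   192.168.1.0/24 === 192.168.2.0/24
  toevm2-psk{3}:  INSTALLED, TUNNEL, ESP SPIs: aabbccdd_i eeff0011_o
  toevm2-psk{3}:   192.168.1.0/24 === 192.168.2.0/24'

# count_child_sas NAME  (reads statusall output on stdin)
# Prints the number of INSTALLED CHILD_SAs belonging to conn NAME.
# NAME is used literally inside a regex, so keep it free of regex metacharacters.
count_child_sas() {
    name="$1"
    grep -c "^ *${name}{[0-9]*}: *INSTALLED" || true
}

# check_duplicates NAME  (reads statusall output on stdin)
# Prints the count and returns non-zero when more than one CHILD_SA is
# installed for NAME, i.e. the symptom described in the mail.
check_duplicates() {
    n=$(count_child_sas "$1")
    echo "$1: $n INSTALLED CHILD_SA(s)"
    [ "$n" -le 1 ]
}

# Stand-alone run against the constructed sample; on a live system use:
#   ipsec statusall | check_duplicates toevm2-psk
printf '%s\n' "$SAMPLE_STATUSALL" | check_duplicates toevm2-psk \
    || echo "duplicate CHILD_SAs found: check auto=route together with reauth= in ipsec.conf"
```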
