[strongSwan] Charon hangs after failing to delete Rekeyed IPsec SAs

anand rao anandrao_me at yahoo.co.in
Tue Apr 10 15:02:29 CEST 2012

Hi Tobias,

   Thanks a lot. I have tested with your suggestion and it worked great. Now SAs are deleted properly.
This is a great solution which should be documented and should be part of Strongswan wiki. This will be usefull for those who
use auto=route option with small ike life time.


----- Original Message -----
From: Tobias Brunner <tobias at strongswan.org>
To: anand rao <anandrao_me at yahoo.co.in>
Cc: gowrishankar <gowrishankar.m at linux.vnet.ibm.com>; "users at lists.strongswan.org" <users at lists.strongswan.org>
Sent: Tuesday, April 10, 2012 3:57 PM
Subject: Re: [strongSwan] Charon hangs after failing to delete Rekeyed IPsec SAs

Hi Anand,

> conn toevm2-psk
>     ...
>     auto=route

The problem is the combination of auto=route and reauth=yes (which is
the default).  With reauth=yes the IKE_SA is not rekeyed but
reauthenticated.  This means that the IKE_SA is first deleted and then
reestablished.  During this (albeit short) downtime there is no IPsec SA
installed in the Linux kernel.  That is, the policy that is installed
with auto=route has now no IPsec SA associated with it, so any matching
traffic will trigger another acquire from the kernel.  This makes charon
queue a CREATE_CHILD_SA exchange which it handles after the IKE_SA is
reestablished - together with all previously established CHILD_SAs.  So
you eventually end up with an additional CHILD_SA for each acquire that
fires during a reauthentication phase.

To fix this simply set reauth=no which causes charon to do a regular
rekey of the IKE_SA without deleting it and the installed IPsec SAs first.


More information about the Users mailing list