[strongSwan] Sporadic tunnel issues

Tobias Brunner tobias at strongswan.org
Thu Apr 26 10:35:31 CEST 2012


Hi Steve,

> I'm having trouble figuring out what I have configured wrong in my
> tunnel config. I am running a transport tunnel between two endpoints,
> X and Y. I've noticed that sometimes the tunnels get confused, and I
> wind up with two SAs for the same connection.

Yes, that can happen if you have set auto=route on both sides.  If you
lose connectivity and DPD kicks in the current SA is deleted
(dpdaction=clear) and if you then have traffic from both sides (roughly
at the same time) they will both initiate a new SA (due to auto=route),
so you could end up with two.  Depending on the timing, the uniqueids
feature will ensure that one of them gets closed but there are cases
where that check is not sufficient (it is not fully atomic, so if the
SAs are established concurrently it does not detect them as duplicates).

But as you've seen, the two SAs are not really a problem as each peer
will just use one of them to send traffic and the other to receive it.

If you are bothered by this you could use auto=start, dpdaction=restart
and keyingtries=%forever on one side and auto=add on the other.  This
would result in the SA being up pretty much constantly but to avoid
unprotected traffic leaving the two hosts during an occasional down time
you could add firewall rules that would prevent traffic unless an SA is
established (similar to what was just recommended by Hans-Kristian in a
different thread).

Regards,
Tobias
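The asymmetric setup Tobias suggests, spelled out as an ipsec.conf fragment for a two-host transport-mode connection. This is an added example, not configuration from the original thread or from the strongSwan project; the host addresses (192.0.2.1 for X, 198.51.100.1 for Y), the conn name, PSK authentication (with the secret in ipsec.secrets) and the cipher proposals are assumptions:

```ini
# /etc/ipsec.conf on host X: the only side that ever initiates.
# (Addresses, conn name and proposals are assumed for this example.)
config setup
    uniqueids=yes           # default; closes a duplicate IKE_SA for the
                            # same peer when it can detect one

conn x-to-y
    type=transport
    keyexchange=ikev2
    authby=secret           # PSK for brevity; see ipsec.secrets
    left=192.0.2.1          # this host
    right=198.51.100.1      # peer
    ike=aes256-sha256-modp2048!
    esp=aes256gcm16!
    dpddelay=30s
    dpdaction=restart       # on DPD timeout: re-initiate instead of just clearing
    keyingtries=%forever    # keep retrying until the peer is reachable again
    auto=start              # bring the SA up at startup and keep it up

# /etc/ipsec.conf on host Y: loaded but never initiated from this side,
# so a simultaneous re-initiation from both ends (and the duplicate SA
# it can leave behind) cannot happen.
config setup
    uniqueids=yes

conn x-to-y
    type=transport
    keyexchange=ikev2
    authby=secret
    left=198.51.100.1       # this host
    right=192.0.2.1         # peer
    ike=aes256-sha256-modp2048!
    esp=aes256gcm16!
    dpddelay=30s
    dpdaction=clear         # drop a dead SA and wait for X to re-establish it
    auto=add                # respond only; no auto=route trap trigger here
```

With auto=start on X there is no trap policy on either side, so during the short window between a DPD timeout and the re-established SA, plaintext to the peer is not blocked by the kernel and needs the host firewall Tobias mentions. On Linux the usual pattern is iptables' policy match: first ACCEPT what the tunnel itself needs (udp/500 and udp/4500 for IKE, and `-p esp`), then `iptables -A OUTPUT -d 198.51.100.1 -m policy --dir out --pol ipsec --proto esp --mode transport -j ACCEPT`, then `iptables -A OUTPUT -d 198.51.100.1 -j DROP`, mirrored on INPUT with `-s 198.51.100.1` and `--dir in`. Order matters: the policy-match rule must come before the DROP, and the IKE/ESP rules before both, or the SA can never come back up.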
