[strongSwan] charon hanging

刘立鑫 lixin_liu at netentsec.com
Mon Jul 9 11:45:49 CEST 2012


 

Hi,

    I have a question I would like to ask. I configured a lot of nodes with
IKEv2; most of the nodes are established, and some nodes are connecting or not
connected. I have a shell script to detect the IPsec tunnel connection status.
If a node is not established, I execute ipsec up tunnelname. My script is
executed once every two minutes. After half a day, when I run ipsec statusall,
it appears as:

bash-3.2# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.0):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 120.197.249.35:4500
000 interface eth0/eth0 120.197.249.35:500
000 interface eth1/eth1 10.0.2.253:4500
000 interface eth1/eth1 10.0.2.253:500
000 interface tun0:1341804414/tun0:1341804414 10.0.2.129:4500
000 interface tun0:1341804414/tun0:1341804414 10.0.2.129:500
000 interface tun0:1341804415/tun0:1341804415 10.10.10.1:4500
000 interface tun0:1341804415/tun0:1341804415 10.10.10.1:500
000 %myid = '%any'
000 loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl hmac attr kernel-pfkey kernel-netlink resolve
000 debug options: none
000
000 "asg-ar2831": 10.0.0.0/16===120.197.249.35[120.197.249.35]---120.197.249.33...221.179.41.22[221.179.41.22]===10.8.0.0/16; erouted; eroute owner: #12
000 "asg-ar2831":   ike_life: 86400s; ipsec_life: 86400s; rekey_margin: 30s; rekey_fuzz: 50%; keyingtries: 3
000 "asg-ar2831":   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 30s;
000 "asg-ar2831":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 16,16; interface: eth0;
000 "asg-ar2831":   newest ISAKMP SA: #1; newest IPsec SA: #12;
000 "asg-ar2831":   IKE proposal: 3DES_CBC/HMAC_MD5/MODP_1024
000 "asg-ar2831":   ESP proposal: 3DES_CBC/HMAC_MD5/<N/A>
000
000 #12: "asg-ar2831" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 86276s; newest IPSEC; eroute owner
000 #12: "asg-ar2831" esp.bcc00f12 at 221.179.41.22 (0 bytes) esp.caf7ca84 at 120.197.249.35 (0 bytes); tunnel
000 #1: "asg-ar2831" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85072s; newest ISAKMP; DPD active
000

 

ipsec statusall will die. All of the tunnels will disconnect.

I want to know what causes it, thank you!

 

 


www.netentsec.com

400-678-3600

Name: 刘立鑫

Department: Engineering - ASG Group

Email: lixin_liu at netentsec.com

Switchboard: +86 10 6267 0909-6934

Fax: +86 10 6267 0958

3rd Floor, Great Wall Building, 66 Zhongguancun East Road, Haidian District, Beijing 100190

 

 
