[strongSwan] Charon hangs after failing to delete Rekeyed IPsec SAs

anand rao anandrao_me at yahoo.co.in
Tue Mar 20 09:25:34 CET 2012

Hi Tobias,

  Thanks for the reply and suggestion.

  I have changed the tunnel config as below

conn %default

But still the problem persists. I can still see lot of redundant SAs when issued "ipsec statusall".

On my environment there is no support for kernel-netlink interface for IPsec, 

I have to use kernel-pfkey interface only as I have my hooks registered in PFKEY to XFRM for IPsec.

I have tried latest versions of strongswan (4.5.1 and 4.5.3) both resulted in kernel panic after running for a while.
I think there is not much support for kernel-pfkey plugin in latest strtongswan versions, and since latest versions
require kernel-netlink plugin to function properly migrating to newer versions might be not helpful in my case.

Kindly suggest me what can be the solution for this issue.


----- Original Message -----
From: Tobias Brunner <tobias at strongswan.org>
To: anand rao <anandrao_me at yahoo.co.in>
Cc: "users at lists.strongswan.org" <users at lists.strongswan.org>
Sent: Monday, March 19, 2012 9:17 PM
Subject: Re: [strongSwan] Charon hangs after failing to delete Rekeyed IPsec SAs

Hi Anand,

> conn %default
>     ikelifetime=10m
>     keylife=5m
>     rekeymargin=3m

Not sure what exactly the problem is but I suspect it might be related
to the times you configured above (at least partially).

Please have a look at the wiki page documenting how rekey times are
calculated [1].  As you can see, the values 5m for keylife (lifetime)
and 3m for rekeymargin (margintime) are problematic - it could even
disable rekeying (rekeytime = 5m - random(3m..6m)).

Please increase lifetime and see if that fixes the problem (also,
updating to a more recent release wouldn't hurt).


[1] http://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey

More information about the Users mailing list