[strongSwan] Charon hangs after failing to delete Rekeyed IPsec SAs

gowrishankar gowrishankar.m at linux.vnet.ibm.com
Fri Mar 23 14:46:16 CET 2012

Hi Anand,

wrt RFC 4306 Page 22:

    If the two ends have the same lifetime policies, it is possible that
    both will initiate a rekeying at the same time (which will result in
    redundant SAs).  To reduce the probability of this happening, the
    timing of rekeying requests SHOULD be jittered (delayed by a random
    amount of time after the need for rekeying is noticed).

Not a concrete suggestion, but to make sure that, strongswan 4.3(.6) is 
not having
any bug (or improper handling) to gitter rekeymargin. Can it be searched 
in git tree (for any such commit)?

Second, after reading few following paragraphs (and importantly last 
para of Sec2.8),
the timing window for rekeymargin is also associated to CREATE_CHILD_SA 
handled by rekey responder. You may need to look closely in charon.log 
at this situation.

I also observed that, you are setting keyingtries=1. Can it be the 
default 3 and tried
once again, if there is any packet drop observed ?

Gowri Shankar

On Tuesday 20 March 2012 06:24 PM, anand rao wrote:
> Hi Tobias,
>    I have already enabled both kernel-pfkey and kernel-netlink plugins. Both the plugins are loaded.
>   This was suggested by Andreas for my earlier query about pfkey plugin usage for IKEv1.
> Since 4.5.3 is causing kernel-panic in my environment for unknown reasons, i want to resolve
> the redundant child SA issue on 4.3.6. Please suggest me in resolving this issue.
> Thanks,
> Anand
> ----- Original Message -----
> From: Tobias Brunner<tobias at strongswan.org>
> To: anand rao<anandrao_me at yahoo.co.in>
> Cc: "users at lists.strongswan.org"<users at lists.strongswan.org>
> Sent: Tuesday, March 20, 2012 2:25 PM
> Subject: Re: [strongSwan] Charon hangs after failing to delete Rekeyed IPsec SAs
> Hi Anand,
>> On my environment there is no support for kernel-netlink interface
>> for IPsec,
>> I have to use kernel-pfkey interface only as I have my hooks
>> registered in PFKEY to XFRM for IPsec.
>> I have tried latest versions of strongswan (4.5.1 and 4.5.3) both
>> resulted in kernel panic after running for a while. I think there is
>> not much support for kernel-pfkey plugin in latest strtongswan
>> versions, and since latest versions require kernel-netlink plugin to
>> function properly migrating to newer versions might be not helpful in
>> my case.
> You actually need both plugins on Linux, even if using kernel-pfkey to
> install IPsec SAs and policies.  The reason for this is that the
> kernel-netlink plugin also implements the kernel_net_t interface which
> is used for address and route lookups etc.  You can enable both plugins,
> the kernel-pfkey plugin is then loaded first by default (otherwise make
> sure it is loaded first), which means that its kernel_ipsec_t
> implementation is used while the kernel-netlink plugin can still provide
> the required kernel_net_t implementation.
> Regards,
> Tobias
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

More information about the Users mailing list