[strongSwan] deleting IKE_SA: what's the reason?
Tobias Brunner
tobias at strongswan.org
Wed Sep 12 10:39:59 CEST 2012
Hi Diego,
> deleting IKE_SA CONN_NAME[10] between
> x.x.x.x[vpn1.example.com]...x.x.x.x[vpn2.example.com]
>
> I wrote a script that controls the status of the tunnel using "ipsec
> status". For some reason, some conns are dropped randomly. I have DPD
> enabled but I don't see the message "giving up..." and I don't see the
> message "received stroke..." about the connection lost and I don't see
> the rekeying messages.
>
> Is there an additional way to discover why Charon is deleting IKE SAs?
You are probably using reauth=yes (which is the default). So instead of
rekeying the IKE_SA the daemon will first delete the current instance
(hence the "deleting IKE_SA..." message) and then set up a new IKE_SA
from scratch. Try reauth=no to get regular IKE_SA rekeyings.
Regards,
Tobias
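
Added example, not part of the original messages and not strongSwan code: a log triage helper that labels each "deleting IKE_SA" line by what preceded it, using only the message fragments quoted in this thread ("giving up", "received stroke"). The log lines, connection names and the five-line look-back window are constructed assumptions; a delete with neither marker is labelled as a probable reauthentication, the case described in the reply above.

```python
import re

# Matches the delete message quoted in the thread: "deleting IKE_SA NAME[ID] between ..."
DELETE_RE = re.compile(r"deleting IKE_SA (?P<conn>\S+?)\[(?P<id>\d+)\]")

# Substrings taken from the thread; full charon message text varies by version.
CAUSES = (("giving up", "dpd-timeout"), ("received stroke", "operator-command"))


def classify_deletions(lines, window=5):
    """Return a (conn, id, cause) tuple for every 'deleting IKE_SA' line.

    The cause is read from up to `window` lines before the delete
    (assumption: the trigger is logged shortly before it). When neither
    marker is found, the delete is labelled 'probable-reauth'.
    """
    results = []
    for i, line in enumerate(lines):
        match = DELETE_RE.search(line)
        if not match:
            continue
        cause = "probable-reauth"
        for prev in reversed(lines[max(0, i - window):i]):
            if DELETE_RE.search(prev):
                break  # markers before an earlier delete belong to that delete
            hit = next((label for text, label in CAUSES if text in prev), None)
            if hit:
                cause = hit
                break
        results.append((match.group("conn"), int(match.group("id")), cause))
    return results


# Constructed sample lines (abbreviated, not verbatim charon output).
SAMPLE_LOG = """\
giving up on peer after retransmits
deleting IKE_SA siteA[3] between 192.0.2.1[vpn1.example.com]...198.51.100.2[vpn2.example.com]
received stroke: request for siteB
deleting IKE_SA siteB[7] between 192.0.2.1[vpn1.example.com]...198.51.100.2[vpn2.example.com]
unrelated log line for siteC
deleting IKE_SA siteC[10] between 192.0.2.1[vpn1.example.com]...198.51.100.2[vpn2.example.com]
""".splitlines()

if __name__ == "__main__":
    for conn, sa_id, cause in classify_deletions(SAMPLE_LOG):
        print(f"{conn}[{sa_id}]: {cause}")
```

A monitoring script can use the "probable-reauth" label to avoid alerting on deletes that are followed by a fresh IKE_SA for the same connection.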