[strongSwan] Packet loss on rekeying

Richard Andrews richard.andrews at symstream.com
Mon Sep 17 23:51:10 CEST 2012


If you have the default of reauth=yes then the IKE SA must be completely
shut down (and all child SAs) while IKE is restarted. This leads to a
short period where no child SAs are able to carry traffic.

I suggest you try the same test with ikelifetime=10min (lifetime=30s) and
verify this is the issue.

If you use IKEv2 and reauth=no then you may avoid this problem.


On Mon, 2012-09-17 at 17:23 -0300, Diego Woitasen wrote:
> Hi,
>  I'm testing my strongSwan installation and I discovered that I have
> packet loss on rekeying. I set these values to reproduce the problem:
> 
> ikelifetime=60s
> lifetime=30s
> rekeymargin=20s
> rekeyfuzz=0%
> 
> And every time a rekey appears in the log file, some packets are lost
> (testing with ping -A -c 100 in an infinite loop).
> 
> I'm using 4.5.2 from Squeeze Backports.
> 
> I have three questions:
> 
> 1- Is this normal? Shall I expect some packet loss during the rekey?
> 
> 2- If not, what can I do to debug this?
> 
> 3- Is there some code added to the latest version that can help with this issue?
> 
> Regards,
>   Diego
> 
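
The event schedule implied by the settings in this thread, as an added example that is not part of either message or of strongSwan itself: it applies the ipsec.conf(5) formula rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz)) and lists when an IKE reauthentication falls inside a test window. Assumptions: negotiation is instantaneous, a reauthentication restarts the CHILD SA timer, and the function names are hypothetical.

```python
import random

def rekey_time(lifetime, margin, fuzz_pct, rng):
    """Seconds after SA setup at which rekeying starts (ipsec.conf formula)."""
    t = lifetime - (margin + rng.uniform(0, margin * fuzz_pct / 100.0))
    if t <= 0:
        raise ValueError("rekeymargin (plus fuzz) must be smaller than the lifetime")
    return t

def timeline(ikelifetime, lifetime, margin, fuzz_pct, duration, reauth=True, seed=0):
    """Return [(seconds, kind)], kind in child-rekey / ike-rekey / ike-reauth."""
    rng = random.Random(seed)
    next_ike = rekey_time(ikelifetime, margin, fuzz_pct, rng)
    next_child = rekey_time(lifetime, margin, fuzz_pct, rng)
    events = []
    while min(next_ike, next_child) <= duration:
        if next_ike <= next_child:
            now = next_ike
            if reauth:
                # Modelled as in the reply above: the IKE SA and all child SAs
                # go down, so the new child SA starts a fresh timer (assumption).
                events.append((now, "ike-reauth"))
                next_child = now + rekey_time(lifetime, margin, fuzz_pct, rng)
            else:
                # IKE SA rekeyed in place; child SAs keep running.
                events.append((now, "ike-rekey"))
            next_ike = now + rekey_time(ikelifetime, margin, fuzz_pct, rng)
        else:
            events.append((next_child, "child-rekey"))
            next_child += rekey_time(lifetime, margin, fuzz_pct, rng)
    return events

def reauth_times(events):
    """Moments at which no child SA can carry traffic in this model."""
    return [t for t, kind in events if kind == "ike-reauth"]

if __name__ == "__main__":
    window = 120  # seconds of ping testing (constructed value)
    cases = {
        "original (ikelifetime=60s)": dict(ikelifetime=60, reauth=True),
        "suggested test (ikelifetime=10min)": dict(ikelifetime=600, reauth=True),
        "reauth=no": dict(ikelifetime=60, reauth=False),
    }
    for name, kw in cases.items():
        ev = timeline(lifetime=30, margin=20, fuzz_pct=0, duration=window, **kw)
        print(f"{name}: {len(ev)} events, reauth at {reauth_times(ev)}")
```

If packet loss lines up only with the `ike-reauth` times and disappears in the 10-minute case, where child rekeys still happen every 10 seconds, the reauthentication is the cause rather than CHILD SA rekeying.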




