[strongSwan] Packet loss on rekeying
Richard Andrews
richard.andrews at symstream.com
Mon Sep 17 23:51:10 CEST 2012
If you have the default of reauth=yes then the IKE SA must be completely
shut down (and all child SAs) while IKE is restarted. This leads to a
short period where no child SAs are able to carry traffic.
I suggest you try the same test with ikeliftime=10min (lifetime=30s) and
verify this is the issue.
If you use IKEv2 and reauth=no then you may avoid this problem.
On Mon, 2012-09-17 at 17:23 -0300, Diego Woitasen wrote:
> Hi,
> I'm testing my Strongswan installation and I discover that I have
> packet loss on rekeying. I set this values to reproduce the problem:
>
> ikelifetime=60s
> lifetime=30s
> rekeymargin=20s
> rekeyfuzz=0%
>
> And every time a rekey appears in the log file, some packets are lost
> (testing with ping -A -c 100 in a infinite loop).
>
> I'm using 4.5.2 from Squeeze Backports.
>
> I have three questions:
>
> 1- Is this normal? Shall I expect some packet loss during the rekey?
>
> 2- If not, what can I do to debug this?
>
> 3- Are there some code added to the latest version that can help on this issue?
>
> Regards,
> Diego
>
More information about the Users
mailing list