[strongSwan] Packet loss on rekeying

Diego Woitasen diego at woitasen.com.ar
Tue Sep 18 02:43:02 CEST 2012


On Mon, Sep 17, 2012 at 6:51 PM, Richard Andrews
<richard.andrews at symstream.com> wrote:
> If you have the default of reauth=yes then the IKE SA must be completely
> shut down (and all child SAs) while IKE is restarted. This leads to a
> short period where no child SAs are able to carry traffic.
>
> I suggest you try the same test with ikelifetime=10min (lifetime=30s) and
> verify this is the issue.
>
> If you use IKEv2 and reauth=no then you may avoid this problem.
>
>
> On Mon, 2012-09-17 at 17:23 -0300, Diego Woitasen wrote:
>> Hi,
>>  I'm testing my strongSwan installation and I discovered that I have
>> packet loss on rekeying. I set these values to reproduce the problem:
>>
>> ikelifetime=60s
>> lifetime=30s
>> rekeymargin=20s
>> rekeyfuzz=0%
>>
>> And every time a rekey appears in the log file, some packets are lost
>> (testing with ping -A -c 100 in an infinite loop).
>>
>> I'm using 4.5.2 from Squeeze Backports.
>>
>> I have three questions:
>>
>> 1- Is this normal? Shall I expect some packet loss during the rekey?
>>
>> 2- If not, what can I do to debug this?
>>
>> 3- Is there some code added to the latest version that can help with this issue?
>>
>> Regards,
>>   Diego
>>
>

I tried with reauth=no and I still have packet loss.

-- 
Diego Woitasen
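
Added example (not part of the original message and not strongSwan code): a schedule of when rekey events fall in a test window for the settings quoted above, so that ping loss timestamps can be lined up against them. It uses the ipsec.conf formula rekeytime = lifetime - (rekeymargin + random(0, rekeymargin * rekeyfuzz)); the function names are hypothetical, and it assumes negotiation takes no time and that a reauthentication recreates the CHILD_SA as the quoted reply describes.

```python
import random

# Settings quoted from the post above (ipsec.conf conn parameters).
CONF = "ikelifetime=60s lifetime=30s rekeymargin=20s rekeyfuzz=0%"

def parse(conf):
    """Parse key=value tokens: an 's' suffix is seconds, a '%' suffix a fraction."""
    out = {}
    for token in conf.split():
        key, _, val = token.partition("=")
        out[key] = float(val[:-1]) / 100 if val.endswith("%") else float(val.rstrip("s"))
    return out

def rekey_after(lifetime, margin, fuzz, rng):
    """ipsec.conf formula: lifetime - (margin + random(0, margin * fuzz))."""
    t = lifetime - (margin + rng.uniform(0, margin * fuzz))
    if t <= 0:  # margin (plus fuzz) eats the whole lifetime: no valid schedule
        raise ValueError("rekeymargin plus fuzz reaches the lifetime")
    return t

def schedule(conf, window, reauth=True, seed=0):
    """Return [(seconds, event)] for rekey events up to `window` seconds.

    Assumptions of this sketch: negotiation takes zero time, and a
    reauthentication recreates the CHILD_SA, restarting its timer.
    """
    p, rng = parse(conf), random.Random(seed)
    margin, fuzz = p["rekeymargin"], p["rekeyfuzz"]
    t_ike = rekey_after(p["ikelifetime"], margin, fuzz, rng)
    t_child = rekey_after(p["lifetime"], margin, fuzz, rng)
    events = []
    while min(t_ike, t_child) <= window:
        if t_ike <= t_child:
            now = t_ike
            events.append((now, "IKE_SA reauth" if reauth else "IKE_SA rekey"))
            t_ike = now + rekey_after(p["ikelifetime"], margin, fuzz, rng)
            if reauth:  # CHILD_SA is torn down and set up again
                t_child = now + rekey_after(p["lifetime"], margin, fuzz, rng)
        else:
            now = t_child
            events.append((now, "CHILD_SA rekey"))
            t_child = now + rekey_after(p["lifetime"], margin, fuzz, rng)
    return events

if __name__ == "__main__":
    for reauth in (True, False):
        print(f"reauth={'yes' if reauth else 'no'}")
        for t, event in schedule(CONF, 120, reauth):
            print(f"  t={t:5.0f}s  {event}")
```

If loss shows up at every event in the reauth=no schedule and not only at the IKE_SA ones, the CHILD_SA rekey itself is where to look.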



