[strongSwan] "loosing" Security Associations

John A. Sullivan III jsullivan at opensourcedevel.com
Tue Jul 9 11:16:45 CEST 2013


On Mon, 2013-07-08 at 13:28 -0400, John A. Sullivan III wrote:
> On Mon, 2013-07-08 at 09:25 +0200, Jozef Kutej wrote:
> > On 07/08/2013 12:12 AM, John A. Sullivan III wrote:
> > > This looks like exactly the problem we're having and I've not found a
> > > solution.  I do not think the problem is the network connection - John
> > 
> > since ~5 days we are running with:
> > 
> >        reauth=no
> >        rekey=no
> > 
> > which solved the instability problems and no SA got lost.
> > 
> > How secure is ipsec without re-keying? What's the risk?
> <snip>
> 
> I left a ping running through a GRE tunnel overnight to see if the
> problem had anything to do with link stability and the network
> connection is fine but the IPSec tunnel drops.  We have tried using
> reauth=no only and that does not help (nor would we really want to do
> it).
> 
> Something must be rekeying or the session will cease.  Thus, I assume
> you have just turned off rekeying on the one side.  That's a possible
> solution and one that one often needs to implement when dealing with
> other VPN products but I would hope we can find out why SWAN is failing
> to rekey properly with SWAN! Thanks - John
> 
<snip>
So far, disabling rekeying on the problematic system solves the problem
but that's a bad workaround.  I don't see what is different about that
system.  We are still in our build out so there are only four gateways
involved right now.  There are two bare-metal, direct Internet exposed
systems and two AWS instances.  I would expect the latter to give me
rekeying grief between virtualization and NAT but they are fine as is
one bare metal system.  All those connections are stable but the one
other bare metal system drops its connections to all the other three if
we allow it to rekey.

Any hints on where to look next? I've cranked up debugging but nothing
is jumping out at me.  Thanks - John

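For readers who land on this thread with the same question ("how secure is IPsec without re-keying?"), the following ipsec.conf fragment is an added example, not configuration posted by anyone in the thread or shipped by the strongSwan project. It places the workaround discussed above (rekey=no) next to a connection that keeps rekeying enabled but spreads and staggers the rekey times so that both gateways do not try to renegotiate at the same instant, which is the usual first thing to rule out when only one peer keeps losing its SAs. The connection name, addresses, IDs and lifetimes are assumptions chosen for illustration; the option names (rekey, reauth, ikelifetime, lifetime, margintime, rekeyfuzz, dpdaction, dpddelay, closeaction, type, leftprotoport/rightprotoport, charondebug) are real strongSwan ipsec.conf keywords.

```ini
# Added example: ipsec.conf fragments for a GRE-over-IPsec gateway pair.
# Names, addresses and lifetimes below are assumptions, not values from the thread.

config setup
    # Assumption: verbose IKE, kernel and config logging while the rekey
    # problem is being chased; turn back down once the cause is found.
    charondebug="ike 2, knl 2, cfg 2"

# --- Workaround as described in the thread: this end never initiates a rekey.
# Caveat: rekey=no only stops THIS gateway from requesting renegotiation; it
# still answers a rekey initiated by the peer.  If both sides set rekey=no the
# SA simply expires at its lifetime and is only rebuilt by DPD/closeaction or
# a new packet matching the policy, and the same keys are used for the whole
# lifetime of the SA.
conn gre-peer-workaround
    keyexchange=ikev2
    type=transport
    left=203.0.113.10            # assumption: this gateway
    leftid=@gw-a.example.net      # assumption
    leftprotoport=gre
    right=198.51.100.20          # assumption: remote gateway
    rightid=@gw-b.example.net     # assumption
    rightprotoport=gre
    rekey=no
    reauth=no
    auto=start

# --- Intended configuration: keep rekeying, but avoid rekey collisions.
# margintime is how long before expiry the rekey is attempted; rekeyfuzz
# randomises that margin (up to +100%), so the two peers pick different
# moments and do not both start a CREATE_CHILD_SA at once.  reauth=no keeps
# the IKE_SA and only refreshes keys, which is what the thread is after.
conn gre-peer
    keyexchange=ikev2
    type=transport
    left=203.0.113.10            # assumption
    leftid=@gw-a.example.net      # assumption
    leftprotoport=gre
    right=198.51.100.20          # assumption
    rightid=@gw-b.example.net     # assumption
    rightprotoport=gre
    ikelifetime=3h               # IKE_SA lifetime (assumption)
    lifetime=1h                  # CHILD_SA lifetime (assumption)
    margintime=9m                # rekey starts this long before expiry
    rekeyfuzz=100%               # randomise the margin to avoid collisions
    rekey=yes
    reauth=no
    # Detect a peer that silently went away and rebuild the tunnel rather
    # than leaving the GRE tunnel black-holed until the next packet.
    dpddelay=30s
    dpdaction=restart
    closeaction=restart
    auto=start
```

When comparing the two, the thing to look for in the charon log on the gateway that loses its SAs is whether it is the one sending the CREATE_CHILD_SA rekey request or the one answering it, and whether the old SA is deleted before the new one is installed; a peer that has rekey=no set will never appear as the initiator of that exchange, which is why disabling rekeying on one side masks a collision or a response-handling problem rather than fixing it.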