[strongSwan] "loosing" Security Associations

John A. Sullivan III jsullivan at opensourcedevel.com
Fri Jul 12 03:13:52 CEST 2013


On Tue, 2013-07-09 at 05:16 -0400, John A. Sullivan III wrote:
> On Mon, 2013-07-08 at 13:28 -0400, John A. Sullivan III wrote:
> > On Mon, 2013-07-08 at 09:25 +0200, Jozef Kutej wrote:
> > > On 07/08/2013 12:12 AM, John A. Sullivan III wrote:
> > > > This looks like exactly the problem we're having and I've not found a
> > > > solution.  I do not think the problem is the network connection - John
> > > 
> > > since ~5days we are running with:
> > > 
> > >        reauth=no
> > >        rekey=no
> > > 
> > > which solved the instability problems and no SA got lost.
> > > 
> > > How secure is ipsec without re-keying? What's the risk?
> > <snip>
> > 
> > I left a ping running through a GRE tunnel overnight to see if the
> > problem had anything to do with link stability and the network
> > connection is fine but the IPSec tunnel drops.  We have tried using
> > reauth=no only and that does not help (nor would we really want to do
> > it).
> > 
> > Something must be rekeying or the session will cease.  Thus, I assume
> > you have just turned off rekeying on the one side.  That's a possible
> > solution and one that one often needs to implement when dealing with
> > other VPN products but I would hope we can find out why SWAN is failing
> > to rekey properly with SWAN! Thanks - John
> > 
> <snip>
> So far, disabling rekeying on the problematic system solves the problem
> but that's a bad workaround.  I don't see what is different about that
> system.  We are still in our build out so there are only four gateways
> involved right now.  There are two bare-metal, direct Internet exposed
> systems and two AWS instances.  I would expect the latter to give me
> rekeying grief between virtualization and NAT but they are fine as is
> one bare metal system.  All those connections are stable but the one
> other bare metal system drops its connections to all the other three if
> we allow it to rekey.
> 
> Any hints on where to look next? I've cranked up debugging but nothing
> is jumping out at me.  Thanks - John
> 
<snip>
Alas, my optimism was short lived.  We are still dropping SAs - John
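As an added illustration (not part of the thread and not the posters' own configuration), the ipsec.conf fragment below puts the workaround Jozef describes (reauth=no, rekey=no) next to a variant that keeps rekeying enabled but sets the lifetimes and rekey margin explicitly. Only the option names are strongSwan's documented ipsec.conf settings; the connection names, addresses, subnets and lifetime values are assumptions, and on a real gateway only one of the two conn sections would be loaded for a given peer.

```ini
# Added example, not from the mailing-list thread. Gateway names, addresses,
# subnets and lifetimes are hypothetical.
config setup

conn %default
        keyexchange=ikev2
        authby=pubkey
        # Dead peer detection: notice a peer that has silently lost the SA
        # and bring the connection back up instead of leaving it down.
        dpdaction=restart
        dpddelay=30s
        keyingtries=%forever

# Variant 1: the workaround from the thread. This side never re-authenticates
# and never initiates a rekey. The SA is renewed only if the peer rekeys it;
# if neither side rekeys, the SA is simply deleted when its lifetime ends.
conn gw-a-to-gw-b-norekey
        left=203.0.113.10
        right=198.51.100.20
        leftsubnet=10.1.0.0/16
        rightsubnet=10.2.0.0/16
        reauth=no
        rekey=no
        auto=start

# Variant 2: rekeying stays on. ikelifetime covers the IKE SA, lifetime the
# CHILD SA; a rekey is attempted margintime before expiry, and rekeyfuzz adds
# random jitter so the two peers do not both start a rekey at the same moment.
conn gw-a-to-gw-b-rekey
        left=203.0.113.10
        right=198.51.100.20
        leftsubnet=10.1.0.0/16
        rightsubnet=10.2.0.0/16
        reauth=no
        rekey=yes
        ikelifetime=8h
        lifetime=1h
        margintime=9m
        rekeyfuzz=100%
        auto=start
```

If rekey=no is set on only one gateway, as John infers from Jozef's report, the other peer must keep rekey=yes or the SA is not renewed at all; the rekeyfuzz setting in the second variant is the usual first thing to check when two strongSwan peers collide while rekeying each other.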