[strongSwan] Renegotiation when SPI missing
Steffen Heise
foolix81-nerd at yahoo.de
Mon Nov 25 19:17:46 CET 2013
Hello,
I have two hosts which communicate using IPSec in transport mode. IKE is working fine so far. I wanted to check how dependable the connection is and started to disturb strongswan. During the tests I continuously pinged through the connection.
My first test was to delete the SPI with
# ip xfrm state flush
The connection went down immediately (of course). As I have strongswan configured to use DPD, I expected it to renegotiate automatically, but it didn't. Instead I got many log entries like this:
charon: 07[KNL] querying SAD entry with SPI c6c44e8f failed: No such process (3)
charon: 07[IKE] sending DPD request
So it seems that charon is aware that the SPI is missing, but it does not try to renegotiate the connection. Why is that the case? Wouldn't it be reasonable to renegotiate if the kernel says "No such process"?
Regards,
Steffen