[strongSwan] Packet reordering problems

Martin Willi martin at strongswan.org
Thu Apr 10 17:13:23 CEST 2014

Hi Steffen,

> In the other cases the packet order seems correct (on the responder
> side) but arrive incorrectly on the initiator side:
> -> A
> B <-
> -> C
> D <-
> -> E1
> -> E2
> F1 <-
> G <-
> F2 <-

Is my assumption correct that you are initiating Main Mode, followed by
a transaction request (Mode Config exchange in Push Mode or XAuth)? Is G
the TRANSACTION request?

If yes: The problem arises from that fact that once strongSwan completes
Main Mode, it immediately starts with the transaction request. In a
network with some hops the transaction request might arrive before the
last Main Mode message.

strongSwan queues up transaction requests and processes them once Main
Mode is complete, but possible that Raccoon does not have such a
mechanism, and fails to process the transaction request if it does not
have received the last Main Mode message. So I see the following

      * Switch to Mode Config Pull when using Push (and no XAuth)
      * Disable XAuth when using it
      * Make strongSwan "delay" the transaction request

While it depends on your network what an appropriate delay is, it might
be the most practical approach.

charon has some useful strongswan.conf options for such things, namely
charon.send_delay and charon.send_delay_type, see [1]. To delay sending
of transaction requests, you could use something like:

charon {
  # delay in ms
  send_delay = 50
  # delay TRANSACTION messages only
  send_delay_type = 6

Not tested that in detail, but should be possible to delay that message
appropriately to avoid message reordering on your path.

Best Regards


More information about the Users mailing list