[strongSwan] Keeps adding tunnels

Martin Willi martin at strongswan.org
Wed Apr 16 15:10:14 CEST 2014

Hi Peter,

> This works just fine and it gives me one tunnel if I check with *ipsec
> status*. I do however after half an hour or so get more and more active
> tunnels, and it gets unresponsive.

>      ikelifetime=60m
>      keylife=20m
>      rekeymargin=1

As you set rekeymargin to only 1 second, both peers start
re-authenticating the IKE connection almost exactly every 59:59, and
your CHILD_SAs get rekeyed every 19:59.

This most likely leads to exchange collisions, which are especially
problematic when doing re-authentication. This can explain the
additional state that gets created during such collisions.

You should try to set a sane value for rekeymargin; see man ipsec.conf for
details. If you don't need a periodic recheck of the used credentials,
I'd also recommend disabling re-authentication in favor of IKE_SA
rekeying; have a look at the reauth ipsec.conf option.
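
Added example, not part of the original message and not strongSwan code: a small calculator for the window in which a peer starts rekeying, using the formula from the ipsec.conf man page, rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz)). The defaults are the documented ones; the rekeymargin=3m comparison value is constructed for illustration and is not a recommendation from the thread.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# Defaults as documented in the ipsec.conf man page.
DEFAULTS = {"ikelifetime": "3h", "lifetime": "1h",
            "margintime": "9m", "rekeyfuzz": "100%"}
# keylife and rekeymargin are aliases of lifetime and margintime.
ALIASES = {"keylife": "lifetime", "rekeymargin": "margintime"}

def seconds(value):
    """Convert an ipsec.conf time value to seconds (no suffix means seconds)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad time value: %r" % value)
    return float(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_conn(text):
    """Read key=value lines of a conn section, applying defaults and aliases."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            opts[ALIASES.get(key, key)] = val
    return opts

def rekey_window(lifetime, margin, fuzz_pct):
    """(earliest, latest) second after SA setup at which rekeying can start."""
    return lifetime - margin * (1 + fuzz_pct / 100), lifetime - margin

def report(text):
    """Rekey start window for the IKE_SA and the CHILD_SAs of one conn."""
    o = parse_conn(text)
    margin = seconds(o["margintime"])
    fuzz = float(o["rekeyfuzz"].rstrip("%"))
    return {name: rekey_window(seconds(o[key]), margin, fuzz)
            for name, key in (("IKE_SA", "ikelifetime"), ("CHILD_SA", "lifetime"))}

# Settings quoted in the thread.
POSTED = "ikelifetime=60m\nkeylife=20m\nrekeymargin=1\n"
# Constructed comparison: same lifetimes, a wider margin.
WIDER = "ikelifetime=60m\nkeylife=20m\nrekeymargin=3m\n"

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("wider", WIDER)):
        for sa, (lo, hi) in report(conf).items():
            print("%-6s %-8s starts rekey between %6.0fs and %6.0fs (%4.0fs wide)"
                  % (label, sa, lo, hi, hi - lo))
```

With the posted settings each peer picks its start time from a window only one second wide, so two peers with the same configuration act at practically the same moment; a wider margin spreads the start times over minutes.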

