[strongSwan] Keeps adding tunnels
Martin Willi
martin at strongswan.org
Wed Apr 16 15:10:14 CEST 2014
Hi Peter,
> This works just fine and it gives me one tunnel if I check with *ipsec
> status*. I do, however, after half an hour or so get more and more active
> tunnels, and it gets unresponsive.
> ikelifetime=60m
> keylife=20m
> rekeymargin=1
As you set rekeymargin to only 1 second, both peers start
re-authenticating the IKE connection almost exactly every 59:59, and
your CHILD_SAs get rekeyed every 19:59.
This most likely leads to exchange collisions, which are especially
problematic when doing re-authentication. This can explain the
additional state that gets created during such collisions.
You should try to set a sane value for rekeymargin, man ipsec.conf for
details. If you don't need a periodic recheck of the used credentials,
I'd also recommend to disable re-authentication in favor of IKE_SA
rekeying, have a look at the reauth ipsec.conf option.
Regards
Martin
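As an added illustration (not part of the original thread), the quoted ipsec.conf settings with their one-second rekeymargin next to a conn section adjusted along the lines Martin suggests. The conn name "peer", the addresses and subnets are placeholders; the comments on defaults refer to strongSwan's documented ipsec.conf defaults.

```ini
# Added example, not from the original post. The first conn reproduces the
# settings quoted above; the second applies a sane rekeymargin, keeps the
# default rekeyfuzz explicitly, and replaces re-authentication with IKE_SA
# rekeying. Conn name, addresses and subnets are placeholders.

config setup

# BEFORE: with rekeymargin=1 both peers start re-authenticating the IKE_SA
# at 59:59 and rekeying the CHILD_SAs at 19:59, so their exchanges collide.
#conn peer
#    keyexchange=ikev2
#    ikelifetime=60m
#    keylife=20m
#    rekeymargin=1
#    auto=start

# AFTER
conn peer
    keyexchange=ikev2
    left=%defaultroute
    leftsubnet=10.1.0.0/24
    right=192.0.2.1
    rightsubnet=10.2.0.0/24
    ikelifetime=60m
    keylife=20m
    # begin rekeying well before expiry; must stay below keylife
    # (strongSwan's default is 9m)
    rekeymargin=3m
    # randomize the margin by up to 100% so the two peers do not start
    # their exchanges at the same instant (this is the default, stated here
    # explicitly)
    rekeyfuzz=100%
    # rekey the IKE_SA in place instead of re-authenticating it
    # (the default is reauth=yes)
    reauth=no
    auto=start
```

After reloading the configuration, `ipsec statusall` should continue to show a single IKE_SA for the connection across several rekeying intervals; a growing count of SAs under the same conn name is the symptom described above.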