[strongSwan] Keeps adding tunnels

Peter Osterberg j at vel.nu
Wed Apr 16 18:29:34 CEST 2014


Hi Martin,

thank you! It seems very stable now. I removed the rekeymargin
altogether and let strongSwan use the default value.

I have no idea where I got my config from; it was from one or another sample I
have found... =)

/Peter

Martin Willi wrote 2014-04-16 15:10:
> Hi Peter,
>
>> This works just fine and it gives me one tunnel if I check with *ipsec
>> status*. I do however after half an hour or so get more and more active
>> tunnels, and it gets unresponsive.
>>      ikelifetime=60m
>>      keylife=20m
>>      rekeymargin=1
> As you set rekeymargin to only 1 second, both peers start
> re-authenticating the IKE connection almost exactly every 59:59, and
> your CHILD_SAs get rekeyed every 19:59.
>
> This most likely leads to exchange collisions, which are especially
> problematic when doing re-authentication. This can explain the
> additional state that gets created during such collisions.
>
> You should try to set a sane value for rekeymargin, man ipsec.conf for
> details. If you don't need a periodic recheck of the used credentials,
> I'd also recommend disabling re-authentication in favor of IKE_SA
> rekeying, have a look at the reauth ipsec.conf option.
>
> Regards
> Martin
>
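To make the arithmetic in the reply concrete, here is an added example (my own checker, not code from this thread or from the strongSwan project) that parses a conn block in ipsec.conf style and computes the window in which each peer starts replacing its IKE_SA and CHILD_SAs. It assumes the ipsec.conf(5) semantics that replacement starts rekeymargin before expiry, with rekeymargin randomly increased by up to rekeyfuzz percent (defaults rekeymargin=3m, rekeyfuzz=100%); the 60-second "collision risk" threshold and the two sample conn blocks are constructed for the example.

```python
# Added example, not code from the original thread or from strongSwan: a small
# checker that parses a strongSwan ipsec.conf-style conn block and works out
# when each peer will start replacing its SAs.
#
# Semantics assumed from the strongSwan ipsec.conf(5) man page: rekeying or
# re-authentication starts rekeymargin before the lifetime expires, and
# rekeymargin is randomly increased by up to rekeyfuzz percent (defaults:
# rekeymargin=3m, rekeyfuzz=100%). MIN_SPREAD_SECONDS is a constructed
# heuristic for this example, not a strongSwan rule.
import re

DEFAULTS = {
    "ikelifetime": "3h",
    "keylife": "1h",
    "rekeymargin": "3m",
    "rekeyfuzz": "100%",
    "reauth": "yes",
}
MIN_SPREAD_SECONDS = 60  # constructed heuristic: narrower than this and both peers fire together

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value: str) -> int:
    """'60m' -> 3600, '1' -> 1 (a bare number is seconds, as in ipsec.conf)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def parse_conn(text: str) -> dict:
    """Read key=value lines of a conn section on top of the defaults."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def rekey_window(lifetime: int, margin: int, fuzz_percent: int) -> tuple:
    """Earliest and latest second (after SA setup) at which one peer starts
    replacing the SA. Each peer picks its own point in this window, so the
    width of the window is what keeps the two sides from colliding."""
    latest = lifetime - margin
    earliest = lifetime - margin * (100 + fuzz_percent) // 100
    return earliest, latest


def analyse(text: str) -> dict:
    s = parse_conn(text)
    fuzz = int(s["rekeyfuzz"].rstrip("%"))
    margin = parse_duration(s["rekeymargin"])
    ike = rekey_window(parse_duration(s["ikelifetime"]), margin, fuzz)
    child = rekey_window(parse_duration(s["keylife"]), margin, fuzz)
    spread = ike[1] - ike[0]
    return {
        "ike_window": ike,
        "child_window": child,
        "spread": spread,
        "collision_risk": spread < MIN_SPREAD_SECONDS,
        # reauth=yes tears down and rebuilds the IKE_SA, which is what makes a
        # collision costly; plain IKE_SA rekeying (reauth=no) is gentler.
        "reauth": s["reauth"].lower() == "yes",
    }


# Constructed sample: the settings quoted in the thread ...
BROKEN_CONN = """
conn peer
    ikelifetime=60m
    keylife=20m
    rekeymargin=1
"""

# ... and the same conn with the default margin and re-authentication
# replaced by IKE_SA rekeying, as the reply suggests.
FIXED_CONN = """
conn peer
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    reauth=no
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONN), ("fixed", FIXED_CONN)):
        print(name, analyse(conf))
```

With rekeymargin=1 the IKE window is one second wide (3598 to 3599 s), so both peers start re-authenticating at practically the same instant, exactly the collision the reply describes; with the default 3m margin the window is 180 seconds wide (3240 to 3420 s) and the peers almost always pick different moments.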