[strongSwan] Keeps adding tunnels

Peter Osterberg j at vel.nu
Wed Apr 16 18:29:34 CEST 2014

Hi Martin,

thank you! It seems very stable now. I removed the rekeymargin
altogether and let Strongswan use the default value.

Have no idea where I got my config from, it from one or another sample I
have found... =)


Martin Willi skrev 2014-04-16 15:10:
> Hi Peter,
>> This works just fine and it gives me one tunnel if I check with *ipsec
>> status*. I do how ever after half an hour or so get more and more active
>> tunnels, and it gets unresponsive.
>>      ikelifetime=60m
>>      keylife=20m
>>      rekeymargin=1
> As you set rekeymargin to only 1 second, both peers start
> re-authenticating the IKE connection almost exactly every 59:59, and
> your CHILD_SAs get rekeyed every 19:59.
> This most likely leads to exchange collisions, which are especially
> problematic when doing re-authentication. This can explain the
> additional state that gets created during such collisions.
> You should try to set a sane value for rekeymargin, man ipsec.conf for
> details. If you don't need a periodic recheck of the used credentials,
> I'd also recommend to disable re-authentication in favor of IKE_SA
> rekeying, have a look at the reauth ipsec.conf option.
> Regards
> Martin

More information about the Users mailing list