[strongSwan] HA resync issue

Thomas Egerer hakke_007 at gmx.de
Tue Aug 5 10:57:14 CEST 2014

Hi Emeric,

On 08/04/2014 10:25 AM, Emeric POUPON wrote:
> Hello,
> Thanks for your answer.
> Here is the configuration on the responder (which is in HA mode):
> -----
> conn %default
> 	ikelifetime=360m
> 	keylife=60m
> 	rekeymargin=3m
> 	keyingtries=1
> 	keyexchange=ikev2
> 	authby=secret
> conn sample-psk-3k
>       left=
>       leftid=srv.strongswan.org
>       leftsubnet=
>       right=%any
>       auto=add
>       esp=aes128-sha1-modp2048
>       ike=aes128-sha1-modp2048
> ----

With this configuration, the race condition I was talking about
will not occur.

> On the passive node I can see some lines that like:
> ...
>    (unnamed)[24]: CONNECTING, %any[%any]...%any[%any]
>    (unnamed)[24]: IKEv2 SPIs: dce7d8aa449c06ea_i 312cbeb706504d9d_r*
>    (unnamed)[24]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1
>    (unnamed)[23]: CONNECTING, %any[%any]...%any[%any]
>    (unnamed)[23]: IKEv2 SPIs: 090d4aa0884fd214_i 7ed0a8f6e8581328_r*
>    (unnamed)[23]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1
> ...
I guess you will have to manually check the log files on both
ends (active and passive) to see what gets sent and received
by the HA nodes. This way you can find out whether the missing
SAs are not sent by your active node or your passive node has
problems with it. Judging from your config your passive node's
charon should not have problems to find appropriate


More information about the Users mailing list