[strongSwan] keyingtries = %forever not working

vey at hm.edu vey at hm.edu
Mon Dec 22 16:05:01 CET 2014


Hello,

I have a problem with an ipsec-connection. It seems that the statement
'keyingtries = %forever' doesn't work. When the ipsec breaks down,
strongswan tries to rekey but stops after 5 retries:

root at gw-left:~# more /var/log/daemon.log
...
Dec 19 16:45:47 gw-left charon: 12[IKE] sending DELETE for ESP CHILD_SA
with SPI 87654321
Dec 19 16:45:47 gw-left charon: 12[IKE] CHILD_SA closed
Dec 19 16:45:47 gw-left charon: 12[ENC] generating INFORMATIONAL response
5 [ D ]
Dec 19 16:45:47 gw-left charon: 12[NET] sending packet: from
<left_IP>[500] to <right_IP>[500] (96 bytes)
Dec 19 16:49:24 gw-left charon: 03[KNL] creating rekey job for ESP
CHILD_SA with SPI 12345678 and reqid {2}
Dec 19 16:49:24 gw-left charon: 03[IKE] establishing CHILD_SA
gw-left_gw-right{2}
Dec 19 16:49:24 gw-left charon: 03[ENC] generating CREATE_CHILD_SA request
7 [ N(REKEY_SA) SA No KE TSi TSr ]
Dec 19 16:49:24 gw-left charon: 03[NET] sending packet: from
<left_IP>[500] to <right_IP>[500] (1296 bytes)
Dec 19 16:49:28 gw-left charon: 14[IKE] retransmit 1 of request with
message ID 7
Dec 19 16:49:28 gw-left charon: 14[NET] sending packet: from
<left_IP>[500] to <right_IP>[500] (1296 bytes)
Dec 19 16:49:35 gw-left charon: 08[IKE] retransmit 2 of request with
message ID 7
Dec 19 16:49:35 gw-left charon: 08[NET] sending packet: from
<left_IP>[500] to <right_IP>[500] (1296 bytes)
Dec 19 16:49:48 gw-left charon: 13[IKE] retransmit 3 of request with
message ID 7
Dec 19 16:49:48 gw-left charon: 13[NET] sending packet: from
<left_IP>[500] to <right_IP>[500] (1296 bytes)
Dec 19 16:50:12 gw-left charon: 02[IKE] retransmit 4 of request with
message ID 7
Dec 19 16:50:12 gw-left charon: 02[NET] sending packet: from
<left_IP>[500] to <right_IP>[500] (1296 bytes)
Dec 19 16:50:54 gw-left charon: 09[IKE] retransmit 5 of request with
message ID 7
Dec 19 16:50:54 gw-left charon: 09[NET] sending packet: from
<left_IP>[500] to <right_IP>[500] (1296 bytes)
Dec 19 16:52:09 gw-left charon: 15[KNL] creating delete job for ESP
CHILD_SA with SPI 98765432 and reqid {2}
Dec 19 16:52:09 gw-left charon: 10[IKE] giving up after 5 retransmits

After these entries there is no log entry from Charon until I restart
Strongswan (/etc/init.d/ipsec restart). After a restart the connection is
established immediately and works fine (until it breaks down the next
time).
The problem only occurs on a link with a bit higher latency (RTT of 400ms
but almost no jitter and loss).
Is it possible to configure Strongswan to never give up? Any ideas?


Here is some more information:

OS is Debian 7 (Wheezy).
Strongswan is installed from Wheezy-Backports.
All packages are up-to-date (using 'apt-get update; apt-get -y upgrade')


root at gw-left:~# uname -a
Linux gw-left 3.2.0-4-amd64 #1 SMP Debian 3.2.63-2+deb7u2 x86_64 GNU/Linux


root at gw-left:~# ipsec version
Linux strongSwan U5.2.1/K3.2.0-4-amd64
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.


The IPSec-Config is the same on both sides:
root at gw-left:~# more /etc/ipsec.conf
# /etc/ipsec.conf

conn %default
	auto = start
	esp = aes256-sha512-modp8192!
	ike = aes256-sha512-modp8192!
	keyingtries = %forever
	mobike = no
	leftfirewall = yes
	rightfirewall = yes
	leftsendcert = never
	rightsendcert = never


conn host2host
	type = transport

	# gw-left
	left = <left_IP>
	leftid = "CN=gw-left.domain.tld"
	leftcert = gw-left_cert.pem

	# gw-right
	right = <right_IP>
	rightid = "CN=gw-right.domain.tld"
	rightcert = gw-right_cert.pem


conn net2net
	also = host2host
	type = tunnel

	# gw-left
	leftsubnet = <left_Networks>/24

	# gw-right
	rightsubnet = <right_Networks>/24

Thank you guys!
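As an added illustration (not part of the original post), the script below parses the retransmit timestamps from the log above and compares the gaps with strongSwan's default exponential retransmit backoff, which is governed by charon.retransmit_timeout (4.0), charon.retransmit_base (1.8) and charon.retransmit_tries (5) in strongswan.conf. The log lines are copied from the post; the year 2014 and a two-second tolerance are assumptions.

```python
import re
from datetime import datetime

# Retransmit-related lines from the post (the syslog format carries no year; 2014 assumed).
LOG = """\
Dec 19 16:49:24 gw-left charon: 03[ENC] generating CREATE_CHILD_SA request 7 [ N(REKEY_SA) SA No KE TSi TSr ]
Dec 19 16:49:28 gw-left charon: 14[IKE] retransmit 1 of request with message ID 7
Dec 19 16:49:35 gw-left charon: 08[IKE] retransmit 2 of request with message ID 7
Dec 19 16:49:48 gw-left charon: 13[IKE] retransmit 3 of request with message ID 7
Dec 19 16:50:12 gw-left charon: 02[IKE] retransmit 4 of request with message ID 7
Dec 19 16:50:54 gw-left charon: 09[IKE] retransmit 5 of request with message ID 7
Dec 19 16:52:09 gw-left charon: 10[IKE] giving up after 5 retransmits
"""

# Matches the initial send, each retransmit and the final give-up message.
EVENT = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[\w+\] "
    r"(generating \w+ request|retransmit \d+ of request|giving up after)"
)


def parse_times(log, year=2014):
    """Timestamps of the request send, every retransmit and the give-up, in log order."""
    times = []
    for line in log.splitlines():
        m = EVENT.match(line)
        if m:
            times.append(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
    return times


def observed_intervals(log):
    """Seconds between consecutive events: send -> retransmit 1 -> ... -> give-up."""
    t = parse_times(log)
    return [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]


def expected_intervals(tries=5, timeout=4.0, base=1.8):
    """charon waits timeout * base**n after the n-th send; the last wait precedes the give-up."""
    return [round(timeout * base ** n) for n in range(tries + 1)]


def matches_default_schedule(log, tol=2):
    """True if the observed gaps follow the default backoff within tol seconds each."""
    obs, exp = observed_intervals(log), expected_intervals()
    return len(obs) == len(exp) and all(abs(o - e) <= tol for o, e in zip(obs, exp))
```

The gaps in the post (4, 7, 13, 24, 42, 75 seconds, about 165 seconds in total) follow that schedule, so the retransmit settings in strongswan.conf, not keyingtries, are what decided when charon stopped retrying this exchange.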


