[strongSwan] keyingtries = %forever not working

Noel Kuntze noel at familie-kuntze.de
Tue Dec 23 20:38:17 CET 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Vey,

That is a known issue. As a workaround, I advise using auto=route and DPD to
restart connections. Use dpdaction=restart on one side and dpdaction=clear on the other side.
Having dpdaction=restart on both sides will break the tunnel and cause problems.
Setting auto=route makes strongSwan initiate a connection to the other side in case there is no connection
and a packet matching the associated IPsec policies is received.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 22.12.2014 16:05, vey at hm.edu wrote:
> Hello,
>
> I have a problem with an IPsec connection. It seems that the statement
> 'keyingtries = %forever' doesn't work. When the IPsec connection breaks down,
> strongSwan tries to rekey but stops after 5 retries:
>
> root at gw-left:~# more /var/log/daemon.log
> ...
> Dec 19 16:45:47 gw-left charon: 12[IKE] sending DELETE for ESP CHILD_SA
> with SPI 87654321
> Dec 19 16:45:47 gw-left charon: 12[IKE] CHILD_SA closed
> Dec 19 16:45:47 gw-left charon: 12[ENC] generating INFORMATIONAL response
> 5 [ D ]
> Dec 19 16:45:47 gw-left charon: 12[NET] sending packet: from
> <left_IP>[500] to <right_IP>[500] (96 bytes)
> Dec 19 16:49:24 gw-left charon: 03[KNL] creating rekey job for ESP
> CHILD_SA with SPI 12345678 and reqid {2}
> Dec 19 16:49:24 gw-left charon: 03[IKE] establishing CHILD_SA
> gw-left_gw-right{2}
> Dec 19 16:49:24 gw-left charon: 03[ENC] generating CREATE_CHILD_SA request
> 7 [ N(REKEY_SA) SA No KE TSi TSr ]
> Dec 19 16:49:24 gw-left charon: 03[NET] sending packet: from
> <left_IP>[500] to <right_IP>[500] (1296 bytes)
> Dec 19 16:49:28 gw-left charon: 14[IKE] retransmit 1 of request with
> message ID 7
> Dec 19 16:49:28 gw-left charon: 14[NET] sending packet: from
> <left_IP>[500] to <right_IP>[500] (1296 bytes)
> Dec 19 16:49:35 gw-left charon: 08[IKE] retransmit 2 of request with
> message ID 7
> Dec 19 16:49:35 gw-left charon: 08[NET] sending packet: from
> <left_IP>[500] to <right_IP>[500] (1296 bytes)
> Dec 19 16:49:48 gw-left charon: 13[IKE] retransmit 3 of request with
> message ID 7
> Dec 19 16:49:48 gw-left charon: 13[NET] sending packet: from
> <left_IP>[500] to <right_IP>[500] (1296 bytes)
> Dec 19 16:50:12 gw-left charon: 02[IKE] retransmit 4 of request with
> message ID 7
> Dec 19 16:50:12 gw-left charon: 02[NET] sending packet: from
> <left_IP>[500] to <right_IP>[500] (1296 bytes)
> Dec 19 16:50:54 gw-left charon: 09[IKE] retransmit 5 of request with
> message ID 7
> Dec 19 16:50:54 gw-left charon: 09[NET] sending packet: from
> <left_IP>[500] to <right_IP>[500] (1296 bytes)
> Dec 19 16:52:09 gw-left charon: 15[KNL] creating delete job for ESP
> CHILD_SA with SPI 98765432 and reqid {2}
> Dec 19 16:52:09 gw-left charon: 10[IKE] giving up after 5 retransmits
>
> After these entries there is no log entry from charon until I restart
> strongSwan (/etc/init.d/ipsec restart). After a restart the connection is
> established immediately and works fine (until it breaks down the next
> time).
> The problem only occurs on a link with somewhat higher latency (RTT of 400 ms
> but almost no jitter and loss).
> Is it possible to configure strongSwan to never give up? Any ideas?
>
>
> Here is some more information:
>
> OS is Debian 7 (Wheezy).
> strongSwan is installed from wheezy-backports.
> All packages are up to date (using 'apt-get update; apt-get -y upgrade').
>
>
> root at gw-left:~# uname -a
> Linux gw-left 3.2.0-4-amd64 #1 SMP Debian 3.2.63-2+deb7u2 x86_64 GNU/Linux
>
>
> root at gw-left:~# ipsec version
> Linux strongSwan U5.2.1/K3.2.0-4-amd64
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil, Switzerland
> See 'ipsec --copyright' for copyright information.
>
>
> The IPsec config is the same on both sides:
> root at gw-left:~# more /etc/ipsec.conf
> # /etc/ipsec.conf
>
> conn %default
>     auto = start
>     esp = aes256-sha512-modp8192!
>     ike = aes256-sha512-modp8192!
>     keyingtries = %forever
>     mobike = no
>     leftfirewall = yes
>     rightfirewall = yes
>     leftsendcert = never
>     rightsendcert = never
>
>
> conn host2host
>     type = transport
>
>     # gw-left
>     left = <left_IP>
>     leftid = "CN=gw-left.domain.tld"
>     leftcert = gw-left_cert.pem
>
>     # gw-right
>     right = <right_IP>
>     rightid = "CN=gw-right.domain.tld"
>     rightcert = gw-right_cert.pem
>
>
> conn net2net
>     also = host2host
>     type = tunnel
>
>     # gw-left
>     leftsubnet = <left_Networks>/24
>
>     # gw-right
>     rightsubnet = <right_Networks>/24
>
> Thank you guys!
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

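The workaround described in the reply above, written out as a complete configuration. This is an added example, not configuration posted by either participant: it reuses the placeholder addresses, identities and certificate names from the quoted ipsec.conf, assumes strongSwan 5.x ipsec.conf/strongswan.conf syntax as on the poster's system, and the retransmit values at the end are assumed tuning for a 400 ms RTT link rather than settings recommended in the thread. The asymmetry is the point: only gw-left gets dpdaction=restart, gw-right gets dpdaction=clear, and both keep a trap policy via auto=route so whichever side sees traffic first re-establishes the tunnel.

```conf
# /etc/ipsec.conf on gw-left (the side that actively restarts after a DPD timeout)
conn %default
    keyexchange = ikev2   # the quoted log shows IKEv2 exchanges (CREATE_CHILD_SA, INFORMATIONAL)
    ike = aes256-sha512-modp8192!
    esp = aes256-sha512-modp8192!
    mobike = no
    keyingtries = %forever
    auto = route          # install trap policies; initiate when a matching packet is seen
    dpddelay = 30s        # send an IKE liveness check every 30 s while the link is idle
    # dpdtimeout is IKEv1-only; for IKEv2 the charon.retransmit_* settings below
    # decide when the peer is declared dead.
    leftsendcert = never
    rightsendcert = never

conn net2net
    type = tunnel
    left = <left_IP>
    leftid = "CN=gw-left.domain.tld"
    leftcert = gw-left_cert.pem
    leftsubnet = <left_Networks>/24
    right = <right_IP>
    rightid = "CN=gw-right.domain.tld"
    rightcert = gw-right_cert.pem
    rightsubnet = <right_Networks>/24
    dpdaction = restart   # on DPD timeout: delete the SAs and immediately re-initiate

# /etc/ipsec.conf on gw-right (identical except for dpdaction)
# conn %default ... as above, including auto = route and dpddelay = 30s
# conn net2net
#     ... same left*/right* lines as above ...
#     dpdaction = clear   # on DPD timeout: just delete the SAs; the trap policy
#                         # left by auto=route re-initiates on the next outbound packet

# /etc/strongswan.conf on both gateways (assumed values; not from the thread)
charon {
    # The quoted log gave up after exactly 5 retransmits, the default.
    retransmit_tries = 8
    # Retransmit intervals are retransmit_timeout * retransmit_base^n:
    # 4, 7.2, 13, 23.3, 42, 75.6 s with the defaults, which matches the
    # 4/7/13/24/42/75 s gaps in the quoted log. Raising retransmit_tries
    # lengthens how long one exchange is retried before a DPD or rekey fails.
    retransmit_timeout = 4.0
    retransmit_base = 1.8
}
```

Reload with `ipsec update` (ipsec.conf changes) and `ipsec restart` (strongswan.conf changes are read at daemon start). Do not set dpdaction=restart on both gateways: each side would then tear down and re-initiate at the same time, which the reply above warns breaks the tunnel.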


