[strongSwan] Random IPSEC IKE1 Dropping
Turnbough, Bradley E.
bturnbough at belcan.com
Thu Jul 10 19:42:29 CEST 2014
Can anyone help me out with this issue? I know I have very few details to go off of, but at this point, I don't know what else is needed and what needs to be provided.
Thanks,
Brad
________________________________
From: Turnbough, Bradley E.
Sent: Wednesday, July 09, 2014 9:00 AM
To: users at lists.strongswan.org
Subject: Random IPSEC IKE1 Dropping
Hello All,
I'm currently running this config on an active strongswan box. I am running CentOS 6.5 (fully patched) alongside strongswan version "Linux strongSwan U5.0.4/K2.6.32-431.3.1.el6.x86_6"
We upgraded a while back from a version that still used pluto to this new version (which uses charon). We've started to experience random conn drops (primarily on sa-01 and sa-05). The only way to resolve this that I've found is to perform a 'service strongswan restart'. This is not the only conn which experiences this, so I'm thinking this may be a configuration issue or a bug. The problem is, I don't necessarily know much about ipsec. I'm hoping someone can help me out. Can anyone? Please?
conn customer-sa-01
    auto=start
    rightsubnet=A.0.0.0/8
    also=customer-default

conn customer-sa-02
    auto=start
    rightsubnet=B.C.0.0/16
    also=customer-default

conn customer-sa-03
    auto=start
    rightsubnet=D.E.0.0/16
    also=customer-default

conn customer-sa-04
    auto=start
    rightsubnet=F.G.0.0/15
    also=customer-default

conn customer-sa-05
    auto=start
    rightsubnet=H.I.0.0/15
    also=customer-default

conn customer-sa-06
    auto=start
    rightsubnet=J.K.0.0/16
    also=customer-default

conn customer-sa-07
    auto=start
    rightsubnet=L.M.0.0/16
    also=customer-default

conn customer-sa-08
    auto=start
    rightsubnet=N.O.P.Q/32
    also=customer-default

conn customer-default
    keyingtries=%forever
    authby=secret
    left=R.S.T.U
    leftsubnet=V.W.X.0/24
    right=Y.Z.AA.BB
    rightallowany=yes
    keyexchange=ikev1
    ikelifetime=480m
    keylife=3600s
    mobike=no
    ike=aes256-sha1-modp1024
    esp=3des-md5