[strongSwan] Rekey Collisions

Steve Lee steve.lee at zynstra.com
Tue Jul 29 13:17:21 CEST 2014

Hi, I'm running strongswan 5.1.1 in site-site configuration using NAT-T between 2 VMs where both hosts have been created from the same image. Both sites also have time synced using NTP.

Generally its working fine (although getting 5% packet loss when pinging) but periodically (daily) one or more tunnels seem to stop working. After some investigation, it seemed that these coincide with a rekey collision where both sides create a rekey jobs at (to the nearest second) the same time. When this happens I dont see any specific errors in the logs.

The relevant config parameters are


So I have a few questions

1. Why do we keep seeing the collisions, surely the rekeyfuzz would make this pretty unlikely or does the way the host were built and/or time sync affect the randomness of rekeyfuzz?

2. When we get a collision why dont we see an error and why doesnt it retry given the keyingtries parameter?

3. Is it recommended that only one side should do rekeying (i.e. set rekey=no on the other)?



Steve Lee

Steve Lee
Senior Architect
Phone: +44 (0)7474 647674

Zynstra is a private limited company registered in England and Wales (registered number 07864369).  Our registered office is 5 New Street Square, London, EC4A 3TW and our headquarters are at Bath Ventures, Broad Quay, Bath, BA1 1UD.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140729/687be84c/attachment.html>

More information about the Users mailing list