[strongSwan] Rekey Collisions
Steve Lee
steve.lee at zynstra.com
Tue Jul 29 13:17:21 CEST 2014
Hi, I'm running strongSwan 5.1.1 in a site-to-site configuration using NAT-T between 2 VMs, where both hosts have been created from the same image. Both sites also have their time synced using NTP.
Generally it's working fine (although getting 5% packet loss when pinging), but periodically (daily) one or more tunnels seem to stop working. After some investigation, it seemed that these coincide with a rekey collision where both sides create rekey jobs at (to the nearest second) the same time. When this happens I don't see any specific errors in the logs.
The relevant config parameters are:
ikelifetime=3h
keylife=1h
rekeymargin=9m
keyingtries=%forever
rekeyfuzz=100%???
reauth=no
So I have a few questions:
1. Why do we keep seeing the collisions? Surely the rekeyfuzz would make this pretty unlikely, or does the way the hosts were built and/or the time sync affect the randomness of rekeyfuzz?
2. When we get a collision, why don't we see an error, and why doesn't it retry given the keyingtries parameter?
3. Is it recommended that only one side should do rekeying (i.e. set rekey=no on the other)?
Regards
Steve Lee
Steve Lee
Senior Architect
Phone: +44 (0)7474 647674
www.zynstra.com
Zynstra is a private limited company registered in England and Wales (registered number 07864369). Our registered office is 5 New Street Square, London, EC4A 3TW and our headquarters are at Bath Ventures, Broad Quay, Bath, BA1 1UD.
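The following is an added example, not code from the post or from the strongSwan project. It models the rekey-time randomisation that the configuration above relies on, so that the first question (why collisions keep happening despite rekeyfuzz) can be reasoned about with numbers. The model is an assumption drawn from the documented meaning of rekeyfuzz (the margin is randomly increased by up to that percentage, so the rekey fires somewhere in a window of width rekeymargin * rekeyfuzz before keylife - rekeymargin); it is not a reading of strongSwan's source, and the seeds and trial counts are constructed. It shows three cases side by side: independent randomness on both peers, identical random state on both peers (the "built from the same image" concern), and rekeying disabled on one side.

```python
"""Model of rekey-time jitter for two IKE peers (added example, not strongSwan code)."""
import random
import re

# Constructed sample: the ipsec.conf fragment quoted in the post.
SAMPLE_CONF = """
ikelifetime=3h
keylife=1h
rekeymargin=9m
keyingtries=%forever
rekeyfuzz=100%
reauth=no
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """Convert an ipsec.conf duration such as '9m' or '3h' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", text.strip())
    if not m:
        raise ValueError("bad duration: %r" % text)
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def parse_conf(text):
    """Parse 'key=value' lines into a dict; blank or malformed lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def rekey_window(keylife, margin, fuzz_pct):
    """Earliest and latest rekey time in seconds after SA setup.

    Assumption (from the rekeyfuzz documentation, not the source): the rekey
    is scheduled at keylife - margin, brought forward by a random amount of
    up to margin * fuzz_pct / 100.
    """
    latest = keylife - margin
    earliest = latest - margin * fuzz_pct // 100
    return earliest, latest


def schedule_rekey(keylife, margin, fuzz_pct, rng):
    """Pick one randomised rekey time (whole seconds) from the window."""
    earliest, latest = rekey_window(keylife, margin, fuzz_pct)
    return rng.randint(earliest, latest)


def collision_rate(conf, trials, seed_a, seed_b, both_rekey=True, tolerance=1):
    """Fraction of rekeys where both peers fire within `tolerance` seconds.

    Peer A and peer B each draw from their own RNG.  Giving both peers the
    same seed models hosts whose random state is identical; setting
    both_rekey=False models rekey=no on peer B.
    """
    keylife = parse_duration(conf["keylife"])
    margin = parse_duration(conf["rekeymargin"])
    fuzz_pct = int(conf["rekeyfuzz"].rstrip("%"))
    rng_a = random.Random(seed_a)
    rng_b = random.Random(seed_b)
    hits = 0
    for _ in range(trials):
        t_a = schedule_rekey(keylife, margin, fuzz_pct, rng_a)
        if not both_rekey:
            continue  # only peer A ever initiates, so no simultaneous rekey
        t_b = schedule_rekey(keylife, margin, fuzz_pct, rng_b)
        if abs(t_a - t_b) <= tolerance:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("rekey window (s):", rekey_window(3600, 540, 100))
    print("independent RNGs :", collision_rate(conf, 20000, seed_a=1, seed_b=2))
    print("identical RNGs   :", collision_rate(conf, 20000, seed_a=1, seed_b=1))
    print("rekey=no on B    :", collision_rate(conf, 20000, 1, 2, both_rekey=False))
```

With keylife=1h, rekeymargin=9m and rekeyfuzz=100% the window is 42 to 51 minutes after setup, so two peers drawing independently land within a second of each other on well under 1% of rekeys; across many tunnels rekeying hourly that still adds up to occasional collisions per day, whereas identical random state on both hosts makes every rekey collide, and disabling rekeying on one side removes the race entirely. IKEv2 (RFC 7296, section 2.8.1) resolves a simultaneous CHILD_SA rekey by having the peer that supplied the lower nonce discard its new SA, so a collision should be survivable; a tunnel that stays down afterwards is worth investigating at that step of the exchange with debug logging.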