[strongSwan] Rekey Collisions

Martin Willi martin at strongswan.org
Tue Jul 29 14:33:02 CEST 2014

Hi Steve,

> one or more tunnels seem to stop working

What does that exactly mean? What IKE version are you using?

> After some investigation, it seemed that these coincide with a rekey
> collision where both sides create a rekey jobs at (to the nearest
> second) the same time. When this happens I dont see any specific errors
> in the logs.

If charon detects rekey collisions, it should log that fact. But there
are many different collision scenarios; an excerpt from your log could
certainly help to analyze the issue.

> 1. Why do we keep seeing the collisions, surely the rekeyfuzz would
> make this pretty unlikely or does the way the host were built and/or
> time sync affect the randomness of rekeyfuzz?

Your system time should not have any effect; on most systems charon does
not use the system time anyway to schedule such events.

With your rekeymargin of 9m and 100% fuzz, collisions should be in fact
be very (very) rare. If this is reproducible, something is seriously

For these non-cryptographic operations, charon relies on a getpid() +
time() initialized random() calls. Not sure how your Hypervisor handles

> 2. When we get a collision why dont we see an error and why doesnt it
> retry given the keyingtries parameter?

keyingtries has no effect when handling rekey collisions. I think with
5.1.1 these collisions should be handled properly.

> 3. Is it recommended that only one side should do rekeying (i.e. set
> rekey=no on the other)?

Usually it is not required, as with a sane configuration collisions are
unlikely, and even if they happen should be handled gracefully, at least
between two strongSwan hosts.


More information about the Users mailing list