[strongSwan] Problem with 'auto=start' on unused SA
Emeric POUPON
emeric.poupon at stormshield.eu
Wed Jul 30 16:49:49 CEST 2014
Hello,
I'm running a FreeBSD kernel and strongswan 5.2.0 using the pfkeyv2 interface.
I have an annoying behavior on this connection:
----
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup

conn %default
    ikelifetime=3m
    keylife=30s
    rekeymargin=1s
    keyingtries=%forever
    keyexchange=ikev2
    mobike=no

conn net-net
    left=172.18.0.54
    leftcert=sn_2.cert.pem
    leftid=sn_2@strongswan.org
    leftsubnet=172.54.0.0/16
    right=172.18.0.53
    rightid=sn_1@strongswan.org
    rightsubnet=172.53.0.0/16
    auto=start
----
Notice the very low keylife.
The connection is successfully established and the SAD and SPD are properly populated in the FreeBSD kernel.
If the SA is used, I get a SADB_EXPIRE message from the kernel and the CHILD SA is rekeyed.
If the SA is not used:
- the SA pair is flushed once the 'hard' kernel timeout is reached.
- 'ipsec statusall' shows the CHILD SA is in state 'rekeying active' but nothing happens
If I send some traffic in order to trigger the SP, I get a SADB_ACQUIRE message from the kernel but strongswan complains there is no trap set.
I have to wait for the IKE SA to be rekeyed in order for the CHILD_SA to be established again.
This sounds like a bug, I mean 'start' would imply 'route'. But maybe I missed something?
What do you think?
Regards,
Emeric Poupon