[strongSwan] Problem with 'auto=start' on unused SA

Emeric POUPON emeric.poupon at stormshield.eu
Thu Jul 31 09:38:10 CEST 2014


Hello,

Yes you are right about the rekeymargin, but that was set for another test.

I have the feeling there is something wrong in the 'auto=start' behavior, since you can easily end up with a CHILD SA down as long as the IKE SA is not reset.

As far as I understand, there is no way to keep a tunnel up and running forever?

Regards,
Emeric


----- Original Message -----
From: "Martin Willi" <martin at strongswan.org>
To: "Emeric POUPON" <emeric.poupon at stormshield.eu>
Cc: users at lists.strongswan.org
Sent: Wednesday 30 July 2014 18:07:19
Subject: Re: [strongSwan] Problem with 'auto=start' on unused SA

Hi,

> 	rekeymargin=1s

At least for productive setups, you definitely should avoid such short
margins. Not unlikely that rekeying does not complete within that
second. The kernel then triggers a delete before the SA has been
rekeyed.

> If I send some traffic in order to trigger the SP, I get a SADB_ACQUIRE
> message from the kernel but strongswan complains there is no trap set.
> 
> This sounds like a bug, I mean 'start' would imply 'route'. But maybe I
> missed something? 

No, "start" does not imply "route". It just negotiates the tunnel, but
removes any IPsec policy if it is closed. Only with "route" you'll get
persistent trap policies.

Unfortunately, there is no "start+route", hence you'll have to stick
with "route". That does not trigger the tunnel immediately if there is
no traffic, but this is usually not a problem. If you instantly need
that tunnel, you'll have to trigger it manually, for example with "ipsec
up" or by generating matching traffic.

Regards
Martin
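To make the difference Martin describes concrete, here is an added ipsec.conf fragment (not part of the thread, and not strongSwan's own documentation) that puts the problematic settings next to the recommended ones. The connection names, addresses, subnets and certificate file are constructed placeholders.

```ini
# Added example, not from the original thread: two strongSwan ipsec.conf
# conn sections contrasting auto=start with auto=route.
# All names, addresses, subnets and the cert file are placeholders.

# Weak variant.
# auto=start negotiates the CHILD_SA at daemon start, but installs no
# persistent trap policy: once the CHILD_SA is deleted (for instance
# after a rekey that failed to complete), the IPsec policy is removed
# with it and matching traffic no longer raises an ACQUIRE.
# rekeymargin=1s makes that failure likely, since rekeying rarely
# finishes within one second before the kernel expires the SA.
conn net-net-start
    keyexchange=ikev2
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    leftcert=gatewayA.pem
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    auto=start
    rekeymargin=1s

# Recommended variant.
# auto=route installs trap policies for 10.1.0.0/16 <-> 10.2.0.0/16 and
# keeps them even when no SA exists. The first packet that matches the
# policy triggers the tunnel, and the same happens again after a
# CHILD_SA goes down, so the tunnel is re-established on demand.
# rekeymargin is left at strongSwan's default (9m against a 1h lifetime)
# so a rekey has time to complete before the old SA expires.
conn net-net-route
    keyexchange=ikev2
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    leftcert=gatewayA.pem
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    auto=route
```

With the route variant the tunnel is only brought up when traffic matches, so if it must exist immediately after startup, bring it up explicitly with "ipsec up net-net-route" or send matching traffic, as Martin notes.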


