[strongSwan] Rekey Collisions
steve.lee at zynstra.com
Thu Jul 31 13:40:38 CEST 2014
The logs I pasted were for the previous night and only for the bit where the collision occurred - I do have the logs for last night but there's rather a lot of it as there are multiple tunnels - I'll run it again with the patch and fewer tunnels.
Running with these parameters now to try to increase the frequency of the problem
leftid="CN=intersite-customer-0000-0003, OU=HAP Customers"
From: Martin Willi <martin at strongswan.org>
Sent: 31 July 2014 11:16
To: Steve Lee
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Rekey Collisions
> If you cant see any problem in the log, I'll gather some more data
> next time it happens.
> 15[IKE] CHILD_SA rekey collision lost, deleting rekeyed child
> 13[IKE] CHILD_SA rekey collision won, deleting old child
That all looks like it works as expected. Each peer deletes the CHILD_SA
it should, and the peers should end up with the same rekeyed CHILD_SA.
> the SPIs of the left and right ends match at first but this morning
> they are different.
That's definitely strange. Even if the peers don't agree on the
CHILD_SAs to keep or delete, I don't see why the SAs should be out of
Did this happen during the log you provided, or can you provide a log
when this happens?
Also, I've attached a patch that adds some additional debugging to check
if we falsely lookup the CHILD_SA by the outbound SPI where this is not
intended. Just a wild guess, not sure if it is related.
> do I just accept that it will and do my best to reduce the likelihood
> of collisions
Even if they happen, it is no issue here. Collisions get resolved just
fine every time for the many collisions I've produced. That should be
true for both 5.1.1 and 5.2.0.
More information about the Users