[strongSwan] Rekey Collisions

Steve Lee steve.lee at zynstra.com
Thu Jul 31 13:40:38 CEST 2014


The logs I pasted were for the previous night and only for the bit where the collision occurred - I do have the logs for last night but there's rather a lot of it as there are multiple tunnels - I'll run it again with the patch and fewer tunnels.

Running with these parameters now to try to increase the frequency of the problem:

        ikelifetime=15m
        keylife=5m
        rekeymargin=1m
        keyingtries=%forever
        rekeyfuzz=0%
        keyexchange=ikev2
        left=10.0.20.177
        leftcert=/etc/certificates/.intersite.myx509.crt
        leftid="CN=intersite-customer-0000-0003, OU=HAP Customers"
        leftfirewall=yes
        auto=route
        dpdaction=hold
        reauth=no


Thanks
Steve
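As an added example, not code from this thread or from strongSwan, the script below shows how the keylife, rekeymargin and rekeyfuzz values above interact: it estimates how often two peers with identical settings start a CHILD_SA rekey at the same moment. It assumes the rekeymargin/rekeyfuzz rule from the ipsec.conf manual (margin randomly increased by up to rekeyfuzz percent of itself) and a constructed 1 second window in which two crossing CREATE_CHILD_SA requests count as a collision.

```python
import random

# Constructed copies of the CHILD_SA-relevant lines from the ipsec.conf above;
# the second one uses strongSwan's default rekeyfuzz of 100% for comparison.
CONF = {"keylife": "5m", "rekeymargin": "1m", "rekeyfuzz": "0%"}
DEFAULT_FUZZ = {"keylife": "5m", "rekeymargin": "1m", "rekeyfuzz": "100%"}

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """Turn an ipsec.conf time value ('15m', '1h', '90s', '45') into seconds."""
    value = value.strip()
    if value and value[-1] in UNITS:
        return int(value[:-1]) * UNITS[value[-1]]
    return int(value)  # a bare number is seconds


def rekey_time(lifetime, margin, fuzz_percent, rng):
    """Seconds after SA establishment at which one peer starts rekeying.
    Assumed ipsec.conf semantics: rekeymargin is randomly increased by up to
    rekeyfuzz percent of itself, and rekeying starts that long before the
    hard lifetime (keylife for a CHILD_SA, ikelifetime for the IKE_SA)."""
    jitter = rng.uniform(0, margin * fuzz_percent / 100.0)
    return lifetime - (margin + jitter)


def collision_rate(conf, trials=10000, window=1.0, seed=1):
    """Fraction of rekeys in which both peers start within `window` seconds
    of each other (constructed stand-in for the round trip during which two
    CREATE_CHILD_SA requests cross).  Assumes both peers share the same
    settings and established the SA at the same instant."""
    rng = random.Random(seed)
    lifetime = parse_duration(conf["keylife"])
    margin = parse_duration(conf["rekeymargin"])
    fuzz = int(conf["rekeyfuzz"].rstrip("%"))
    hits = sum(
        abs(rekey_time(lifetime, margin, fuzz, rng)
            - rekey_time(lifetime, margin, fuzz, rng)) <= window
        for _ in range(trials)
    )
    return hits / trials


if __name__ == "__main__":
    for name, conf in (("rekeyfuzz=0%", CONF), ("rekeyfuzz=100%", DEFAULT_FUZZ)):
        print(f"{name}: both peers rekey together in "
              f"{collision_rate(conf):.1%} of rekeys")
```

With rekeyfuzz=0% every rekey is scheduled at exactly keylife minus rekeymargin on both sides, so the simulation reports collisions every time, which is why that setting suits reproducing the problem.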

________________________________________
From: Martin Willi <martin at strongswan.org>
Sent: 31 July 2014 11:16
To: Steve Lee
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Rekey Collisions

Steve,

> If you can't see any problem in the log, I'll gather some more data
> next time it happens.

> 15[IKE] CHILD_SA rekey collision lost, deleting rekeyed child

> 13[IKE] CHILD_SA rekey collision won, deleting old child

That all looks like it works as expected. Each peer deletes the CHILD_SA
it should, and the peers should end up with the same rekeyed CHILD_SA.

> the SPIs of the left and right ends match at first but this morning
> they are different.

That's definitely strange. Even if the peers don't agree on the
CHILD_SAs to keep or delete, I don't see why the SAs should be out of
sync.

Did this happen during the log you provided, or can you provide a log
when this happens?
Also, I've attached a patch that adds some additional debugging to check
if we falsely lookup the CHILD_SA by the outbound SPI where this is not
intended. Just a wild guess, not sure if it is related.

> do I just accept that it will and do my best to reduce the likelihood
> of collisions

Even if they happen, it is no issue here. Collisions get resolved just
fine every time for the many collisions I've produced. That should be
true for both 5.1.1 and 5.2.0.

Regards
Martin

