[strongSwan] up-host not always executed

Martin Willi martin at strongswan.org
Wed Nov 12 10:28:13 CET 2014


Hi Elmar,

> With Strongswan v5 (U5.2.1/K3.14.17-SMP) sometimes if a rekey happens
> (not sure, when exactly) the down-Script will be executed, but not the
> up-script.

strongSwan actually does not execute the updown() script for
CHILD_SA/Quick Mode rekeying, as the SA stays the same. 

> We have played with the options "rekey" and "reauth", but it doesn't
> change anything.

IKEv1 does not know the concept of rekeying for ISAKMP-SAs, it always
re-authenticates. Further, updown() hooks do not get invoked, either, as
the Quick Modes get just migrated to the new ISAKMP-SA, but stay intact.

> charon: 09[IKE] <chbet2_aa|79> closing CHILD_SA chbet2_aa{3} with SPIs c9e5d10b_i (0 bytes) c5c00be6_o (216656 bytes) and TS 10.10.110.1 === 10.10.120.1 
> updown.sh: Stopping gre tunnel chbet2_aa
> chbet1fw01 charon: 12[IKE] <chbet2_aa|79> CHILD_SA chbet2_aa{3} established with SPIs cf6022da_i cf5223e2_o and TS 10.10.110.1 === 10.10.120.1

Hard to say what exactly goes wrong without a more detailed log. Would
be interesting to see what exactly happens, which peer starts rekeying
etc.

To make sure IKEv1 Quick Mode rekeying works as expected, you should
make sure that:
      * Rekey lifetimes (lifetime, rekeymargin, rekeyfuzz) are exactly
        the same on your peers
      * left/rightsubnets are configured with the same subnets, i.e. no
        implicit narrowing takes place.

If that is not the case, charon might have difficulty correctly
detecting rekeying, and may not invoke the hooks correctly.

Regards
Martin
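The two checks above (identical rekey lifetimes on both peers, and left/rightsubnet mirrored exactly so no implicit narrowing happens) can be automated against the two peers' ipsec.conf files. The script below is an added example, not part of the original post or of strongSwan; the two config fragments are constructed samples, the conn name is taken from the quoted log, and the fallback defaults assumed for unset lifetime keys are strongSwan's documented ones.

```python
import re

# Constructed sample ipsec.conf fragments for the two peers (not from the post).
PEER_A = """\
conn chbet2_aa
    keyexchange=ikev1
    leftsubnet=10.10.110.1/32
    rightsubnet=10.10.120.1/32
    lifetime=1h
    rekeymargin=3m
    rekeyfuzz=100%
"""
PEER_B = """\
conn chbet2_aa
    keyexchange=ikev1
    leftsubnet=10.10.120.1/32
    rightsubnet=10.10.110.0/24
    lifetime=1h
"""

# Assumed defaults when a key is not set (strongSwan ipsec.conf defaults).
DEFAULTS = {"lifetime": "1h", "rekeymargin": "9m", "rekeyfuzz": "100%"}
# Subnets must match crosswise: my leftsubnet is the peer's rightsubnet.
MIRRORED = (("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet"))

def parse_conn(text, name):
    """Return the key=value settings of the named conn section."""
    settings, current = {}, None
    for line in text.splitlines():
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        if current == name and line[:1].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def check_rekey_symmetry(conf_a, conf_b, name):
    """List settings that differ between peers in a way that confuses
    Quick Mode rekey detection; an empty list means the conn is symmetric."""
    a, b = parse_conn(conf_a, name), parse_conn(conf_b, name)
    problems = []
    for key, default in DEFAULTS.items():
        if a.get(key, default) != b.get(key, default):
            problems.append(f"{key}: {a.get(key, default)} vs {b.get(key, default)}")
    for mine, theirs in MIRRORED:
        if a.get(mine) != b.get(theirs):
            problems.append(f"{mine}/{theirs}: {a.get(mine)} vs {b.get(theirs)} (implicit narrowing)")
    return problems

if __name__ == "__main__":
    for p in check_rekey_symmetry(PEER_A, PEER_B, "chbet2_aa"):
        print("MISMATCH", p)
```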
