[strongSwan] Output hangs, eventually completes

Martin Willi martin at strongswan.org
Tue Oct 14 10:22:48 CEST 2014


Hi,

> From the client, I ssh to the server to do work. I use this VPN without
> issue for many minutes. Then I perform some command like ‘ps -ef’ or
> ‘vi foo’ and the VPN output hangs. While ‘hung’, from another shell
> session I still see heartbeats on the VPN. If I wait around long enough
> (30 minutes or less), output from the command eventually is fully
> written after which I see a shell prompt.

Sounds like you are losing packets on your SSH TCP connection for some
time, and then after the problem is solved your connection comes back
to life.

The question is whether you see any IKE activity (rekeying etc.) during
the "hung" and "restore" events. The strongSwan log should give you more
information about what exactly is going on during these events.

> While hung in one shell, using a different shell, I can connect to the
> same machine over the same VPN and work normally.

This implies that the connection on the IP level is ok, but something is
wrong on your TCP session layer; likely related to your virtual IP.

As you are using (the default) re-authentication, your IKE_SA gets
periodically re-negotiated. As this procedure includes the removal and
addition of your virtual IP, it is not unlikely that your TCP session
over that same IP breaks.

I'd recommend setting reauth=no to see if that helps. This should make
sure your virtual IP does not get reinstalled. The IKE_SA still gets
fresh key material, but the peer certificates don't get re-evaluated
periodically.

Regards
Martin
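
One way to follow the advice above about checking the log around the
"hung" and "restore" events, as an added example that is not part of the
original message: a small script that lists re-authentication, rekeying
and virtual IP lines falling inside the hang window. The syslog timestamp
layout, the wording of the sample log lines and the function names are
assumptions; adjust the patterns to what your own log contains.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log: syslog-style lines; the charon wording is an assumption.
SAMPLE_LOG = """\
Oct 14 09:12:03 client charon: 11[IKE] sending keep alive
Oct 14 09:41:17 client charon: 09[IKE] reauthenticating IKE_SA home[1]
Oct 14 09:41:17 client charon: 09[IKE] deleting IKE_SA home[1]
Oct 14 09:41:18 client charon: 13[IKE] installing new virtual IP 10.3.0.5
Oct 14 09:41:18 client charon: 13[IKE] IKE_SA home[2] established
Oct 14 10:05:40 client charon: 07[IKE] sending keep alive
"""

# Keywords for the IKE activity the reply asks about (first match wins).
EVENT_PATTERNS = [
    ("reauth", re.compile(r"reauthenticat", re.I)),
    ("rekey", re.compile(r"rekey", re.I)),
    ("virtual-ip", re.compile(r"virtual IP", re.I)),
]

def parse_events(log_text, year):
    """Return (timestamp, kind, line) for every line matching a pattern."""
    events = []
    for line in log_text.splitlines():
        try:
            # Syslog timestamps carry no year, so the caller supplies it.
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        except ValueError:
            continue  # not a timestamped line
        for kind, pattern in EVENT_PATTERNS:
            if pattern.search(line):
                events.append((ts, kind, line))
                break
    return events

def ike_activity_around(log_text, hung_at, restored_at, year,
                        slack=timedelta(minutes=5)):
    """IKE events between the hang and the restore, widened by `slack`
    because a hang is only noticed at the next command after the break."""
    lo, hi = hung_at - slack, restored_at + slack
    return [e for e in parse_events(log_text, year) if lo <= e[0] <= hi]

if __name__ == "__main__":
    hits = ike_activity_around(SAMPLE_LOG, datetime(2014, 10, 14, 9, 42),
                               datetime(2014, 10, 14, 10, 5), 2014)
    for ts, kind, line in hits:
        print(ts.isoformat(), kind, line, sep=" | ")
```

If the hits cluster just before each hang and include a virtual IP
reinstall, that supports trying reauth=no as suggested above.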


