[strongSwan] IPsec in unstable network

Zesen Qian strongswan-users at riaqn.com
Sun Feb 22 02:12:34 CET 2015


Hello Noel:
Actually I've increased charon.retransmit_tries to 1024 before that log,
you can see the retransmit count go up to 8 (rather than 5 as the default),
but it still lost the connection.
Is there any other thing I can do to overcome this type of network? Or
is IPsec designed to work in such a network?

Noel Kuntze <noel at familie-kuntze.de> writes:

> Hello Zesen,
>
> After looking at the log, it looks like the state of the IPsec SAs
> on the two sides got unsynchronized because of the repeated loss of IKE messages.
> You can't do a lot about this except increase the amount of retransmissions.
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 20.02.2015 at 11:34, Zesen Qian wrote:
>> Hello list,
>> I'm using strongswan in an unstable network, by 'unstable' I mean there
>> may be 5 minutes out of an hour, that I cannot connect to the server.
>> Most of the time I can establish the connection smoothly, but after
>> several hours or several days, I lost the connection to the server.
>>
>> charon.log: https://bpaste.net/show/63b9d0e1dfc6
>> ipsec.statusall: https://bpaste.net/show/ec586241759a
>>
>> At this point I cannot ping hosts on the other side of the tunnel, however
>> if I do an ipsec stop && ipsec start, the tunnel is up and everything
>> works again.
>>
>> Any comment is appreciated.
>>
>

-- 
Zesen Qian (钱泽森)
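
The retransmission back-off behind charon.retransmit_tries, as an added example that is not part of the original thread and is not strongSwan code. It assumes strongSwan's documented defaults retransmit_timeout = 4.0 s and retransmit_base = 1.8 (neither appears in the thread) and models the wait after the n-th transmission as timeout * base^n, to show when each retransmit is sent and how many tries outlast a 5-minute outage.

```python
# Added example: model of charon's IKE retransmission back-off.
# Assumptions (not from the thread): retransmit_timeout=4.0, retransmit_base=1.8.
RETRANSMIT_TIMEOUT = 4.0   # seconds before the first retransmit
RETRANSMIT_BASE = 1.8      # exponential back-off factor
DEFAULT_TRIES = 5          # default retransmit count mentioned in the thread


def send_times(tries, timeout=RETRANSMIT_TIMEOUT, base=RETRANSMIT_BASE):
    """Seconds after the original message at which retransmits 1..tries go out."""
    times, elapsed = [], 0.0
    for n in range(tries):
        elapsed += timeout * base ** n   # wait following transmission n
        times.append(elapsed)
    return times


def give_up_after(tries, timeout=RETRANSMIT_TIMEOUT, base=RETRANSMIT_BASE):
    """Seconds until the peer is declared unreachable and the IKE_SA is dropped."""
    last = send_times(tries, timeout, base)[-1] if tries else 0.0
    # One more wait follows the final retransmit before giving up.
    return last + timeout * base ** tries


def tries_to_outlast(outage_seconds, timeout=RETRANSMIT_TIMEOUT,
                     base=RETRANSMIT_BASE):
    """Smallest retransmit_tries whose give-up time exceeds the outage."""
    if timeout <= 0 or base < 1:
        raise ValueError("timeout must be > 0 and base >= 1")
    tries = 0
    while give_up_after(tries, timeout, base) <= outage_seconds:
        tries += 1
    return tries


if __name__ == "__main__":
    for n, t in enumerate(send_times(DEFAULT_TRIES), start=1):
        print(f"retransmit {n} sent at {t:6.1f}s")
    print(f"default gives up after {give_up_after(DEFAULT_TRIES):.0f}s")
    outage = 5 * 60  # the 5-minute outage described in the thread
    print(f"tries needed to outlast {outage}s: {tries_to_outlast(outage)}")
```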

