[strongSwan] IPsec in unstable network

Noel Kuntze noel at familie-kuntze.de
Mon Feb 23 21:50:20 CET 2015


Hello Zesesn,

I think this might be a problem with the code, rather than with the settings.
I would like to get a statement from Tobias or Martin on this, rather than speculation
or some guesses from me.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 22.02.2015 um 02:12 schrieb Zesen Qian:
> Hello Noel:
> Actually I've increased charon.retransmit_tries to 1024 before that log,
> you can see the retransmit count up to 8 (rather than 5 as the default)
> but it still lost the connection.
> Is there any other thing I can do to overcome this type of network? or
> is IPsec designed to work in such a network?
>
> Noel Kuntze <noel at familie-kuntze.de> writes:
>
>> Hello Zesen,
>>
>> After looking at the log, it looks like the state of the IPsec SAs
>> on the two sides got unsynchronized because of the repeated loss of IKE messages.
>> You can't do a lot about this except increase the amount of retransmissions.
>>
>> Mit freundlichen Grüßen/Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> Am 20.02.2015 um 11:34 schrieb Zesen Qian:
>>> Hello list,
>>> I'm using strongswan in an unstable network, by 'unstable' I mean there
>>> may be 5 minutes out of an hour, that I cannot connect to the server.
>>> Most of the time I can establish the connection smoothly, but after
>>> several hours or several days, I lost the connection to server.
>>>
>>> charon.log: https://bpaste.net/show/63b9d0e1dfc6
>>> ipsec.statusall: https://bpaste.net/show/ec586241759a
>>>
>>> At this point I cannot ping hosts on the other side of tunnel, however
>>> if I do an ipsec stop && ipsec start, the tunnel is up and everything
>>> works again.
>>>
>>> Any comment is appreciated.
>>>
