[strongSwan] charon dies and leaves core file
Tobias Brunner
tobias at strongswan.org
Fri Oct 23 15:55:39 CEST 2015
Hi Brad,
> I now have a simple way to cause the charon segfault every time:
> 1. Establish an IKEv2 connection between 2 strongSwan hosts
> 2. Before it rekeys take down the remote interface
> 3. After a couple retransmits, after it queues CHILD_REKEY task, bring
> back up the remote interface
> 4. You will see "unable to install inbound IPsec SA (SAD) in kernel"
Did you reduce charon.plugins.kernel-netlink.xfrm_acq_expires? If the
value is too low and you have several retransmits the inbound SPI might
already have expired when the response from the other peer is received.
Then the inbound SA can't be updated because it was already removed by
the kernel (this seems to happen in the log you sent in your earlier
email). The default value for this setting is 165, which equals the
default retransmission timeout [1].
> 5. You will see "CHILD_SA rekeying failed, trying again in 26 seconds"
> right before the segfault
OK, then I'm pretty sure this crash was fixed with 5.3.3. The main
problem was [2] and the call that actually triggers it here was removed
with [3] (there were some additional changes in the CHILD_SA rekeying
error handling).
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission
[2] https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=1729df92
[3] https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=70c5f1d4
More information about the Users
mailing list