[strongSwan] charon dies and leaves core file

Brad Johnson bjohnson at ecessa.com
Fri Oct 23 22:18:54 CEST 2015


Hi Tobias,
I installed your patches [2] and [3] and I am happy to say that it looks 
like that fixed the problem. At least so far I have run my testing all 
day without any charon crashes. We will decide whether to update to 
5.3.3 or just go with these patches for now. Gentoo does not yet support 
a strongSwan 5.3.3 ebuild, but we can create our own if we decide to go 
that way.
Thank you very much for your help.

Kind Regards,
Brad Johnson

On 10/23/2015 08:55 AM, Tobias Brunner wrote:
> Hi Brad,
>
>> I now have a simple way to cause the charon segfault every time:
>> 1. Establish an IKEv2 connection between 2 strongSwan hosts
>> 2. Before it rekeys take down the remote interface
>> 3. After a couple retransmits, after it queues CHILD_REKEY task, bring
>> back up the remote interface
>> 4. You will see "unable to install inbound IPsec SA (SAD) in kernel"
> Did you reduce charon.plugins.kernel-netlink.xfrm_acq_expires?  If the
> value is too low and you have several retransmits the inbound SPI might
> already have expired when the response from the other peer is received.
> Then the inbound SA can't be updated because it was already removed by
> the kernel (this seems to happen in the log you sent in your earlier
> email).  The default value for this setting is 165, which equals the
> default retransmission timeout [1].
>
>> 5. You will see "CHILD_SA rekeying failed, trying again in 26 seconds"
>> right before the segfault
> OK, then I'm pretty sure this crash was fixed with 5.3.3.  The main
> problem was [2] and the call that actually triggers it here was removed
> with [3] (there were some additional changes in the CHILD_SA rekeying
> error handling).
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission
> [2] https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=1729df92
> [3] https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=70c5f1d4
>
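
The relationship between xfrm_acq_expires and the retransmission timeout described in the quoted reply, as an added example (not part of the original thread and not strongSwan code). It assumes the formula and defaults documented on the Retransmission wiki page [1] (charon.retransmit_timeout 4.0, charon.retransmit_base 1.8, charon.retransmit_tries 5) and that the inbound SPI's acquire timer starts when the first request is sent; the function names are hypothetical.

```python
"""Compare the IKE retransmission window with xfrm_acq_expires (added example)."""


def retransmit_schedule(timeout=4.0, base=1.8, tries=5):
    """Return [(send_time, wait)] for the original request plus `tries` retransmits.

    The wait after the n-th send (n = 0 for the original request) is
    timeout * base**n seconds; the peer is given up on once the wait
    after the last retransmit has elapsed.
    """
    schedule, now = [], 0.0
    for n in range(tries + 1):
        wait = timeout * base ** n
        schedule.append((now, wait))
        now += wait
    return schedule


def total_timeout(timeout=4.0, base=1.8, tries=5):
    """Seconds from the first send until the exchange is abandoned."""
    sent, wait = retransmit_schedule(timeout, base, tries)[-1]
    return sent + wait


def doomed_retransmits(acq_expires, timeout=4.0, base=1.8, tries=5):
    """Indexes of sends (0 = original request) made only after the inbound
    SPI has already expired in the kernel, assuming its acquire timer
    started at the first send. A reply to any of these cannot be installed.
    """
    schedule = retransmit_schedule(timeout, base, tries)
    return [i for i, (sent, _) in enumerate(schedule) if sent >= acq_expires]


if __name__ == "__main__":
    print("total retransmission timeout: %.0f s" % total_timeout())
    # 165 is the default named in the thread; 30 is a constructed low value.
    for acq in (165, 30):
        late = doomed_retransmits(acq)
        state = "sends %s come too late" % late if late else "covers every send"
        print("xfrm_acq_expires=%d: %s" % (acq, state))
```
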