[strongSwan] sending DHCP RELEASE failed: No buffer space available

Harald Dunkel harri at afaics.de
Sat Dec 3 15:42:32 CET 2016


On 12/03/16 14:52, Harald Dunkel wrote:
> Hi folks,
> 
> charon mentions a few lines in syslog every day saying
> 
> sending DHCP RELEASE failed: No buffer space available
> 
> I found https://lists.strongswan.org/pipermail/users/2015-February/007438.html
> but this seems to be a different problem.
> 
> What would be your advice?
> 

PS: Platform is Debian, strongswan 5.5.1. dhcp.conf:

dhcp {
    identity_lease = yes
    interface = eth1
    load = yes
    # server = 255.255.255.255
}

ipsec.conf is attached. Sorry, I should have included this right
from the start.

Usually there are about 15+ road warriors connected, all using
DHCP.


Regards
Harri
-------------- next part --------------
# ipsec.conf - strongSwan IPsec configuration file
# see	https://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf
#	https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

config setup
	# forbid parallel use of certificates (default).
	# uniqueids=never
	# http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
	charondebug="dmn 1, mgr 1, ike 1, chd 1, cfg 1, net 1"

#
# default for all road warrior and P2P IPsec connections
conn %default
	left		= gateway.example.com
	fragmentation	= yes

	leftsubnet	= 10.200.0.0/16
	leftfirewall	= no
	ikelifetime	= 1d
	lifetime	= 1h
	rekey		= yes
	dpdaction	= none		# default: no dead peer detection
	dpddelay	= 30s		# default: 30s
	dpdtimeout	= 150s		# default: 150s, used for IKEv1 only

#
# common road warrior params
conn roadwarrior
	leftcert	= gateway.example.com.pem
	leftsendcert	= always
	dpdaction	= clear
	dpddelay	= 90s
	dpdtimeout	= 300s

#
# IKEv2 using RSA authentication
conn IPSec-IKEv2
	keyexchange	= ikev2
	also		= roadwarrior
	ike		= aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024!
	esp		= aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024,aes256-sha256,aes256-sha1,aes128-sha1!
	right		= %any
	rightsendcert	= ifasked
	rightsourceip	= %dhcp
	lifetime	= 70m		# workaround for rekey annoyance on Windows
	auto		= add

#
# IKEv1 using xauth (i.e. enter password)
conn IPsec-IKEv1
	keyexchange	= ikev1
	# rekey		= no
	also		= roadwarrior
	ike		= aes256-sha1-modp1536!
	esp		= aes256-sha1!
	rightauth	= pubkey
	right		= %any
	rightsourceip	= %dhcp
	rightauth2	= xauth
	auto		= add

### include /var/lib/strongswan/ipsec.conf.inc