[strongSwan] Data transfer stops
Tobias Brunner
tobias at strongswan.org
Fri Aug 4 17:31:56 CEST 2017
Hi Yuri,

> I changed logging settings as you suggested. Full logs are in attachments.

Thanks. What lifetimes did you configure now? It seems the CHILD_SAs
are rekeyed immediately after they got established (i.e. the settings
you mentioned in your first email can't be in use here).

Anyway, I think I see what the problem is. With the new rekeying code
the old inbound IPsec SA will remain in the kernel for a few seconds in
order to process delayed packets (the default is 5 seconds, which can be
configured via charon.delete_rekeyed_delay). During that time the
CHILD_SA object remains in state CHILD_DELETING. However, CHILD_SAs in
that state will prevent the IKE_SA from getting reauthenticated ("unable
to reauthenticate in CHILD_SA DELETING state, delaying for Xs" is
logged). Because with your rekey lifetimes there is always a CHILD_SA
in state CHILD_DELETING (actually multiple, as they are rekeyed
immediately after establishing) the IKE_SA is never replaced until it
finally is destroyed due to the hard lifetime. I'd say with normal
rekey timings this shouldn't be a problem (i.e. when there is enough
time to retry the reauthentication before the IKE_SA is terminated if
such a collision should occur). It's also no issue if you use IKE
rekeying (reauth=no) as CHILD_SAs are then migrated.

Regards,
Tobias
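The symptom Tobias describes is visible in the charon log as the same IKE_SA being told "unable to reauthenticate in CHILD_SA DELETING state, delaying for Xs" over and over until its hard lifetime kills it. The following script is an added example for operators, not code from the thread or from the strongSwan project: it scans log lines for that message, groups the postponements per IKE_SA, and flags SAs whose reauthentication keeps being pushed back. The message text and the `<name|id>` IKE_SA prefix are as charon prints them; the syslog-style timestamp/host prefix in the constructed sample lines and the `min_attempts` threshold are assumptions. The small `always_in_deleting` helper expresses the reasoning in the reply: if CHILD_SAs are rekeyed faster than `charon.delete_rekeyed_delay` lets the old ones expire, there is always a CHILD_SA in CHILD_DELETING and reauthentication can never proceed.

```python
import re
from collections import defaultdict

# Matches the charon message quoted in the reply. "<name|id>" is the IKE_SA
# name and unique id as charon logs them; everything before it (syslog
# timestamp, host, thread/group prefix) is ignored, so the prefix format is
# not assumed beyond "the message appears somewhere on the line".
REAUTH_DELAY_RE = re.compile(
    r"<(?P<name>[^|>]+)\|(?P<id>\d+)> unable to reauthenticate in CHILD_SA "
    r"DELETING state, delaying for (?P<secs>\d+)s"
)

# Constructed sample log excerpt (not from the attachments in the thread).
# site-a is postponed four times, site-b only once.
SAMPLE_LOG = """\
Aug  4 17:20:01 gw charon: 05[IKE] <site-a|1> unable to reauthenticate in CHILD_SA DELETING state, delaying for 10s
Aug  4 17:20:11 gw charon: 07[IKE] <site-a|1> unable to reauthenticate in CHILD_SA DELETING state, delaying for 10s
Aug  4 17:20:21 gw charon: 09[IKE] <site-a|1> unable to reauthenticate in CHILD_SA DELETING state, delaying for 10s
Aug  4 17:20:31 gw charon: 11[IKE] <site-b|2> unable to reauthenticate in CHILD_SA DELETING state, delaying for 10s
Aug  4 17:20:41 gw charon: 13[IKE] <site-a|1> unable to reauthenticate in CHILD_SA DELETING state, delaying for 10s
"""


def parse_reauth_delays(lines):
    """Return {(ike_name, ike_id): [delay_seconds, ...]} for every postponed
    reauthentication found in the given log lines, in log order."""
    delays = defaultdict(list)
    for line in lines:
        m = REAUTH_DELAY_RE.search(line)
        if m:
            delays[(m["name"], int(m["id"]))].append(int(m["secs"]))
    return dict(delays)


def starved_ike_sas(delays, min_attempts=3):
    """Return the IKE_SAs whose reauthentication was postponed at least
    min_attempts times (threshold is an assumption), with the number of
    attempts and the total time spent waiting. Repeated postponements on
    one IKE_SA are the pattern from the reply: a CHILD_SA is always in
    CHILD_DELETING, so the IKE_SA is never replaced before its hard
    lifetime expires."""
    return {
        key: {"attempts": len(secs), "total_delay_s": sum(secs)}
        for key, secs in delays.items()
        if len(secs) >= min_attempts
    }


def always_in_deleting(child_rekey_interval_s, delete_rekeyed_delay_s=5):
    """True if a CHILD_SA is rekeyed again before the previous old inbound SA
    has left the kernel, i.e. some CHILD_SA is always in CHILD_DELETING.
    5 s is the charon.delete_rekeyed_delay default named in the reply."""
    return child_rekey_interval_s <= delete_rekeyed_delay_s


if __name__ == "__main__":
    found = parse_reauth_delays(SAMPLE_LOG.splitlines())
    for (name, ike_id), info in starved_ike_sas(found).items():
        print(f"IKE_SA {name}[{ike_id}]: reauth postponed {info['attempts']}x, "
              f"{info['total_delay_s']}s waited; check rekey lifetimes or use reauth=no")
    print("CHILD_SA rekeyed every 2s with 5s delete delay ->",
          "always a CHILD_SA in DELETING" if always_in_deleting(2) else "fine")
```

Run it against a real charon log with `parse_reauth_delays(open("/var/log/daemon.log").read().splitlines())` (path assumed); an IKE_SA that shows up in `starved_ike_sas` is the case from this thread, and the fixes are the ones Tobias names: sane CHILD_SA rekey lifetimes so a retry fits before the IKE_SA hard lifetime, or `reauth=no` so CHILD_SAs are migrated instead of blocking reauthentication.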