[strongSwan] Data transfer stops

Tobias Brunner tobias at strongswan.org
Fri Aug 4 17:31:56 CEST 2017

Hi Yuri,

> I changed logging settings as you suggested. Full logs are in attachments.

Thanks.  What lifetimes did you configure now?  It seems the CHILD_SAs
are rekeyed immediately after they got established (i.e. the settings
you mentioned in your first email can't be in use here).

Anyway, I think I see what the problem is.  With the new rekeying code
the old inbound IPsec SA will remain in the kernel for a few seconds in
order to process delayed packets (the default is 5 seconds, which can be
configured via charon.delete_rekeyed_delay).  During that time the
CHILD_SA object remains in state CHILD_DELETING.  However, CHILD_SAs in
that state will prevent the IKE_SA from getting reauthenticated ("unable
to reauthenticate in CHILD_SA DELETING state, delaying for Xs" is
logged).  Because with your rekey lifetimes there is always a CHILD_SA
in state CHILD_DELETING (actually multiple, as they are rekeyed
immediately after establishing) the IKE_SA is never replaced until it
finally is destroyed due to the hard lifetime.  I'd say with normal
rekey timings this shouldn't be a problem (i.e. when there is enough
time to retry the reauthentication before the IKE_SA is terminated if
such a collision should occur).  It's also no issue if you use IKE
rekeying (reauth=no) as CHILD_SAs are then migrated.


More information about the Users mailing list