[strongSwan] Data transfer stops

Yuri Е. Gutnikov gutnikov at rnd.stcnet.ru
Mon Aug 21 17:09:26 CEST 2017 

Hi, Tobias.

I got very high rekey rate because of low values of lifepackets and 
marginpackets parameters. I changed these parameters to

     lifepackets=65535
     marginpackets=6500

and decrease the rekey rate. But data transfer still stops after some 
time (as I can see - after ikelifetime parameter value +- margingtime 
range).

I could agree with your argument about wrong timings in my systems,  but 
how to explain fact that old version of Strongswan (5.3) works normally 
with my set-up? My kernel is not so ancient - it corresponds version 
3.10 (or something like), 2.6.54 - it is RHEL notation.

Sincerely,

Yuri Gutnikov



21.08.2017 15:44, Tobias Brunner пишет:
> Hi Yuri,
>
>> I reproduced situation with our normal lifetimes
>>
>>      ikelifetime=60m
>>      lifetime=20m
>>      margintime=3m
> Something is just not right on your system(s) regarding the timings.
> For instance, on the initiator, the CHILD_SA test1{4339} is established:
>
>> Fri, 2017-08-18 13:44 15[IKE] <test1|1> CHILD_SA test1{4339} established with SPIs c0d6fa14_i c76d59f9_o and TS 10.0.0.1/32 192.168.22.0/24 === 10.0.1.1/32 192.168.23.0/24
> And then the rekeying is triggered pretty much instantly:
>
>> Fri, 2017-08-18 13:44 05[KNL] creating rekey job for CHILD_SA ESP/0xc76d59f9/10.76.7.129
>> ...
>> Fri, 2017-08-18 13:44 10[CHD] <test1|1> CHILD_SA test1{4339} state change: INSTALLED => REKEYING
> So it seems something is either not configured properly, or there is a
> problem with the time functions used here (in the kernel or userland).
> Maybe an issue with your ancient kernel (2.6.54)?
>
> Regards,
> Tobias

-- 
С уважением,
Юрий Гутников
ФГУП "НТЦ"Атлас"

-------------- next part --------------
config setup

conn %default
	ikelifetime=60m
	lifetime=20m
	margintime=3m
	lifepackets=65535
	marginpackets=6500
	rekeyfuzz=100%
	keyingtries=%forever
	keyexchange=ikev2

conn test1
	left=10.76.7.161
	leftcert=hostCert.pem
	leftsubnet=192.168.22.0/24,10.0.0.1/32
	right=10.76.7.129
	rightid="C=RU, O=Atlas, CN=host1.stcnet.ru"
	rightsubnet=192.168.23.0/24,10.0.1.1/32
	auto=add

conn host-host-natt
	left=192.168.0.10
	leftcert=hostCert.pem
	leftsubnet=192.168.1.0/24
	right=192.168.0.11
	rightid="C=RU, O=Atlas, CN=host1.stcnet.ru"
	rightsubnet=192.168.2.0/24
	forceencaps=yes
	auto=add
-------------- next part --------------
A non-text attachment was scrubbed...
Name: initiator_charon.log.bz2
Type: application/x-bzip
Size: 165959 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170821/0142bf8e/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: responder_charon.log.bz2
Type: application/x-bzip
Size: 164511 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170821/0142bf8e/attachment-0003.bin>

More information about the Users mailing list