[strongSwan] Lots of reconnections for a rekey/reauth, and packet drops

Hoggins! hoggins at radiom.fr
Fri Dec 1 10:50:47 CET 2017

Hello Tobias,

Le 30/11/2017 à 18:16, Tobias Brunner a écrit :
> Hi,
> Combining reauthentication with closeaction=restart is a bad idea.  Note
> that reauth=no does not disable reauthentication if the other peer has
> reauth=yes configured, see [1].

Yes, I removed the reauth=no option. It had been kept here because it
was a "good" option to avoid packet losses when reauthenticating, but
then we discovered the "make_before_break" that had seemed to solve our
And reading the "closeaction" documentation shows that adding it to our
configuration was not our smartest move : I guess that our client tried
to restart the connection when it received a legit CLOSE action, as it's
the normal behavior when renewing, but then there was two parallel
attempts, which is not a good thing and might have caused our problem.

I just applied these new settings and restarted StrongSwan, I'll keep
you posted.

Thanks !

> Regards,
> Tobias
> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#IKEv2-Responder-Behavior

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 191 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171201/4a739d50/attachment.sig>

More information about the Users mailing list