[strongSwan] MOBIKE task got stuck Strongswan version 5.3.2

Simon Chan sialnije at gmail.com
Fri May 5 08:11:40 CEST 2017


Greetings,

One of our remote devices was broken and went offline a month ago. A couple
of days ago, when we tried to bring up the replacement, it failed to set up
the child SA because the subnets were (and still are) in use.

ipsec status shows:
. . .
originalclient[4099]: ESTABLISHED 33 days ago, 10.1.1.1[10.1.1.1]...10.2.2.2[originalclient] NATT 4500
originalclient[4099]: IKEv2 SPIs: 773a315624330d4a_i 5c30dafa06974fc2_r*, rekeying disabled
originalclient[4099]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
originalclient[4099]: Tasks queued: IKE_DELETE IKE_DELETE IKE_DELETE IKE_DELETE IKE_DELETE
originalclient[4099]: Tasks active: IKE_MOBIKE
originalclient{8958}:  INSTALLED, TUNNEL, reqid 1990, ESP in UDP SPIs: c3eef4a7_i caca026c_o
originalclient{8958}:  AES_GCM_16_128, 48 bytes_i (1 pkt, 2860607s ago), 48 bytes_o (1 pkt, 2860609s ago), rekeying disabled
originalclient{8958}:   10.10.10.0/24 === 10.20.20.0/24

There are many other connections with "Tasks active: IKE_MOBIKE". But they
do not have "Tasks queued: IKE_DELETE IKE_DELETE ...".

Can someone help with the questions below about MOBIKE tasks:
1. Any guesses on how a MOBIKE task gets stuck and won't time out? Should
there be on-going retries?
2. I think charon is still sending keepalive messages to the peers with the
MOBIKE task active, but no DPD is sent. This behavior seems to create the
situation that tunnels stay connected but they really died long ago.
3. Following Q2, DPD won't do any good because the MOBIKE task seems to
have higher priority than delete. Is this behavior fixed in 5.5 recently
(issues/1410)?
4. I need to support remote devices doing a MOBIKE switch but I don't want
the VPN server in the office to perform a MOBIKE switch. It is futile. There
is no secondary internet interface to switch to. Chaos ensues when charon
tries to find alternate paths on 1000 tunnels. And apparently it can leave
behind stuck MOBIKE tasks killing DPD. Can development team members point
out where I can tweak the source code to silently ignore MOBIKE jobs? If I
put mobike=no in ipsec.conf I think remote peers won't be able to do a
MOBIKE switch.

Thanks a lot.
sialnije
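Added example, not part of the post above and not strongSwan code: a small Python check that parses ipsec status output as charon prints it (one record per line, so email-wrapped lines must be rejoined first) and flags IKE_SAs whose IKE_DELETE tasks sit queued behind an active IKE_MOBIKE task, or whose child SAs have received no inbound ESP for longer than a threshold. The sample status text, the healthy[4100] connection and the 3600 s idle threshold are constructed assumptions.

```python
import re

# Constructed sample modelled on the status excerpt in the post (one record per line).
STATUS = """\
originalclient[4099]: ESTABLISHED 33 days ago, 10.1.1.1[10.1.1.1]...10.2.2.2[originalclient] NATT 4500
originalclient[4099]: Tasks queued: IKE_DELETE IKE_DELETE IKE_DELETE IKE_DELETE IKE_DELETE
originalclient[4099]: Tasks active: IKE_MOBIKE
originalclient{8958}:  AES_GCM_16_128, 48 bytes_i (1 pkt, 2860607s ago), 48 bytes_o (1 pkt, 2860609s ago), rekeying disabled
healthy[4100]: ESTABLISHED 2 hours ago, 10.1.1.1[10.1.1.1]...10.3.3.3[healthy] NATT 4500
healthy[4100]: Tasks active: IKE_MOBIKE
healthy{8959}:  AES_GCM_16_128, 9120 bytes_i (76 pkts, 12s ago), 8800 bytes_o (70 pkts, 12s ago)
"""
IKE_RE = re.compile(r"^(?P<name>[^\[\s]+)\[(?P<id>\d+)\]:\s*(?P<rest>.*)$")    # name[id]: ...
CHILD_RE = re.compile(r"^(?P<name>[^\{\s]+)\{(?P<id>\d+)\}:\s*(?P<rest>.*)$")  # name{id}: ...
AGE_RE = re.compile(r"bytes_i \(\d+ pkts?, (?P<age>\d+)s ago\)")               # inbound idle age

def parse_status(text):
    # Group lines into IKE_SAs: active tasks, queued tasks, and inbound idle age of each child SA.
    sas, last = {}, {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            key = (m["name"], int(m["id"]))
            sa = sas.setdefault(key, {"active": [], "queued": [], "idle_in": []})
            last[m["name"]] = key          # child SAs are listed under their IKE_SA
            rest = m["rest"]
            if rest.startswith("Tasks active:"):
                sa["active"] += rest.split(":", 1)[1].split()
            elif rest.startswith("Tasks queued:"):
                sa["queued"] += rest.split(":", 1)[1].split()
            continue
        m = CHILD_RE.match(line)
        if m and m["name"] in last:
            age = AGE_RE.search(m["rest"])
            if age:                        # "0 bytes_i" has no age and is skipped
                sas[last[m["name"]]]["idle_in"].append(int(age["age"]))
    return sas

def find_stuck_sas(text, max_idle_s=3600):
    # Return [(name, id, reasons)] for IKE_SAs that look stuck or whose peer looks dead.
    findings = []
    for (name, sa_id), sa in parse_status(text).items():
        reasons = []
        if "IKE_MOBIKE" in sa["active"] and "IKE_DELETE" in sa["queued"]:
            reasons.append("%d IKE_DELETE queued behind active IKE_MOBIKE"
                           % sa["queued"].count("IKE_DELETE"))
        idle = min(sa["idle_in"], default=None)   # freshest child decides liveness
        if idle is not None and idle > max_idle_s:
            reasons.append("no inbound ESP for %ds" % idle)
        if reasons:
            findings.append((name, sa_id, reasons))
    return findings
```

Feed it the output of `ipsec status` from a cron job and alert on any finding; the second reason fires independently of the first, so it also catches dead peers whose IKE_SA has no queued deletes.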