[strongSwan] Lots of reconnections for a rekey/reauth, and packet drops
Hoggins!
hoggins at radiom.fr
Wed Nov 29 10:12:17 CET 2017
Hello Noel,
Thanks for these insights !
Le 28/11/2017 à 23:30, Noel Kuntze a écrit :
> Hi,
>
>> Nov 28 16:52:29 yomama charon: 06[KNL] creating delete job for
>> CHILD_SA ESP/0xc4bd0735/192.168.1.72
>> Nov 28 16:52:29 yomama charon: 06[JOB] CHILD_SA
>> ESP/0xc4bd0735/192.168.1.72 not found for delete
> Whatever causes these problems is your root cause and needs to be fixed.
I had indeed narrowed down my attention on this but I couldn't find any
litterature or example of other people experiencing this, so I'm kinda
stuck because I don't know why this happens, although I'm aware that
this "needs to be fixed" :)
>
>> Nov 28 16:52:29 yomama charon: 10[CHD] updown: /bin/sh: ipsec:
>> command not found
> Also, what are you doing in the updown script?
Absolutely nothing, I don't have an updown script (or didn't define
any), my guess is that what's happening here is this :
https://wiki.strongswan.org/issues/745. My StrongSwan installation is in
/usr/local, that would explain it, right ?
>
>> Nov 28 16:52:29 yomama charon: 05[IKE] received DELETE for IKE_SA
>> net-net[6]
> What are the logs on the other side?
> I guess this all happens because the two sides disagree in what IKE_SA and CHILD_SA to use.
Yes, that's my guess too, but I can't figure out why considering my
ipsec.conf. And oh by the way I upgraded StrongSwan on NODE 1 and now
they're both 5.6.x.
Just happened again (it does it at every reauth interval), here are the
logs for both nodes :
NODE 1 : https://pastebin.com/hYWL9dBy
NODE 2 : https://pastebin.com/NDbj8MRQ
>
> Kind regards
>
> Noel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 191 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171129/5d3aa33d/attachment.sig>
More information about the Users
mailing list