[strongSwan] Lots of reconnections for a rekey/reauth, and packet drops

Hoggins! hoggins at radiom.fr
Wed Nov 29 10:12:17 CET 2017

Hello Noel,

Thanks for these insights !

Le 28/11/2017 à 23:30, Noel Kuntze a écrit :
> Hi,
>>     Nov 28 16:52:29 yomama charon: 06[KNL] creating delete job for
>>     CHILD_SA ESP/0xc4bd0735/
>>     Nov 28 16:52:29 yomama charon: 06[JOB] CHILD_SA
>>     ESP/0xc4bd0735/ not found for delete
> Whatever causes these problems is your root cause and needs to be fixed.
I had indeed narrowed down my attention on this but I couldn't find any
litterature or example of other people experiencing this, so I'm kinda
stuck because I don't know why this happens, although I'm aware that
this "needs to be fixed" :)
>>     Nov 28 16:52:29 yomama charon: 10[CHD] updown: /bin/sh: ipsec:
>>     command not found
> Also, what are you doing in the updown script?
Absolutely nothing, I don't have an updown script (or didn't define
any), my guess is that what's happening here is this :
https://wiki.strongswan.org/issues/745. My StrongSwan installation is in
/usr/local, that would explain it, right ?
>>     Nov 28 16:52:29 yomama charon: 05[IKE] received DELETE for IKE_SA
>>     net-net[6]
> What are the logs on the other side?
> I guess this all happens because the two sides disagree in what IKE_SA and CHILD_SA to use.
Yes, that's my guess too, but I can't figure out why considering my
ipsec.conf. And oh by the way I upgraded StrongSwan on NODE 1 and now
they're both 5.6.x.
Just happened again (it does it at every reauth interval), here are the
logs for both nodes :
NODE 1 : https://pastebin.com/hYWL9dBy
NODE 2 : https://pastebin.com/NDbj8MRQ
> Kind regards
> Noel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 191 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171129/5d3aa33d/attachment.sig>

More information about the Users mailing list