[strongSwan] Some IKEv1 sessions fail to ever establish

Stephen Scheck sscheck.ssni at gmail.com
Wed Sep 20 21:48:58 CEST 2017


Hello,

I've got a strongSwan server setup with several thousand connection
definitions. Occasionally, whenever all clients attempt to connect (also
from a single strongSwan instance), some of them fail to establish and seem
to be "forgotten", never again attempting to reconnect until the strongSwan
processes are restarted.

In the logs for the server, for connections which fail to establish, I see
only entries like these:

[NET] received packet: from 172.17.5.190[500] to 192.168.0.208[500] (204 bytes)
[NET] sending packet: from 192.168.0.208[500] to 172.17.5.190[500] (172 bytes)
[IKE] 172.17.5.190 is initiating a Aggressive Mode IKE_SA
[IKE] 172.17.5.190 is initiating a Aggressive Mode IKE_SA
[CFG] looking for pre-shared key peer configs matching 192.168.0.208...172.17.5.190[CLIENT_172_17_5_190]
[NET] ignoring IKE_SA setup from 172.17.5.190, half open IKE_SA count of 102 exceeds limit of 100
[NET] deleting half open IKE_SA with 172.17.5.190 after timeout

On the client, only the send/receive messages:

[NET] sending packet: from 172.17.5.190[500] to 192.168.0.208[500] (443 bytes)
[NET] received packet: from 192.168.0.208[500] to 172.17.5.190[500] (172 bytes)

In all of the connection definitions on both sides, I've set:

    keyingtries=%forever

I thought this might solve the problem but it does not.

Are there any other settings I might have missed which influence
reconnection/hold-down behavior?

Thanks.
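The server-side log above shows the responder dropping the setup because the half-open IKE_SA count exceeded the configured limit, after which the client never re-initiates. The following script is an added example, not code from the original post or from the strongSwan project: it parses charon log lines of the shape shown above and reports which peers were rejected by the half-open limit and then never reached an "established" line, so an operator can see which clients were stranded rather than discovering them one at a time. The log sample embedded in the script is constructed from the message formats in the post (the "established" line is modelled on charon's usual wording and is an assumption), and the `analyze` function and its report keys are names chosen here.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the charon log lines quoted in the post.
# 172.17.5.190 and 172.17.5.192 are rejected by the half-open limit and never
# establish; 172.17.5.191 gets through. The "established" line follows charon's
# usual format but is an assumption for this example.
SAMPLE_LOG = """\
[NET] received packet: from 172.17.5.190[500] to 192.168.0.208[500] (204 bytes)
[IKE] 172.17.5.190 is initiating a Aggressive Mode IKE_SA
[CFG] looking for pre-shared key peer configs matching 192.168.0.208...172.17.5.190[CLIENT_172_17_5_190]
[NET] ignoring IKE_SA setup from 172.17.5.190, half open IKE_SA count of 102 exceeds limit of 100
[NET] deleting half open IKE_SA with 172.17.5.190 after timeout
[IKE] 172.17.5.191 is initiating a Aggressive Mode IKE_SA
[IKE] IKE_SA CLIENT_172_17_5_191[7] established between 192.168.0.208[srv]...172.17.5.191[CLIENT_172_17_5_191]
[IKE] 172.17.5.192 is initiating a Aggressive Mode IKE_SA
[NET] ignoring IKE_SA setup from 172.17.5.192, half open IKE_SA count of 101 exceeds limit of 100
"""

# Peer starts an IKEv1 exchange (charon logs "a Aggressive Mode" / "a Main Mode").
INIT_RE = re.compile(r"\[IKE\] (\S+) is initiating an? (?:Aggressive|Main) Mode IKE_SA")
# Responder refuses the setup because the half-open IKE_SA limit is exceeded.
REJECT_RE = re.compile(
    r"\[NET\] ignoring IKE_SA setup from (\S+), half open IKE_SA count of (\d+) exceeds limit of (\d+)"
)
# IKE_SA reached the established state; capture the remote address after "...".
ESTAB_RE = re.compile(r"\[IKE\] IKE_SA \S+ established between \S+\.\.\.(\S+?)\[")


def analyze(log_text):
    """Summarise half-open-limit rejections per peer from charon log text.

    Returns a dict with:
      initiated      - sorted peers that started an IKE_SA
      rejected       - peer -> list of (half_open_count, limit) for each drop
      established    - sorted peers that reached "established"
      stranded       - sorted peers rejected at least once and never established
      peak_half_open - highest half-open count seen in a rejection, or 0
      limit          - the configured limit reported in the log, or None
    """
    initiated, established = set(), set()
    rejected = defaultdict(list)
    peak, limit = 0, None

    for line in log_text.splitlines():
        m = INIT_RE.search(line)
        if m:
            initiated.add(m.group(1))
            continue
        m = REJECT_RE.search(line)
        if m:
            peer, count, lim = m.group(1), int(m.group(2)), int(m.group(3))
            rejected[peer].append((count, lim))
            peak = max(peak, count)
            limit = lim
            continue
        m = ESTAB_RE.search(line)
        if m:
            established.add(m.group(1))

    stranded = sorted(p for p in rejected if p not in established)
    return {
        "initiated": sorted(initiated),
        "rejected": dict(rejected),
        "established": sorted(established),
        "stranded": stranded,
        "peak_half_open": peak,
        "limit": limit,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"half-open limit {report['limit']}, peak seen {report['peak_half_open']}")
    for peer in report["stranded"]:
        drops = ", ".join(f"{c}/{l}" for c, l in report["rejected"][peer])
        print(f"stranded peer {peer}: rejected with half-open count {drops}")
```

Run it against a real charon log with `analyze(open("/var/log/charon.log").read())` (path assumed). A peer listed under `stranded` matches the situation in the post: the responder refused it while the half-open count was above the limit, and nothing on the responder side will retry on its behalf, so the initiator is the side that has to attempt again. The `peak_half_open` value shows how far the burst of simultaneous initiations overshot the limit, which is the number to compare against the limit configured on the server when deciding whether to raise it or to stagger client start-up.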