[strongSwan] VICI: Stale SAs found even after unloading the connection.

Vignesh Kesavan Vignesh.Kesavan at riverbed.com
Wed Apr 4 12:21:02 CEST 2018


We are using strongSwan 5.5.3 and the VICI Python library to program IPsec tunnels.

We use the load_conn/unload_conn APIs to configure/delete a tunnel from strongSwan respectively.

This problem arises when we try to unload a tunnel which is in CONNECTING state. On issuing unload_conn, the connection is getting deleted (verified using swanctl --list-conns). But the SA continues to exist and charon retries to establish the tunnel (verified using swanctl --list-sas). Ideally we expect the SA to get deleted after unload.

Please find attached the Python script that we used to simulate the problem. The destination used in the script is not a reachable host, so the tunnel is in connecting state. In this state, after calling unload_conn, the connection is getting deleted. But the SA exists.

Please suggest a way to overcome this problem.

1. We tried calling the terminate API before calling unload. Even that didn't help. We ended up with the same behavior (can be seen from the attached logs (python_output.txt)).
2. This problem is not seen on tunnels which are in established state. unload_conn deletes the connection and SAs properly.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180404/d9d422ad/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: load.py
Type: application/octet-stream
Size: 1693 bytes
Desc: load.py
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180404/d9d422ad/attachment.obj>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: charon_logs.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180404/d9d422ad/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: python_output.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180404/d9d422ad/attachment-0001.txt>
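The sequence the post describes (load_conn, initiate against an unreachable peer, unload_conn, then check list_sas for leftovers), written out as an added example. This is not the poster's load.py and not strongSwan project code; it assumes the strongSwan `vici` Python package, a local charon with the vici plugin on its default socket, and that the terminate command accepts the `force` and `timeout` keys documented in the VICI README. The connection name, addresses and identities are made up for the example, and the helper that inspects list_sas output is pure so it can be exercised without a daemon.

```python
"""Load, initiate, unload, then verify that no IKE_SA for the connection is left.

Added example (not the original post's load.py).  Assumes the `vici` package
and a running charon; CONN_NAME, addresses and ids are invented for the demo.
"""

CONN_NAME = "vici-test"  # assumed connection name, not from the post

# 192.0.2.1 is TEST-NET-1 and never answers, so the IKE_SA sits in CONNECTING.
# No PSK is loaded on purpose: IKE_SA_INIT goes out before IKE_AUTH needs it,
# which is enough to reproduce the CONNECTING state.
CONN = {
    CONN_NAME: {
        "version": "2",
        "remote_addrs": ["192.0.2.1"],
        "local": {"auth": "psk", "id": "left@example.org"},
        "remote": {"auth": "psk", "id": "right@example.org"},
        "children": {
            "net": {"local_ts": ["10.1.0.0/24"], "remote_ts": ["10.2.0.0/24"]},
        },
    }
}


def _text(value):
    """VICI hands back values as bytes; normalise to str for comparisons."""
    return value.decode() if isinstance(value, bytes) else value


def leftover_sas(list_sas_output, conn_name):
    """Return [(unique_id, state), ...] for every IKE_SA belonging to conn_name.

    list_sas_output is what Session.list_sas() yields: one dict per IKE_SA,
    keyed by the connection name, with 'uniqueid' and 'state' among its fields.
    """
    found = []
    for entry in list_sas_output:
        for name, sa in entry.items():
            if _text(name) == conn_name:
                found.append((_text(sa["uniqueid"]), _text(sa["state"])))
    return found


def unload_and_verify(session, conn_name, force=True):
    """Unload the config, then terminate any IKE_SA charon still lists for it.

    unload_conn only removes the configuration.  Returns a pair:
    (SAs found right after unload, SAs still present after terminate).
    'force' asks charon not to wait for a DELETE acknowledgement, which an
    unreachable peer can never send (assumption: 'force'/'timeout' keys as in
    the VICI README; timeout is in milliseconds).
    """
    session.unload_conn({"name": conn_name})
    after_unload = leftover_sas(session.list_sas(), conn_name)
    for unique_id, _state in after_unload:
        request = {"ike-id": unique_id, "timeout": "2000"}
        if force:
            request["force"] = "yes"
        # terminate() streams control-log events; it must be consumed to finish.
        for _ in session.terminate(request):
            pass
    after_terminate = leftover_sas(session.list_sas(), conn_name)
    return after_unload, after_terminate


def main():
    import vici  # imported here so the pure helpers above load without the package

    session = vici.Session()
    session.load_conn(CONN)
    try:
        # Give up after one second; against TEST-NET-1 this raises, and the
        # IKE_SA is left in CONNECTING with charon still retransmitting.
        for _ in session.initiate({"child": "net", "timeout": "1000"}):
            pass
    except vici.CommandException as err:
        print("initiate did not complete (expected):", err)
    after_unload, after_terminate = unload_and_verify(session, CONN_NAME)
    print("SAs listed right after unload_conn:", after_unload or "none")
    print("SAs still listed after terminate:", after_terminate or "none")


if __name__ == "__main__":
    main()
```

The second element of the pair returned by unload_and_verify is the useful signal: an empty list means the forced terminate cleaned up, a non-empty one means charon re-created or kept the SA and the issue described in the post is still present on that build.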
