[strongSwan] VICI: Stale SA's found even after unloading the connection.
Vignesh Kesavan
Vignesh.Kesavan at riverbed.com
Wed Apr 4 12:21:02 CEST 2018
Hi,
We are using strongSwan 5.5.3 and the VICI Python library to program IPsec tunnels.
We use the load_conn/unload_conn APIs to configure/delete a tunnel from strongSwan, respectively.
This problem arises when we try to unload a tunnel which is in the CONNECTING state. On issuing unload_conn, the connection gets deleted (verified using swanctl --list-conns). But the SA continues to exist and charon retries to establish the tunnel (verified using swanctl --list-sas). Ideally, we expect the SA to get deleted after the unload.
Please find attached the Python script that we used to simulate the problem. The destination used in the script (10.10.10.1) is not a reachable host, so the tunnel is in the connecting state. In this state, after calling unload_conn, the connection gets deleted, but the SA still exists.
Please suggest a way to overcome this problem.
Note:
1. We tried calling the terminate API before calling unload. Even that didn't help. We ended up with the same behavior (this can be seen from the attached logs (python_output.txt)).
2. This problem is not seen on tunnels which are in the established state. unload_conn deletes the connection and SAs properly.
Thanks
Vignesh
-------------- next part --------------
A non-text attachment was scrubbed...
Name: load.py
Type: application/octet-stream
Size: 1693 bytes
Desc: load.py
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180404/d9d422ad/attachment.obj>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: charon_logs.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180404/d9d422ad/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: python_output.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180404/d9d422ad/attachment-0001.txt>
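
The check described in the post (a connection gone from the connection list while its SA is still listed) can be automated. The following is an added example, not part of the original post or its scrubbed load.py attachment. It assumes each item yielded by the vici Python list_conns() and list_sas() calls is a dict of the form {name: {field: value}}; the connection names site-a and site-b and all sample values are constructed.

```python
# Added example: flag IKE SAs whose connection is no longer loaded.
# Assumed input shape (modelled on the vici Python bindings): each item
# yielded by list_conns() / list_sas() is a dict {name: {field: value}}.

def _text(value, default=""):
    """vici values arrive as bytes under Python 3; accept str as well."""
    if value is None:
        return default
    if isinstance(value, bytes):
        return value.decode("utf-8", "replace")
    return str(value)


def find_stale_sas(conns, sas):
    """Return a summary of every IKE SA whose name matches no loaded connection."""
    loaded = {name for item in conns for name in item}
    stale = []
    for item in sas:
        for name, sa in item.items():
            if name in loaded:
                continue
            stale.append({
                "name": name,
                "uniqueid": _text(sa.get("uniqueid")),
                "state": _text(sa.get("state"), "UNKNOWN"),
                "remote-host": _text(sa.get("remote-host")),
            })
    return stale


# Constructed sample data: "site-a" was unloaded while CONNECTING towards the
# unreachable peer from the post; "site-b" is still loaded and established.
SAMPLE_CONNS = [{"site-b": {"remote_addrs": [b"192.0.2.20"]}}]
SAMPLE_SAS = [
    {"site-a": {"uniqueid": b"7", "state": b"CONNECTING",
                "remote-host": b"10.10.10.1"}},
    {"site-b": {"uniqueid": b"3", "state": b"ESTABLISHED",
                "remote-host": b"192.0.2.20"}},
]

if __name__ == "__main__":
    for sa in find_stale_sas(SAMPLE_CONNS, SAMPLE_SAS):
        print("stale IKE SA %s (id %s, %s) -> %s"
              % (sa["name"], sa["uniqueid"], sa["state"], sa["remote-host"]))
```

Against a running charon, the same function can be fed the generators returned by a vici Session's list_conns() and list_sas() after each unload_conn call.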