[strongSwan] VICI: Stale SAs found even after unloading the connection.

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Apr 5 18:44:10 CEST 2018


Hello Vignesh,

That is intended and normal behaviour. It is not a problem. You can implement your desired behaviour by terminating the IKE SAs with the connection configuration's name.

Kind regards

Noel

On 04.04.2018 12:21, Vignesh Kesavan wrote:
>
> Hi,
>
> We are using strongSwan 5.5.3 and the VICI python library to program IPsec tunnels.
>
> We use the load_conn/unload_conn APIs to configure/delete a tunnel in strongSwan respectively.
>
> This problem arises when we try to unload a tunnel which is in CONNECTING state. On issuing unload_conn, the connection is getting deleted (verified using swanctl --list-conns). But the SA continues to exist and charon retries to establish the tunnel (verified using swanctl --list-sas). Ideally we expect the SA to get deleted after unload.
>
> Please find attached the python script that we used to simulate the problem. The destination used in the script (10.10.10.1) is not a reachable host, so the tunnel is in connecting state. In this state, after calling unload_conn, the connection is getting deleted. But the SA exists.
>
> Please suggest a way to overcome this problem.
>
> Note:
>
> 1. We tried calling the terminate API before calling unload. Even that didn't help. We ended in the same behavior (can be seen from the logs attached (python_output.txt)).
>
> 2. This problem is not seen on tunnels which are in established state. unload_conn deletes the connection and SAs properly.
>
> Thanks
>
> Vignesh
>
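An added example (not from either poster) of the sequence Noel describes with the python vici binding: terminate the IKE_SAs by the connection configuration's name, then unload the config and confirm with list-sas that nothing of that name remains. It assumes charon is reachable on the default VICI socket, that the connection name is "tunnel-1" (a placeholder), and that the terminate command accepts the force and timeout keys; the session object only needs the terminate(), unload_conn() and list_sas() methods, so a test double with that interface can be passed in instead of a live session.

```python
"""Terminate IKE_SAs by connection name, then unload the config (vici python).

Assumed setup: charon reachable via the default VICI socket and the connection
loaded under the given name. The session object only needs the vici.Session
methods terminate(), unload_conn() and list_sas(), so any object with that
interface can be passed in.
"""
import sys


def _s(value):
    """VICI responses carry values as bytes; normalise to str for comparisons."""
    return value.decode("utf-8") if isinstance(value, bytes) else str(value)


def ike_sa_names(session):
    """Names of all IKE_SAs charon currently has (any state, CONNECTING included)."""
    names = set()
    for entry in session.list_sas():
        names.update(_s(name) for name in entry)  # each entry is {name: {...}}
    return names


def terminate_and_unload(session, name, timeout_ms=3000):
    """Terminate every IKE_SA named `name`, unload the config, verify nothing is left.

    Returns (clean, log_lines): clean is True if no IKE_SA of that name remains.
    """
    request = {
        "ike": name,                 # terminate by configuration name
        "force": "yes",              # assumption: skip the DELETE exchange (peer unreachable)
        "timeout": str(timeout_ms),  # assumption: stop waiting after this many ms
    }
    # terminate() is a streamed request yielding control-log events. In the python
    # binding it is a generator, so the command is only sent once it is iterated:
    # drain it fully instead of discarding the return value.
    log_lines = [_s(event.get("msg", b"")) for event in session.terminate(request)]
    session.unload_conn({"name": name})
    clean = name not in ike_sa_names(session)
    return clean, log_lines


if __name__ == "__main__":
    import vici  # real binding, only needed when talking to a live charon
    conn = sys.argv[1] if len(sys.argv) > 1 else "tunnel-1"  # placeholder name
    ok, lines = terminate_and_unload(vici.Session(), conn)
    print("\n".join(lines))
    print("clean" if ok else "stale IKE_SA still present for %s" % conn)
```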
