[strongSwan] VICI: Stale SA's found even after unloading the connection.

Vignesh Kesavan Vignesh.Kesavan at riverbed.com
Sun Apr 8 14:17:42 CEST 2018


Hi Noel, 

Thanks for your reply. 

As mentioned in the previous mail, we did try using the vici terminate API before calling unload to flush the stale entry, but the problem still exists (logs attached in the previous mail). Is there any other API to terminate the session?

Also, can you please help me understand why there is a difference in behavior between unload_conn of sessions in the established and connecting states?

Thanks
Vignesh Kesavan

-----Original Message-----
From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml at thermi.consulting] 
Sent: Thursday, April 05, 2018 10:14 PM
To: Vignesh Kesavan <Vignesh.Kesavan at riverbed.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] VICI: Stale SA's found even after unloading the connection.

Hello Vignesh,

That is intended and normal behaviour. It is not a problem. You can implement your desired behaviour by terminating the IKE SAs with the connection configuration's name.

Kind regards

Noel

On 04.04.2018 12:21, Vignesh Kesavan wrote:
>
> Hi,
>
> We are using strongSwan 5.5.3 and the VICI Python library to program IPsec tunnels.
>
> We use the load_conn/unload_conn APIs to configure/delete a tunnel in strongSwan, respectively.
>
> This problem arises when we try to unload a tunnel which is in the CONNECTING state. On issuing unload_conn, the connection is deleted (verified using swanctl --list-conns), but the SA continues to exist and charon retries to establish the tunnel (verified using swanctl --list-sas). Ideally we expect the SA to be deleted after unload.
>
> Please find attached the Python script that we used to simulate the problem. The destination used in the script (10.10.10.1) is not a reachable host, so the tunnel is in the connecting state. In this state, after calling unload_conn, the connection is deleted, but the SA exists.
>
> Please suggest a way to overcome this problem.
>
> Note:
>
> 1. We tried calling the terminate API before calling unload. Even that didn't help; we ended up with the same behavior (can be seen from the attached logs (python_output.txt)).
>
> 2. This problem is not seen on tunnels which are in the established state. unload_conn deletes the connection and SAs properly.
>
> Thanks
>
> Vignesh
>
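The sequence Noel suggests, as an added example that is not part of the thread: terminate the IKE_SAs by the connection name first, then unload the connection, and check with list_sas that nothing with that name is left. It assumes the strongSwan vici Python bindings (a vici.Session-like object offering terminate(), unload_conn() and list_sas()); the connection name tun1 and the 5000 ms timeout are assumed values.

```python
# Added example, not code from the thread or from strongSwan itself.
# `session` is any object behaving like vici.Session: terminate(),
# unload_conn() and list_sas() with the vici message dicts shown below.


def _sa_names(session):
    """Names of the IKE_SAs charon currently holds.

    list_sas() streams one dict per IKE_SA, keyed by the SA (connection) name;
    keys are accepted as str or bytes depending on the bindings' version."""
    names = []
    for sa in session.list_sas():
        names.extend(k.decode() if isinstance(k, bytes) else k for k in sa)
    return names


def remove_connection(session, name, timeout_ms=5000):
    """Terminate every IKE_SA named `name`, then unload the connection.

    Returns True when no IKE_SA with that name remains afterwards."""
    # terminate is a streamed vici command; the Python bindings implement it
    # as a generator, so the request only goes out once the generator is
    # consumed. Iterating it (and discarding the control-log events) is
    # therefore required, not optional.
    # A CONNECTING SA has no established peer to exchange a DELETE with, so
    # charon drops it locally; 'timeout' (ms, as a string) makes the command
    # wait for that to happen instead of returning at once.
    if name in _sa_names(session):
        for _log in session.terminate({"ike": name, "timeout": str(timeout_ms)}):
            pass
    # Only now remove the configuration, so charon has nothing left to retry.
    session.unload_conn({"name": name})
    return name not in _sa_names(session)


if __name__ == "__main__":
    import vici  # real bindings, only needed against a running charon

    print(remove_connection(vici.Session(), "tun1"))  # "tun1" is an assumed name
```

Calling terminate for a name with no matching IKE_SA makes charon report failure (the bindings raise on it), which is why the function checks list_sas before terminating.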

