[strongSwan] roadwarrior ike/esp SA are not dropped after lifetime expiration

Marco Berizzi pupilla at hotmail.com
Mon Jan 8 17:12:52 CET 2018


Hello everyone,

I'm running strongSwan 5.6.1 on Slackware Linux 64 bit.
I have found a little problem with my setup. Sometimes
mobile users' main mode and quick mode are not dropped
after the IKE/ESP lifetime. Here is my config setup:

conn rw-mobile
        right=%any
        compress=yes
        leftcert=osw-cert.pem
        leftupdown=/etc/ipsec.d/updown/_updown.strongswan.X11
        keylife=80m
        ikelifetime=8h
        rekey=no
        keyingtries=1
        leftid=fsw-ve at aive.it
        ike=aes128-sha1-modp1024,aes128-sha1-modp2048,aes256-sha384-ecp384
        esp=aes128-sha1-modp1024,aes128-sha1-modp2048,aes256-sha256-ecp384

conn mobile
        also=rw-mobile
        auto=add
        leftsubnet=10.180.0.0/16
        rightsubnet=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10
        left=82.184.99.254

And here is an example of ipsec statusall output:

mobile[393]: ESTABLISHED 3 days ago, 82.184.99.254[CN=Gateway]...195.46.216.198[CN=Jessica]
mobile[393]: IKEv1 SPIs: 15ae977b997e4475_i 3e72597006e642fe_r*, rekeying disabled
mobile[393]: IKE proposal: AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
mobile{298}:  INSTALLED, TUNNEL, reqid 260, ESP in UDP SPIs: c5a4f249_i a21eed36_o
mobile{298}:  AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 20978 bytes_i (365 pkts, 268111s ago), 417068 bytes_o (373 pkts, 268111s ago), rekeying disabled
mobile{298}:   10.180.0.0/16 === 10.247.200.180/32

As you can see, this IKE/ESP SA is not dropped after more
than 74 hours.
The mobile user is defunct, but strongSwan will not remove
that IKE/ESP SA until the user reconnects.

Is this the expected behaviour?
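
A check for the condition reported in this message, as an added example that is not part of the original post and is not strongSwan code: it parses `ipsec statusall` text and reports SAs that have outlived the ikelifetime/keylife values from the posted config. The function name, the regular expressions and the last two sample lines are constructed for illustration.

```python
import re

# Lifetimes from the posted conn section (ikelifetime=8h, keylife=80m), in seconds.
IKE_LIFETIME = 8 * 3600
CHILD_LIFETIME = 80 * 60

UNIT = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
IKE_RE = re.compile(r"^\s*(\S+\[\d+\]): ESTABLISHED (\d+) (second|minute|hour|day)s? ago")
CHILD_RE = re.compile(r"^\s*(\S+\{\d+\}):.*bytes_i")
IDLE_RE = re.compile(r"(\d+)s ago")

# First three lines are copied from the post; the last two are constructed.
SAMPLE = """\
mobile[393]: ESTABLISHED 3 days ago, 82.184.99.254[CN=Gateway]...195.46.216.198[CN=Jessica]
mobile{298}:  INSTALLED, TUNNEL, reqid 260, ESP in UDP SPIs: c5a4f249_i a21eed36_o
mobile{298}:  AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 20978 bytes_i (365 pkts, 268111s ago), 417068 bytes_o (373 pkts, 268111s ago), rekeying disabled
mobile[401]: ESTABLISHED 20 minutes ago, 82.184.99.254[CN=Gateway]...192.0.2.10[CN=Example]
mobile{305}:  AES_CBC_128/HMAC_SHA1_96, 1200 bytes_i (10 pkts, 5s ago), 900 bytes_o (9 pkts, 5s ago), rekeying disabled
"""

def stale_sas(status_text, ike_max=IKE_LIFETIME, child_max=CHILD_LIFETIME):
    """Return [(sa_name, kind, seconds)] for SAs that exceed their lifetime."""
    findings = []
    for line in status_text.splitlines():
        m = IKE_RE.match(line)
        if m:
            age = int(m.group(2)) * UNIT[m.group(3)]
            if age > ike_max:
                findings.append((m.group(1), "IKE", age))
            continue
        m = CHILD_RE.match(line)
        if m:
            # "Ns ago" is the time since the last packet in that direction.
            # The SA is at least as old as its most recent traffic, so the
            # smaller value is a lower bound on the CHILD SA's age.
            idle = [int(s) for s in IDLE_RE.findall(line)]
            if idle and min(idle) > child_max:
                findings.append((m.group(1), "CHILD", min(idle)))
    return findings

if __name__ == "__main__":
    for name, kind, secs in stale_sas(SAMPLE):
        print(f"{name}: {kind} SA past lifetime, at least {secs / 3600:.1f}h old")
```

A CHILD SA line with no packet counters carries no "Ns ago" value, so the check cannot bound its age and skips it.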

