[strongSwan] Tunnel stability issues after upgrade from 4.5.2 to 5.5.1

Martijn Grendelman martijn.grendelman at isaac.nl
Wed Mar 7 10:52:54 CET 2018


Hi,

I have been running StrongSwan on Debian Wheezy (with StrongSwan 4.5.2)
for a long time. We have about 70 ESP tunnels with 19 different
endpoints, most of them IKEv1. The setup has been rock solid for years,
with tunnel outages being extremely rare, and almost always the remote
side's fault.

Last week, I upgraded the system to Debian Stretch (with StrongSwan
5.5.1), and since then, a number of tunnels (but not all of them) have
stability issues. The issue appears to be that CHILD_SAs are not
established when needed, or they disappear after some time. I haven't
really discovered a pattern, and I'm a bit overwhelmed by Charon's
logging output at higher levels. The problems are restricted to IKEv1
connections; IKEv2 connections seem unaffected. There don't seem to be
any issues establishing IKE SAs.

Since I didn't make any changes to the configuration in the course of
the upgrade, I can imagine that my config is not up to the standards of
version 5. I pasted relevant parts of my config below. Are there things
that can be improved?

I am sorry I can't be more concrete. I am mostly looking for pointers on
how to solve the issues.

If I want to know why a CHILD_SA is not established, what logging
settings should I use? I'd like some pointers to what kind of messages
to look for, and at what level from which subsystem they would be
logged. Currently, I have this:

        /var/log/charon.log {
            time_format = %b %e %T
            ike_name = yes
            append = yes
            default = 1
            cfg = 4
            net = 0
            flush_line = yes
        }

The problem is that with 70 tunnels, raising the default log level
higher than 1 leads to A LOT of logging (GBs / day) which quickly
becomes hard to digest.

Here are my 'default' config and some config samples for connections
that suffer from these problems. The example describes two tunnels to
the same endpoint. Only 'leftsubnet' differs. In total, there are 16
tunnels to this endpoint, all sharing the same IKE SA. They only differ
in left- and rightsubnet. Does this make sense?

conn %default
        ikelifetime=8h
        keylife=1h
        rekeymargin=9m
        authby=secret
        keyexchange=ikev2
        mobike=no
        auto=start
        leftfirewall=no
        lefthostaccess=no
        closeaction=restart
        dpdaction=restart
        keyingtries=%forever

conn hq_uk_b4a
        left=<left ip>
        leftsubnet=172.17.1.0/24
        right=<right ip>
        rightsubnet=10.53.13.0/24
        ike=aes256-sha1-modp1024
        esp=aes256-sha1-modp1024
        keyexchange=ikev1
        ikelifetime=8h

conn hq_uk_b4b
        left=<left ip>
        leftsubnet=172.17.5.0/24
        right=<right ip>
        rightsubnet=10.53.13.0/24
        ike=aes256-sha1-modp1024
        esp=aes256-sha1-modp1024
        keyexchange=ikev1
        ikelifetime=8h

Hoping for some useful pointers...

Best regards,
Martijn Grendelman.
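An added example, not part of the original post and not strongSwan project code: a small triage script for a charon.log written with the filelog settings quoted above (time_format = %b %e %T, ike_name = yes). It keeps only the CHILD_SA lifecycle messages and reports, per connection, how many times a CHILD_SA came up or was closed and whether the last known state is up. The sample log lines are constructed; the message wording ("CHILD_SA name{id} established", "closing/deleting CHILD_SA name{id}", "no matching CHILD_SA config found") is my assumption of what charon 5.x logs at IKE level 1, so adjust the patterns if your log differs. Function names (parse_events, summarize, tunnels_down) are mine.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the format produced by the poster's filelog section:
# "<%b %e %T> <thread>[<group>] <ike-name|ike-id> <message>".
# Message texts are assumed to match strongSwan 5.x charon output.
SAMPLE_LOG = """\
Mar  7 09:00:01 05[IKE] <hq_uk_b4a|3> CHILD_SA hq_uk_b4a{5} established with SPIs c1d2e3f4_i a1b2c3d4_o and TS 172.17.1.0/24 === 10.53.13.0/24
Mar  7 09:00:01 06[IKE] <hq_uk_b4b|3> CHILD_SA hq_uk_b4b{6} established with SPIs c5d6e7f8_i a5b6c7d8_o and TS 172.17.5.0/24 === 10.53.13.0/24
Mar  7 09:55:10 07[IKE] <hq_uk_b4a|3> closing CHILD_SA hq_uk_b4a{5} with SPIs c1d2e3f4_i a1b2c3d4_o and TS 172.17.1.0/24 === 10.53.13.0/24
Mar  7 09:55:11 07[IKE] <hq_uk_b4a|3> CHILD_SA hq_uk_b4a{7} established with SPIs c9d0e1f2_i a9b0c1d2_o and TS 172.17.1.0/24 === 10.53.13.0/24
Mar  7 10:20:30 08[IKE] <hq_uk_b4b|3> closing CHILD_SA hq_uk_b4b{6} with SPIs c5d6e7f8_i a5b6c7d8_o and TS 172.17.5.0/24 === 10.53.13.0/24
Mar  7 10:21:00 09[IKE] <hq_uk_b4b|3> retransmit 1 of request with message ID 12
Mar  7 10:30:00 10[IKE] <hq_uk_b4a|3> no matching CHILD_SA config found for 172.17.9.0/24 === 10.53.13.0/24
"""

# One log line: timestamp, thread, subsystem, IKE_SA name and id, message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \d+\[(?P<group>\w+)\] '
    r'<(?P<ike>[^|>]+)\|(?P<ike_id>\d+)> (?P<msg>.*)$'
)

# CHILD_SA lifecycle messages we care about (assumed wording, see lead-in).
EVENT_RES = [
    ("established", re.compile(r'CHILD_SA (?P<name>[^{\s]+)\{(?P<id>\d+)\} established')),
    ("closed", re.compile(r'(?:closing|deleting) CHILD_SA (?P<name>[^{\s]+)\{(?P<id>\d+)\}')),
    ("no_config", re.compile(r'no matching CHILD_SA config found')),
]


def parse_events(log_text):
    """Return a list of CHILD_SA events; every other line is ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for kind, rx in EVENT_RES:
            e = rx.search(m["msg"])
            if e:
                groups = e.groupdict()
                events.append({
                    "ts": m["ts"],
                    "ike": m["ike"],
                    "ike_id": int(m["ike_id"]),
                    "kind": kind,
                    # A "no matching config" line names no child; attribute
                    # it to the IKE_SA it arrived on.
                    "child": groups.get("name") or m["ike"],
                    "child_id": int(groups["id"]) if groups.get("id") else None,
                })
                break
    return events


def summarize(events):
    """Per connection name: event counts, last event time, and whether the
    most recent establish/close event left the tunnel up."""
    summary = defaultdict(lambda: {"established": 0, "closed": 0,
                                   "no_config": 0, "last": None, "up": False})
    for ev in events:
        s = summary[ev["child"]]
        s[ev["kind"]] += 1
        s["last"] = ev["ts"]
        if ev["kind"] in ("established", "closed"):
            s["up"] = ev["kind"] == "established"
    return dict(summary)


def tunnels_down(summary):
    """Names whose last lifecycle event was a close, i.e. not re-established."""
    return sorted(name for name, s in summary.items() if not s["up"])


if __name__ == "__main__":
    # Usage: python3 triage.py /var/log/charon.log  (no argument: sample data)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    summary = summarize(parse_events(text))
    for name, s in sorted(summary.items()):
        print(f"{name}: up={s['up']} established={s['established']} "
              f"closed={s['closed']} no_config={s['no_config']} last={s['last']}")
    print("down:", ", ".join(tunnels_down(summary)) or "none")
```

Run it against a day's log to see which of the 70 connections end up in the "down" list and at what time their last CHILD_SA was closed; that narrows the window in which to raise the `ike` and `cfg` levels for a single connection instead of reading gigabytes of level-2 output.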
