[strongSwan] Tunnel stability issues after upgrade from 4.5.2 to 5.5.1

Martijn Grendelman martijn.grendelman at isaac.nl
Wed Mar 7 21:38:02 CET 2018 

Hi Tom,

Thank you, I will give that a try. I also updated StrongSwan to v5.6.2.
Let's see if it helps!

Best regards,
Martijn.

Op 7-3-2018 om 16:35 schreef Tom Rymes:
> Martin,
>
> I can't help with the more technical portions of your query, but I can
> confirm that using auto=route has proven to be more reliable than
> auto=start, as a dropped tunnel seems more likely to be brought back
> up automatically.
>
> I had asked specifically about that setting a few years ago, and this
> is the advice I received:
>
> https://lists.strongswan.org/pipermail/users/2015-July/008552.html
>
> Tom
>
> On Mar 7, 2018, at 1:53 AM, Martijn Grendelman
> <martijn.grendelman at isaac.nl <mailto:martijn.grendelman at isaac.nl>> wrote:
>
>> Hi,
>>
>> I have been running StrongSwan on Debian Wheezy (with StrongSwan 4.5.2)
>> for a long time. We have about 70 ESP tunnels with 19 different
>> endpoints, most of them IKEv1. The setup has been rock solid for years,
>> with tunnel outages being extremely rare, and almost always the remote
>> side's fault.
>>
>> Last week, I upgraded the system to Debian Stretch (with StrongSwan
>> 5.5.1), and since then, a number of tunnels (but not all of them) have
>> stability issues. The issue appears to be that CHILD_SA's are not
>> established when needed, or they disappear after some time. I haven't
>> really discovered a pattern, and I'm a bit overwhelmed by Charon's
>> logging output at higher levels. The problems are restricted to IKEv1
>> connections, IKEv2 connections seem unaffected. There don't seem to be
>> any issues establishing IKE SAs.
>>
>> Since I didn't make any changes to the configuration in the course of
>> the upgrade, I can imagine that my config is not up to the standards of
>> version 5. I pasted relevant parts of my config below. Are there things
>> that can be improved?
>>
>> I am sorry I can't be more concrete. I am mostly looking for pointers on
>> how to solve the issues.
>>
>> If I want to know why a CHILD_SA is not established, what logging
>> settings should I use? I'd like some pointers to what kind of messages
>> to look for, and at what level from which subsystem they would be
>> logged. Currently, I have this:
>>
>>         /var/log/charon.log {
>>             time_format = %b %e %T
>>             ike_name = yes
>>             append = yes
>>             default = 1
>>             cfg = 4
>>             net = 0
>>             flush_line = yes
>>         }
>>
>> The problem is, that with 70 tunnels, raising the default log level
>> higher than 1 leads to A LOT of logging (GBs / day) which quickly
>> becomes hard to digest.
>>
>> Here are my 'default' config and some config samples for connections
>> that suffer from these problems. The example describes two tunnels to
>> the same endpoint. Only 'leftsubnet' differs. In total, there are 16
>> tunnels to this endpoint, all sharing the same IKE SA. They only differ
>> in left- and rightsubnet. Does this make sense?
>>
>> conn %default
>>         ikelifetime=8h
>>         keylife=1h
>>         rekeymargin=9m
>>         authby=secret
>>         keyexchange=ikev2
>>         mobike=no
>>         auto=start
>>         leftfirewall=no
>>         lefthostaccess=no
>>         closeaction=restart
>>         dpdaction=restart
>>         keyingtries=%forever
>>
>> conn hq_uk_b4a
>>         left=<left ip>
>>         leftsubnet=172.17.1.0/24
>>         right=<right ip>
>>         rightsubnet=10.53.13.0/24
>>         ike=aes256-sha1-modp1024
>>         esp=aes256-sha1-modp1024
>>         keyexchange=ikev1
>>         ikelifetime=8h
>>
>> conn hq_uk_b4b
>>         left=<left ip>
>>         leftsubnet=172.17.5.0/24
>>         right=<right ip>
>>         rightsubnet=10.53.13.0/24
>>         ike=aes256-sha1-modp1024
>>         esp=aes256-sha1-modp1024
>>         keyexchange=ikev1
>>         ikelifetime=8h
>>
>> Hoping for some useful pointers...
>>
>> Best regards,
>> Martijn Grendelman.
>>

-- 
Met vriendelijke groet,
Kind regards,
Martijn <mailto:martijn.grendelman at isaac.nl> 		
Martijn Grendelman  Infrastructure Architect  
T: +31 (0)40 264 94 44   

ISAAC <https://www.isaac.nl> 		
Marconilaan 16   5621 AA Eindhoven   The Netherlands
T: +31 (0)40 290 89 79   www.isaac.nl <https://www.isaac.nl>

Dit e-mail bericht is alleen bestemd voor de geadresseerde(n). Indien
dit bericht niet voor u is bedoeld wordt u verzocht de afzender hiervan
op de hoogte te stellen door het bericht te retourneren en de inhoud
niet te gebruiken. Aan dit bericht kunnen geen rechten worden ontleend.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180307/ea825a57/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: genafmjnlglobffj.gif
Type: image/gif
Size: 43 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180307/ea825a57/attachment-0003.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nddkeddgooaoiehh.gif
Type: image/gif
Size: 6155 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180307/ea825a57/attachment-0004.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ggdogfdnnehphlca.gif
Type: image/gif
Size: 2826 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180307/ea825a57/attachment-0005.gif>

More information about the Users mailing list