[strongSwan] Tunnel stability issues after upgrade from 4.5.2 to 5.5.1

Justin Pryzby pryzby at telsasoft.com
Wed Mar 7 22:20:29 CET 2018


On Wed, Mar 07, 2018 at 10:52:54AM +0100, Martijn Grendelman wrote:
> I have been running StrongSwan on Debian Wheezy (with StrongSwan 4.5.2)
> for a long time.
[...]

> Last week, I upgraded the system to Debian Stretch (with StrongSwan
> 5.5.1), and since then, a number of tunnels (but not all of them) have
> stability issues. The issue appears to be that CHILD_SA's are not
> established when needed,

Maybe you know that in 5.0, IKEv1 was integrated into charon and the separate
pluto daemon was retired:
https://www.strongswan.org/blog/2012/07/02/strongswan-5.0.0-released.html
https://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1
https://www.strongswan.org/blog/2012/06/20/bye-bye-pluto.html
https://wiki.strongswan.org/projects/strongswan/wiki/500

Just wondering: do all the tunnels with issues have multiple child SAs (or, do
the tunnels without issues all have only one child SA)?

I recently reported an issue here, also related to a migration/update from 4.5,
and started to suspect that multiple child SAs may be involved.
https://wiki.strongswan.org/issues/2535

Note, I believe swanctl.conf allows configuring child SAs to use separate IKEs,
avoiding the non-configurable behavior in starter+ipsec.conf: "added child to
existing configuration". However, that doesn't work for everyone (us) due to
unique policy on remote peers.

Justin

