[strongSwan] Tunnel stability issues after upgrade from 4.5.2 to 5.5.1

Martijn Grendelman martijn.grendelman at isaac.nl
Thu Mar 8 13:17:18 CET 2018


Thank you all for responding. In my case, I don't think it was related
to having multiple child SAs per connection. Most of my connections do,
but I found at least one case with only one child SA, where the problem
was present. In any case, I followed Tom's and Noel's advice and set

        auto = route
        dpdaction = clear

and that seems to have solved the issue. Thanks again.

Best regards,
Martijn Grendelman

On 8-3-2018 at 11:46, Noel Kuntze wrote:
> Hi,
> That's because charon doesn't reestablish tunnels in any case, like pluto did. Use auto=route, instead of auto=start.
> An example of such a case is if the other peer deletes the IKE SA or CHILD SA without establishing a new one at the same time.
> You can have different IKE SAs for CHILD_SAs by setting the strongswan.conf option charon.reuse_ikesa to 0.
>>        charon.reuse_ikesa [yes]
>>               Initiate  CHILD_SA  within  existing IKE_SAs (always enabled for
>>               IKEv1).
> Kind regards
> Noel
> On 07.03.2018 22:20, Justin Pryzby wrote:
>> On Wed, Mar 07, 2018 at 10:52:54AM +0100, Martijn Grendelman wrote:
>>> I have been running StrongSwan on Debian Wheezy (with StrongSwan 4.5.2)
>>> for a long time.
>> [...]
>>> Last week, I upgraded the system to Debian Stretch (with StrongSwan
>>> 5.5.1), and since then, a number of tunnels (but not all of them) have
>>> stability issues. The issue appears to be that CHILD_SA's are not
>>> established when needed,
>> Maybe you know that in 5.0, IKEv1 was integrated into charon and separate pluto
>> daemon was retired:
>> https://www.strongswan.org/blog/2012/07/02/strongswan-5.0.0-released.html
>> https://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1
>> https://www.strongswan.org/blog/2012/06/20/bye-bye-pluto.html
>> https://wiki.strongswan.org/projects/strongswan/wiki/500
>> Just wondering: do all the tunnels with issues have multiple child SAs (or,
>> do the tunnels without issues all have only one child SA)?
>> I recently reported an issue here, also related to a migration/update from 4.5,
>> and started to suspect that multiple child SAs may be involved..
>> https://wiki.strongswan.org/issues/2535
>> Note, I believe swanctl.conf allows configuring child SAs to use separate IKEs
>> - avoiding the non-configurable behavior in starter+ipsec.conf: "added child to
>>   existing configuration".  However that doesn't work for everyone (us) due to
>> unique policy on remote peers.
>> Justin

Kind regards,
Martijn Grendelman, Infrastructure Architect
T: +31 (0)40 264 94 44

ISAAC
Marconilaan 16, 5621 AA Eindhoven, The Netherlands
T: +31 (0)40 290 89 79   https://www.isaac.nl

This e-mail message is intended only for the addressee(s). If this
message is not intended for you, you are requested to notify the sender
by returning the message and not to use its contents. No rights can be
derived from this message.
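For readers landing on this thread from a search, here is the combination Martijn ended up with, written out as a complete ipsec.conf conn block. This is an added, constructed example, not Martijn's actual configuration; the connection name, subnets and peer address are placeholders.

```ini
# /etc/ipsec.conf (constructed example; names and addresses are placeholders)
config setup

conn site-to-site-example
    # auto=route installs a trap policy instead of eagerly starting the SA.
    # charon negotiates the tunnel when the first matching outbound packet
    # hits the policy, so a tunnel the peer tore down (deleted IKE_SA or
    # CHILD_SA without replacing it) is re-established on demand.
    auto=route
    # Dead peer detection: when the peer stops answering, clear the SAs.
    # With the trap policy above, the next outbound packet re-triggers
    # negotiation, which is what makes this pair work together.
    dpdaction=clear
    dpddelay=30s
    dpdtimeout=120s
    keyexchange=ikev1
    left=%defaultroute
    leftsubnet=10.0.1.0/24
    right=203.0.113.10
    rightsubnet=10.0.2.0/24
    authby=secret
```

Caveat: a trap policy only fires on traffic leaving this host, so a tunnel that is normally driven by traffic from the remote side comes back only when the remote peer initiates too. If you also want one IKE_SA per CHILD_SA, as Noel describes, that is the separate strongswan.conf setting charon.reuse_ikesa = no, not an ipsec.conf option.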
