[strongSwan] why multiple INSTALLED TUNNEL ???

Tobias Brunner tobias at strongswan.org
Tue Apr 2 10:21:33 CEST 2019


Hi Jens,

> But after hours/days I have "hundreds" of these tunnels and they are
> getting more and more until I restart the daemon (on the client).
> 
> Why does this happen?
> 
> What would be the correct dpdaction or closeaction (if this is the problem)?

If the connection is closed or the peer is not reachable anymore and the
existing SAs are recreated, there won't be any IPsec SA installed in the
kernel for a while.  Due to the trap policies (auto=route) another
CHILD_SA might be triggered if matching traffic is sent by the client.
If this happens multiple times, more and more CHILD_SAs will be
(re-)created.  So with auto=route setting the above options to 'clear'
is currently better (however, note that the SAs will then only be
recreated once the client sends matching traffic).  The same can happen
if trap policies are used with break-before-make reauthentication (the
default when using ipsec.conf, see [1]), so maybe using reauth=no is
also a good idea (or switching to make-before-break reauthentication if
the peer supports it).

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
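As an added illustration (not part of the reply above or of the strongSwan project's own examples), here is an ipsec.conf client connection in the problematic form beside the form the reply recommends; the connection names, the peer hostname and the subnets are assumptions.

```conf
# Added example, not from the mailing list thread. Connection names,
# peer hostname and subnets are assumed values.

# Problematic variant: trap policy (auto=route) combined with restart
# actions. After a peer outage every packet hitting the trap policy can
# trigger another CHILD_SA while the old ones are still being recreated,
# so the number of CHILD_SAs keeps growing.
conn office-bad
    keyexchange=ikev2
    left=%defaultroute
    leftsubnet=10.1.0.0/24
    right=vpn.example.org
    rightsubnet=10.2.0.0/24
    auto=route
    dpddelay=30s
    # recreate SAs on DPD timeout
    dpdaction=restart
    # recreate SAs when the peer closes them
    closeaction=restart
    # reauth is left at its default (yes): break-before-make
    # reauthentication, which also removes the SAs for a moment

# Variant following the reply: let the trap policy re-establish the
# tunnel on demand instead of restarting it from the actions, and avoid
# break-before-make reauthentication.
conn office-good
    keyexchange=ikev2
    left=%defaultroute
    leftsubnet=10.1.0.0/24
    right=vpn.example.org
    rightsubnet=10.2.0.0/24
    auto=route
    dpddelay=30s
    # drop the SAs; the trap policy stays and recreates them only
    # when the client sends matching traffic
    dpdaction=clear
    closeaction=clear
    # rekey the IKE_SA instead of reauthenticating break-before-make
    reauth=no
```

If reauthentication must stay enabled and the peer supports it, the alternative mentioned in the reply is make-before-break reauthentication, enabled with charon.make_before_break = yes in strongswan.conf.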