[strongSwan] vici/python interface errors
Volodymyr Litovka
doka.ua at gmx.com
Tue Dec 3 12:50:31 CET 2019
Hi Tobias,
in fact, I see a bit different behaviour. Having the following code:
t = v.terminate({
    'ike-id': ike_id,
    'timeout': 5000
})
try:
    for c in t:
        pass
except Exception as e:
    print(e)
nothing happens to the IKE_SA if I omit the "for c in t" statement - strongSwan
doesn't report "12[CFG] vici terminate IKE_SA #nnn" in the log and doesn't
start processing, regardless of the timeout and force parameters.
Processing starts only upon iterating over "t". This behaviour is
reproducible every time.
On 03.12.2019 13:39, Tobias Brunner wrote:
> Hi Volodymyr,
>
>> thanks a lot, it works. It is worth saying that the timeout must be set to a
>> reasonable value to allow strongSwan to finish the task. If set to -1 or
>> a few milliseconds, it returns failure as well :)
> If you are referring to the returned error "terminating SA failed",
> that's because with -1 (or a short timeout) the code doesn't wait until
> the termination is fully completed (a regular termination causes DELETEs
> to be sent and until the peer either replies, or there is a timeout
> after several retransmits, it is not complete). So you get that error
> because VICI doesn't know if the SA was actually terminated. The
> termination is still initiated unless you receive the error "no matching
> SAs to terminate found", it just happens in the background.
>
> If you don't want to wait and send retransmits for DELETEs, use the
> "force" option, optionally combined with a timeout, so the code waits
> for a reply to the DELETEs for a while and then destroys the SA even if
> none was received.
>
> Regards,
> Tobias
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
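The behaviour discussed in this thread, as an added example that is not part of the original messages or of the strongSwan code: a helper that drains the iterator returned by terminate() so the command is actually sent, and maps the two error strings quoted above to a status. FakeSession is a constructed stand-in for vici.Session so the block runs without a charon socket; the helper name, the status strings and passing force as "yes" are assumptions.

```python
class FakeSession:
    """Constructed stand-in for vici.Session (no charon socket needed).
    terminate() is a generator function, so its body, and with it the
    request, only runs once the caller starts iterating."""

    def __init__(self, ike_ids):
        self.ike_ids = set(ike_ids)
        self.sent = []  # requests that actually reached the "daemon"

    def terminate(self, sa):
        self.sent.append(dict(sa))
        if sa["ike-id"] not in self.ike_ids:
            raise Exception("no matching SAs to terminate found")
        yield {"group": "CFG", "msg": "vici terminate IKE_SA #%d" % sa["ike-id"]}
        if sa["timeout"] < 0:  # simplified model: -1 means "do not wait"
            raise Exception("terminating SA failed")
        self.ike_ids.discard(sa["ike-id"])


def terminate_ike_sa(session, ike_id, timeout_ms=5000, force=False):
    """Send a terminate request and drain its log stream.

    Returns (status, log_entries); status is "terminated", "unconfirmed"
    (termination continues in the background) or "not-found"."""
    request = {"ike-id": ike_id, "timeout": timeout_ms}
    if force:
        request["force"] = "yes"  # assumption: boolean option passed as "yes"
    logs = []
    try:
        for entry in session.terminate(request):  # iterating sends the command
            logs.append(entry)
    except Exception as exc:
        if "no matching SAs to terminate found" in str(exc):
            return "not-found", logs
        if "terminating SA failed" in str(exc):
            return "unconfirmed", logs
        raise  # anything else is a real failure the caller must see
    return "terminated", logs


if __name__ == "__main__":
    s = FakeSession([7])
    s.terminate({"ike-id": 7, "timeout": 5000})  # never iterated
    print("sent without iterating:", s.sent)
    print(terminate_ike_sa(s, 7), s.sent)
```

With a real session, "unconfirmed" should be followed by a later SA listing before the tunnel is treated as gone, since the termination is still running in the background.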