[strongSwan] Keeps building connections (2 up, 670 connecting)

Volodymyr Litovka doka.ua at gmx.com
Wed Nov 18 13:02:11 CET 2020


Hi Ben,

It makes sense to look into the logs. Configure them using
charon-logging.conf or charon-systemd.conf according to
https://wiki.strongswan.org/projects/strongswan/wiki/Loggerconfiguration,
set higher levels for the ike, cfg, chd and net sections, and then reload using
'systemctl reload strongswan'. With very high probability, you'll find
the issue in the logs.

Thank you.

On 18.11.2020 12:46, strongswan.org at it-beheer.eu wrote:
>
> Good morning all,
>
> I have an Ubuntu server 20.04 with two strongSwan connections. One is
> fine and up all the time. The second is a copy of the first config
> with other IP addresses and another secret, and is connecting all the
> time even though it has already established one working connection.
> I found one person who had something similar, which had something to do
> with setting dpdaction and closeaction, but after a few tries I didn't get
> a result, and bringing down the connection all the time gave too many
> interruptions for the client. So basically I have a working connection
> and only get interruptions when it is being reestablished.
>
> I hope someone can tell me what I am doing wrong, or if this is a problem
> at the other end, or can give me some pointers for debugging.
>
> ===== Conn1 ====
> conn Conn1
>  left=31.3.111.111
>  right=77.94.111.111
>  leftsubnet=10.33.3.0/24
>  rightsubnet=172.31.1.0/24
>  ike=aes256-sha1-modp1024
>  keyexchange=ikev2
>  reauth=no
>  ikelifetime=86400s
>  compress=no
>  authby=secret
>  esp=aes256-sha1-modp1024
>  type=tunnel
>  auto=start
>  keyingtries=%forever
>  dpdaction=restart
>  closeaction=restart
>
>
> ===== ipsec.secrets =====
> # This file holds shared secrets or RSA private keys for authentication.
>
> # RSA private key for this host, authenticating it to any other host
> # which knows the public part.
>
> %any 77.94.111.111 : PSK "<sec1>"
> %any 90.145.222.222 : PSK "<sec2>"
>
>
> Output from sudo ipsec status
> =========================
>
> Security Associations (2 up, 670 connecting):
>     Conn1[2466]: ESTABLISHED 16 minutes ago,
> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>     Conn1{5461231}:  INSTALLED, TUNNEL, reqid 637, ESP SPIs:
> c1f5asdf_i 725asdf_o
>     Conn1{5461231}:   10.33.3.0/24 === 172.31.1.0/24
>     Conn1[2464]: CONNECTING,
> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>     Conn1[2460]: CONNECTING,
> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>     Conn1[2457]: CONNECTING,
> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>     Conn1[2455]: CONNECTING,
> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>   OtherConnection[2454]: ESTABLISHED 6 hours ago,
> 31.3.111.111[31.3.111.111]...90.145.222.222[90.145.222.222]
>   OtherConnection{5459235}:  INSTALLED, TUNNEL, reqid 634, ESP SPIs:
> c38asdff_i c919asdf_o
>   OtherConnection{5459235}:   10.33.3.0/24 === 100.222.222.0/21
>     Conn1[2451]: CONNECTING,
> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>     Conn1[2447]: CONNECTING,
> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>     Conn1[2440]: CONNECTING,
> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>     Conn1[2439]: CONNECTING,
> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>     Conn1[2437]: CONNECTING,
> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>     Conn1[2434]: CONNECTING,
> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>     Conn1[2432]: CONNECTING,
> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>     Conn1[2430]: CONNECTING,
> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>     Conn1[2429]: CONNECTING,
> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>     Conn1[2426]: CONNECTING,
> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>     Conn1[2425]: CONNECTING,
> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>     Conn1[2422]: CONNECTING,
> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>     Conn1[2421]: CONNECTING,
> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>     Conn1[2418]: CONNECTING,
> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>     Conn1[2412]: CONNECTING,
> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>     Conn1[2411]: CONNECTING,
> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>     Conn1[2409]: CONNECTING,
> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
> ============================
>
> --
> Met vriendelijke groet,
> Ben

--
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison
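
The pile-up visible in the quoted status output can be quantified per connection before raising the log levels. The following is an added example, not part of the original mail or of strongSwan; the function names, the threshold of 3 and the shortened sample are assumptions constructed from the output quoted above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: shortened from the status output quoted in the mail,
# with the mail's line wraps removed.
SAMPLE = """\
Security Associations (2 up, 670 connecting):
    Conn1[2466]: ESTABLISHED 16 minutes ago, 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
    Conn1{5461231}:  INSTALLED, TUNNEL, reqid 637, ESP SPIs: c1f5asdf_i 725asdf_o
    Conn1[2464]: CONNECTING, 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
    Conn1[2460]: CONNECTING, 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
    Conn1[2457]: CONNECTING, 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
    Conn1[2455]: CONNECTING, 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
  OtherConnection[2454]: ESTABLISHED 6 hours ago, 31.3.111.111[31.3.111.111]...90.145.222.222[90.145.222.222]
"""

HEADER_RE = re.compile(r"Security Associations \((\d+) up, (\d+) connecting\)")
# IKE_SA lines look like "name[unique-id]: STATE"; CHILD_SA lines use "{...}"
# and are skipped. A leading "> " from mail quoting is tolerated.
IKE_SA_RE = re.compile(
    r"^[>\s]*(?P<conn>[^\s\[{]+)\[(?P<id>\d+)\]:\s+(?P<state>[A-Z]+)", re.M)


def parse_status(text):
    """Return (header counts or None, {connection: Counter of IKE_SA states})."""
    m = HEADER_RE.search(text)
    header = {"up": int(m.group(1)), "connecting": int(m.group(2))} if m else None
    states = defaultdict(Counter)
    for sa in IKE_SA_RE.finditer(text):
        states[sa.group("conn")][sa.group("state")] += 1
    return header, dict(states)


def piled_up(states, threshold=3):
    """Connections with an ESTABLISHED IKE_SA that still hold at least
    `threshold` further IKE_SAs in CONNECTING (threshold is an assumption)."""
    return sorted(conn for conn, s in states.items()
                  if s["ESTABLISHED"] >= 1 and s["CONNECTING"] >= threshold)


if __name__ == "__main__":
    header, states = parse_status(SAMPLE)
    print(header)
    for conn, s in states.items():
        print(conn, dict(s))
    print("piled up:", piled_up(states))
```

Feeding it the real output of `ipsec status` at intervals shows whether the CONNECTING count for one connection keeps growing while its established IKE_SA stays up.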
