[strongSwan] Keeps building connections (2 up, 670 connecting)

strongswan.org at it-beheer.eu
Fri Nov 20 18:32:09 CET 2020


Hi Volodymyr,

For some reason the other end didn't accept all packages and got some 
close action in return. Changed to closeaction=none and now it all seems 
fine. Will check for some more time but think all is ok again.
Thanks for pointing me to the right page and direction.

Kind regards,
Ben

On 18-11-2020 13:02, Volodymyr Litovka wrote:
>
> Hi Ben,
>
> it makes sense to look into the logs. Configure them using 
> charon-logging.conf or charon-systemd.conf according to 
> https://wiki.strongswan.org/projects/strongswan/wiki/Loggerconfiguration, 
> set higher levels for ike, cfg, chd, net sections and then reload 
> using 'systemctl reload strongswan'. With very high probability, 
> you'll find the issue in the logs.
>
> Thank you.
>
> On 18.11.2020 12:46, strongswan.org at it-beheer.eu wrote:
>>
>> Good morning all,
>>
>> I have an Ubuntu server 20.04 with two Strongswan connections. One is 
>> fine and up all the time. The second is a copy of the first config 
>> with other IP addresses and another secret and is all the time 
>> connecting even though it has already established one connection working. 
>> Found one person that had something similar which had something to do 
>> with setting dpdaction and closeaction but after a few tries didn't get 
>> a result and bringing down the connection all the time gave too many 
>> interruptions for the client. So basically I have a working 
>> connection and only get interruptions when it is being reestablished.
>>
>> Hope someone can tell me what I am doing wrong or if this is a 
>> problem at the other end or can give me some pointers to debugging.
>>
>> ===== Conn1 ====
>> conn Conn1
>>  left=31.3.111.111
>>  right=77.94.111.111
>>  leftsubnet=10.33.3.0/24
>>  rightsubnet=172.31.1.0/24
>>  ike=aes256-sha1-modp1024
>>  keyexchange=ikev2
>>  reauth=no
>>  ikelifetime=86400s
>>  compress=no
>>  authby=secret
>>  esp=aes256-sha1-modp1024
>>  type=tunnel
>>  auto=start
>>  keyingtries=%forever
>>  dpdaction=restart
>>  closeaction=restart
>>
>>
>> ===== ipsec.secrets =====
>> # This file holds shared secrets or RSA private keys for authentication.
>>
>> # RSA private key for this host, authenticating it to any other host
>> # which knows the public part.
>>
>> %any 77.94.111.111 : PSK "<sec1>"
>> %any 90.145.222.222 : PSK "<sec2>"
>>
>>
>> Output from sudo ipsec status
>> =========================
>>
>> Security Associations (2 up, 670 connecting):
>>     Conn1[2466]: ESTABLISHED 16 minutes ago, 
>> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>>     Conn1{5461231}:  INSTALLED, TUNNEL, reqid 637, ESP SPIs: 
>> c1f5asdf_i 725asdf_o
>>     Conn1{5461231}:   10.33.3.0/24 === 172.31.1.0/24
>>     Conn1[2464]: CONNECTING, 
>> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>>     Conn1[2460]: CONNECTING, 
>> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>>     Conn1[2457]: CONNECTING, 
>> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>>     Conn1[2455]: CONNECTING, 
>> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>>   OtherConnection[2454]: ESTABLISHED 6 hours ago, 
>> 31.3.111.111[31.3.111.111]...90.145.222.222[90.145.222.222]
>>   OtherConnection{5459235}:  INSTALLED, TUNNEL, reqid 634, ESP SPIs: 
>> c38asdff_i c919asdf_o
>>   OtherConnection{5459235}:   10.33.3.0/24 === 100.222.222.0/21
>>     Conn1[2451]: CONNECTING, 
>> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>>     Conn1[2447]: CONNECTING, 
>> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>>     Conn1[2440]: CONNECTING, 
>> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>>     Conn1[2439]: CONNECTING, 
>> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>>     Conn1[2437]: CONNECTING, 
>> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>>     Conn1[2434]: CONNECTING, 
>> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>>     Conn1[2432]: CONNECTING, 
>> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>>     Conn1[2430]: CONNECTING, 
>> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>>     Conn1[2429]: CONNECTING, 
>> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>>     Conn1[2426]: CONNECTING, 
>> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>>     Conn1[2425]: CONNECTING, 
>> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>>     Conn1[2422]: CONNECTING, 
>> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>>     Conn1[2421]: CONNECTING, 
>> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>>     Conn1[2418]: CONNECTING, 
>> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>>     Conn1[2412]: CONNECTING, 
>> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>>     Conn1[2411]: CONNECTING, 
>> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>>     Conn1[2409]: CONNECTING, 
>> 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
>> ============================
>>
>> --
>> Kind regards,
>> Ben
> --
> Volodymyr Litovka
>    "Vision without Execution is Hallucination." -- Thomas Edison
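
Added example, not part of the original thread and not strongSwan's own tooling: a shell function that reads `ipsec status` output and reports connections whose IKE_SAs accumulate in CONNECTING, the symptom shown in the quoted output. The names `sa_pileup` and `sample_status`, the threshold argument and the embedded sample (constructed from the post's output, with the wrapped lines joined) are assumptions.

```shell
#!/bin/sh
# Constructed sample modelled on the status output quoted in the thread.
sample_status() {
cat <<'EOF'
Security Associations (2 up, 5 connecting):
    Conn1[2466]: ESTABLISHED 16 minutes ago, 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
    Conn1{5461231}:  INSTALLED, TUNNEL, reqid 637, ESP SPIs: c1f5asdf_i 725asdf_o
    Conn1{5461231}:   10.33.3.0/24 === 172.31.1.0/24
    Conn1[2464]: CONNECTING, 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
    Conn1[2460]: CONNECTING, 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
    Conn1[2457]: CONNECTING, 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
    Conn1[2455]: CONNECTING, 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
  OtherConnection[2454]: ESTABLISHED 6 hours ago, 31.3.111.111[31.3.111.111]...90.145.222.222[90.145.222.222]
  OtherConnection{5459235}:  INSTALLED, TUNNEL, reqid 634, ESP SPIs: c38asdff_i c919asdf_o
  OtherConnection{5459235}:   10.33.3.0/24 === 100.222.222.0/21
    Conn1[2451]: CONNECTING, 31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]
EOF
}

# Usage: ipsec status | sa_pileup [threshold]
# Prints one line per connection with at least <threshold> (default 3)
# IKE_SAs in CONNECTING, together with its ESTABLISHED count.
sa_pileup() {
    awk -v min="${1:-3}" '
        # IKE_SA lines start with "name[id]:"; CHILD_SA lines use "name{id}:"
        # and are skipped, as is the summary header.
        match($1, /\[[0-9]+\]:$/) {
            name = substr($1, 1, RSTART - 1)
            state = $2
            sub(/,$/, "", state)            # "CONNECTING," -> "CONNECTING"
            if (state == "ESTABLISHED") up[name]++
            else if (state == "CONNECTING") pending[name]++
        }
        END {
            for (n in pending)
                if (pending[n] >= min)
                    printf "%s established=%d connecting=%d\n", n, up[n], pending[n]
        }'
}

# Demo on the constructed sample.
sample_status | sa_pileup 3
```

A connection reported with `established=1` and a growing `connecting` count matches the situation in the thread, where `closeaction=restart` was in effect on Conn1.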