Hi Anand,
conn toevm2-psk
    ...
    auto=route
The problem is the combination of auto=route and reauth=yes (which is
the default). With reauth=yes the IKE_SA is not rekeyed but
reauthenticated. This means that the IKE_SA is first deleted and then
reestablished. During this (albeit
Cc: Tobias Brunner tob...@strongswan.org; users@lists.strongswan.org
users@lists.strongswan.org
Sent: Friday, March 23, 2012 7:16 PM
Subject: Re: [strongSwan] Charon hangs after failing to delete Rekeyed IPsec SAs
Hi Anand,
wrt RFC 4306 Page 22:
If the two ends have the same lifetime policies
-
From: Tobias Brunner tob...@strongswan.org
To: anand rao anandrao...@yahoo.co.in
Cc: users@lists.strongswan.org users@lists.strongswan.org
Sent: Tuesday, March 20, 2012 2:25 PM
Subject: Re: [strongSwan] Charon hangs after failing to delete Rekeyed IPsec SAs
Hi Anand,
On my environment
-
From: Tobias Brunner tob...@strongswan.org
To: anand rao anandrao...@yahoo.co.in
Cc: users@lists.strongswan.org users@lists.strongswan.org
Sent: Monday, March 19, 2012 9:17 PM
Subject: Re: [strongSwan] Charon hangs after failing to delete Rekeyed IPsec SAs
Hi Anand,
conn %default
Hi Anand,
On my environment there is no support for kernel-netlink interface
for IPsec,
I have to use kernel-pfkey interface only as I have my hooks
registered in PFKEY to XFRM for IPsec.
I have tried latest versions of strongswan (4.5.1 and 4.5.3) both
resulted in kernel panic after
Hi,
I am using strongswan 4.3.6
I have configured two peers to establish tunnel in tunnel mode.
Here is configuration in ipsec.conf
config setup
    strictcrlpolicy=no
    crlcheckinterval=180
    plutostart=yes
    charonstart=yes
    nat_traversal=yes
conn %default
    ikelifetime=10m
Hi Anand,
conn %default
    ikelifetime=10m
    keylife=5m
    rekeymargin=3m
Not sure what exactly the problem is but I suspect it might be related
to the times you configured above (at least partially).
Please have a look at the wiki page documenting how rekey times are
calculated [1].