Hi,

Are you running strongSwan on CentOS or Red Hat? There is an issue with
these Linux kernels where IPsec policies get deleted when they are
queried, e.g. by ipsec statusall or DPD. I think this kernel bug was
fixed recently by Red Hat.

Best regards

Andreas

ServerAlex wrote:
> I've got a host-to-host connection that should be kept alive 24/7.
> 
> machine 1:
> config setup
>         plutostart=no           # IKEv1
>         charonstart=yes         # IKEv2
>         nat_traversal=no
> 
> # Add connections here.
> 
> # Sample VPN connections
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=%forever
>         keyexchange=ikev2
>         dpdaction=hold
>         mobike=no
> 
> conn server1
>         left=XX.X.XX.XX
>         leftcert=server1-cert.pem
>         left...@server1.xxx.com
>         right=YY.YY.YY.YY
>         right...@server2.xxx.com
>         auto=start
> 
> server2:
> config setup
>         plutostart=no           # IKEv1
>         charonstart=yes         # IKEv2
>         nat_traversal=no
> 
> # Add connections here.
> 
> # Sample VPN connections
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=%forever
>         keyexchange=ikev2
>         dpdaction=clear
>         mobike=no
> 
> conn server12
>         left=YY.YY.YY.YY
>         leftcert=server2-cert.pem
>         left...@server2.xxx.com
>         right=XX.XX.XX.XX
>         right...@server1.xxx.com
>         auto=add
> 
> 
> When I start ipsec on both sides it works for a few minutes, then it
> just doesn't any longer, although the SAs are still alive.
> server2[2]: ESTABLISHED 11 minutes ago,
> XX.XX.XX.XX[server1.XXX.com]...YY.YY.YY.YY[server2.XXX.com]
> server2{2}:  INSTALLED, TUNNEL, ESP SPIs: cb043689_i c4ecff51_o
> server2{2}:   XX.XX.XX.XX/32 === YY.YY.YY.YY/32
> 
> But no traffic flow can be established. Logs give me errors like these:
> Sep  2 02:44:30 server1 charon: 11[KNL] querying policy failed: No
> such file or directory (2)
> 
> I have to restart the whole daemon on server1 to get the traffic
> flowing again... for a few minutes.
> 
> Any ideas?

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org

Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
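Added example, not part of the original message and not strongSwan code: a check for the symptom discussed in this thread, where ESP SAs stay installed while the kernel policy that steers traffic into them has disappeared. The sample `ip xfrm` output and addresses are constructed, the output layout is an assumption about iproute2's format, and the function names are hypothetical.

```python
import re

# Constructed sample of `ip xfrm state` output: one ESP tunnel SA per direction.
SAMPLE_STATE = """\
src 192.0.2.1 dst 198.51.100.2
    proto esp spi 0xc0000001 reqid 1 mode tunnel
src 198.51.100.2 dst 192.0.2.1
    proto esp spi 0xc0000002 reqid 1 mode tunnel
"""

# Constructed sample of `ip xfrm policy` output after the outbound policy
# vanished: only the inbound policy is left.
SAMPLE_POLICY = """\
src 198.51.100.2/32 dst 192.0.2.1/32
    dir in priority 1795
    tmpl src 198.51.100.2 dst 192.0.2.1
        proto esp reqid 1 mode tunnel
"""

# First line is modelled on the log line quoted in the thread; second is constructed.
SAMPLE_LOG = (
    "Sep  2 02:44:30 server1 charon: 11[KNL] querying policy failed: "
    "No such file or directory (2)\n"
    "Sep  2 02:44:31 server1 charon: 11[IKE] sending DPD request\n"
)

SA_RE = re.compile(r"^src (\S+) dst (\S+)\s*\n\s+proto esp spi (\S+) reqid (\d+)", re.M)
TMPL_RE = re.compile(r"tmpl src (\S+) dst (\S+)\s*\n\s+proto esp(?: spi \S+)? reqid (\d+)")

def orphaned_sas(state_text, policy_text):
    """Return (src, dst, spi) for each ESP SA that no policy template refers to."""
    covered = {(s, d, int(r)) for s, d, r in TMPL_RE.findall(policy_text)}
    return [(s, d, spi) for s, d, spi, r in SA_RE.findall(state_text)
            if (s, d, int(r)) not in covered]

def policy_query_failures(log_text):
    """Count charon kernel-interface lines reporting a failed policy query."""
    return sum("[KNL] querying policy failed" in line for line in log_text.splitlines())

if __name__ == "__main__":
    print("SAs without a matching policy:", orphaned_sas(SAMPLE_STATE, SAMPLE_POLICY))
    print("failed policy queries in log:", policy_query_failures(SAMPLE_LOG))
```

On a live host, pass the text printed by `ip xfrm state` and `ip xfrm policy` (run as root) instead of the samples; a non-empty result while the SA still shows as INSTALLED matches the behaviour reported above.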