Hello all,

A little background.  I am still trying to get a robust
solution for restarting IPsec connections.  I asked this
a while ago:
https://lists.strongswan.org/pipermail/users/2009-January/003058.html

Martin helped out by pointing out the keyingtries=%forever
configuration parameter.  This works much better, and in theory should
solve my problems.

Reality is a little harsher.  What I am currently seeing is that
most of the time things work properly, but I am still running into
situations where lost connections do not recover.  I have been working
on debugging this and it appears I am hitting some sort of hang or
deadlock in charon/kernel.

Most of the time my connections restart fine, but sometimes charon
decides it doesn't want to send out IKE_SA_INIT requests any more
after a dpd timeout.

My ipsec.conf looks like:
conn host-host-1
   ike=aes256-sha2_256-modp1536,aes256-sha1-modp1536,aes128-sha2_256-modp1536,aes128-sha1-modp1536,3des-sha2_256-modp1536,3des-sha1-modp1536
   esp=aes256-sha2_256-modp1536,aes256-sha1-modp1536,aes128-sha2_256-modp1536,aes128-sha1-modp1536,3des-sha2_256-modp1536,3des-sha1-modp1536
   mobike=no
   pfs=yes
   pfsgroup=modp1536
   leftupdown=/usr/lib/ipsec/my_updown
   keyingtries=%forever
   dpdaction=restart
   dpddelay=60
   left=192.168.1.1
   right=192.168.1.2
   auto=start
   authby=secret
   keyexchange=ikev2

conn net-net-1-2-2
   leftsubnet=10.201.0.0/16
   rightsubnet=192.167.1.0/24
   also=host-host-1

conn net-net-1-2-1
   leftsubnet=10.201.0.0/16
   rightsubnet=192.168.2.0/24
   also=host-host-1

conn net-host-1-2
   leftsubnet=10.201.0.0/16
   also=host-host-1

conn host-net-1-2
   rightsubnet=192.167.1.0/24
   also=host-host-1

conn host-net-1-1
   rightsubnet=192.168.2.0/24
   also=host-host-1

Here is an example output:
<computers start out connected>
# ipsec start --nofork
Starting strongSwan 4.3.4 IPsec [starter]...
01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.4)
01[NET] unable to create raw socket: Address family not supported by protocol
01[NET] could not open IPv6 receive socket, IPv6 disabled
01[KNL] listening on interfaces:
01[KNL]   eth0
01[KNL]     192.168.1.1
01[KNL]   eth1
01[KNL]     10.201.98.1
01[KNL]   eth2
01[KNL]     10.203.42.1
01[KNL]   sl0
01[KNL]     192.166.1.1
01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
01[CFG] loading crls from '/etc/ipsec.d/crls'
01[CFG] loading secrets from '/etc/ipsec.secrets'
01[CFG]   loaded IKE secret for 192.168.1.1 192.168.1.2
01[DMN] loaded plugins: curl aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink stroke updown attr resolv-conf
01[JOB] spawning 16 worker threads
charon (25611) started after 40 ms
05[CFG] received stroke: add connection 'host-host-1'
05[CFG] added configuration 'host-host-1'
05[CFG] received stroke: initiate 'host-host-1'
05[IKE] initiating IKE_SA host-host-1[1] to 192.168.1.2
05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
05[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
09[CFG] received stroke: add connection 'net-net-1-2-2'
09[CFG] added child to existing configuration 'host-host-1'
09[CFG] received stroke: initiate 'net-net-1-2-2'
09[CFG] received stroke: add connection 'net-net-1-2-1'
09[CFG] added child to existing configuration 'host-host-1'
10[CFG] received stroke: initiate 'net-net-1-2-1'
11[CFG] received stroke: add connection 'net-host-1-2'
11[CFG] added child to existing configuration 'host-host-1'
11[CFG] received stroke: initiate 'net-host-1-2'
11[CFG] received stroke: add connection 'host-net-1-2'
11[CFG] added child to existing configuration 'host-host-1'
17[CFG] received stroke: initiate 'host-net-1-2'
08[CFG] received stroke: add connection 'host-net-1-1'
08[CFG] added child to existing configuration 'host-host-1'
15[CFG] received stroke: initiate 'host-net-1-1'
10[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
10[IKE] authentication of '192.168.1.1' (myself) with pre-shared key
10[IKE] establishing CHILD_SA host-host-1
10[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) ]
10[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
09[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
09[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
09[IKE] authentication of '192.168.1.2' with pre-shared key successful
09[IKE] scheduling reauthentication in 9854s
09[IKE] maximum IKE_SA lifetime 10394s
09[IKE] IKE_SA host-host-1[1] established between 192.168.1.1[192.168.1.1]...192.168.1.2[192.168.1.2]
09[IKE] CHILD_SA host-host-1{1} established with SPIs ce767b0c_i ca796555_o and TS 192.168.1.1/32 === 192.168.1.2/32
09[IKE] received AUTH_LIFETIME of 9754s, scheduling reauthentication in 9214s
09[IKE] establishing CHILD_SA net-net-1-2-2
09[ENC] generating CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
09[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
13[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
13[ENC] parsed CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]
13[CHD] updown:  ipsec_connections_established
13[CHD] updown: -------------------------------
13[CHD] updown:
13[CHD] updown: (1 row)
13[CHD] updown:
13[IKE] CHILD_SA net-net-1-2-2{2} established with SPIs c27d8607_i c715f302_o and TS 10.201.98.0/24 === 192.167.1.0/24
13[IKE] establishing CHILD_SA net-net-1-2-1
13[ENC] generating CREATE_CHILD_SA request 3 [ SA No KE TSi TSr ]
13[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
14[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
14[ENC] parsed CREATE_CHILD_SA response 3 [ SA No KE TSi TSr ]
14[CHD] updown:  ipsec_connections_established
14[CHD] updown: -------------------------------
14[CHD] updown:
14[CHD] updown: (1 row)
14[CHD] updown:
14[IKE] CHILD_SA net-net-1-2-1{3} established with SPIs cbebcf7a_i ce01b2fd_o and TS 10.201.98.0/24 === 192.168.2.0/24
14[IKE] establishing CHILD_SA net-host-1-2
14[ENC] generating CREATE_CHILD_SA request 4 [ SA No KE TSi TSr ]
14[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
11[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
11[ENC] parsed CREATE_CHILD_SA response 4 [ SA No KE TSi TSr ]
11[IKE] CHILD_SA net-host-1-2{4} established with SPIs c060bfae_i c90dade3_o and TS 10.201.98.0/24 === 192.168.1.2/32
11[IKE] establishing CHILD_SA host-net-1-2
11[ENC] generating CREATE_CHILD_SA request 5 [ SA No KE TSi TSr ]
11[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
16[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
16[ENC] parsed CREATE_CHILD_SA response 5 [ SA No KE TSi TSr ]
16[IKE] CHILD_SA host-net-1-2{5} established with SPIs ca2736f8_i c1187e96_o and TS 192.168.1.1/32 === 192.167.1.0/24
16[IKE] establishing CHILD_SA host-net-1-1
16[ENC] generating CREATE_CHILD_SA request 6 [ SA No KE TSi TSr ]
16[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
12[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
12[ENC] parsed CREATE_CHILD_SA response 6 [ SA No KE TSi TSr ]
12[IKE] CHILD_SA host-net-1-1{6} established with SPIs ccf77e0a_i c253e9a3_o and TS 192.168.1.1/32 === 192.168.2.0/24
<disconnect remote computer>
09[IKE] sending DPD request
09[ENC] generating INFORMATIONAL request 7 [ ]
09[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
05[IKE] retransmit 1 of request with message ID 7
05[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
09[IKE] retransmit 2 of request with message ID 7
09[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
13[IKE] retransmit 3 of request with message ID 7
13[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
10[IKE] retransmit 4 of request with message ID 7
10[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
09[IKE] retransmit 5 of request with message ID 7
09[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
11[IKE] giving up after 5 retransmits
11[IKE] restarting CHILD_SA host-host-1
11[IKE] initiating IKE_SA host-host-1[2] to 192.168.1.2
11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
11[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
11[IKE] restarting CHILD_SA net-net-1-2-2
11[IKE] restarting CHILD_SA net-net-1-2-1
11[IKE] restarting CHILD_SA net-host-1-2
11[IKE] restarting CHILD_SA host-net-1-2
11[IKE] restarting CHILD_SA host-net-1-1
11[CHD] updown:  ipsec_connections_destroyed
11[CHD] updown: -----------------------------
11[CHD] updown:
11[CHD] updown: (1 row)
11[CHD] updown:
11[CHD] updown:  ipsec_connections_destroyed
11[CHD] updown: -----------------------------
11[CHD] updown:
11[CHD] updown: (1 row)
11[CHD] updown:
12[IKE] retransmit 1 of request with message ID 0
12[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
11[IKE] retransmit 2 of request with message ID 0
11[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
11[IKE] retransmit 3 of request with message ID 0
11[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
13[IKE] retransmit 4 of request with message ID 0
13[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
08[IKE] retransmit 5 of request with message ID 0
08[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
12[IKE] giving up after 5 retransmits
12[IKE] peer not responding, trying again (2/0)
12[IKE] initiating IKE_SA host-host-1[2] to 192.168.1.2
12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
12[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
11[IKE] retransmit 1 of request with message ID 0
11[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
12[IKE] retransmit 2 of request with message ID 0
12[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
05[IKE] retransmit 3 of request with message ID 0
05[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
<reconnect remote computer>
12[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
12[IKE] authentication of '192.168.1.1' (myself) with pre-shared key
12[IKE] establishing CHILD_SA host-host-1
12[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) ]
12[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
08[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
08[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
08[IKE] authentication of '192.168.1.2' with pre-shared key successful
08[IKE] scheduling reauthentication in 9876s
08[IKE] maximum IKE_SA lifetime 10416s
08[IKE] IKE_SA host-host-1[2] established between 192.168.1.1[192.168.1.1]...192.168.1.2[192.168.1.2]
08[IKE] CHILD_SA host-host-1{7} established with SPIs c916cc08_i c4399951_o and TS 192.168.1.1/32 === 192.168.1.2/32
08[IKE] received AUTH_LIFETIME of 9940s, scheduling reauthentication in 9400s
08[IKE] establishing CHILD_SA net-net-1-2-2
08[ENC] generating CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
08[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
15[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
15[ENC] parsed CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]
15[CHD] updown:  ipsec_connections_established
15[CHD] updown: -------------------------------
15[CHD] updown:
15[CHD] updown: (1 row)
15[CHD] updown:
15[IKE] CHILD_SA net-net-1-2-2{8} established with SPIs cc0a764a_i c75e2830_o and TS 10.201.98.0/24 === 192.167.1.0/24
15[IKE] establishing CHILD_SA net-net-1-2-1
15[ENC] generating CREATE_CHILD_SA request 3 [ SA No KE TSi TSr ]
15[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
13[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
13[ENC] parsed CREATE_CHILD_SA response 3 [ SA No KE TSi TSr ]
13[CHD] updown:  ipsec_connections_established
13[CHD] updown: -------------------------------
13[CHD] updown:
13[CHD] updown: (1 row)
13[CHD] updown:
13[IKE] CHILD_SA net-net-1-2-1{9} established with SPIs c11fbe20_i cee510e0_o and TS 10.201.98.0/24 === 192.168.2.0/24
13[IKE] establishing CHILD_SA net-host-1-2
13[ENC] generating CREATE_CHILD_SA request 4 [ SA No KE TSi TSr ]
13[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
09[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
09[ENC] parsed CREATE_CHILD_SA response 4 [ SA No KE TSi TSr ]
09[IKE] CHILD_SA net-host-1-2{10} established with SPIs c4fa77eb_i c0f39dd8_o and TS 10.201.98.0/24 === 192.168.1.2/32
09[IKE] establishing CHILD_SA host-net-1-2
09[ENC] generating CREATE_CHILD_SA request 5 [ SA No KE TSi TSr ]
09[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
12[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
12[ENC] parsed CREATE_CHILD_SA response 5 [ SA No KE TSi TSr ]
12[IKE] CHILD_SA host-net-1-2{11} established with SPIs cb568f5b_i c871cb07_o and TS 192.168.1.1/32 === 192.167.1.0/24
12[IKE] establishing CHILD_SA host-net-1-1
12[ENC] generating CREATE_CHILD_SA request 6 [ SA No KE TSi TSr ]
12[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
10[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
10[ENC] parsed CREATE_CHILD_SA response 6 [ SA No KE TSi TSr ]
10[IKE] CHILD_SA host-net-1-1{12} established with SPIs c3080f07_i c8d9a90d_o and TS 192.168.1.1/32 === 192.168.2.0/24
<disconnect remote computer again>
16[IKE] sending DPD request
16[ENC] generating INFORMATIONAL request 7 [ ]
16[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
15[IKE] retransmit 1 of request with message ID 7
15[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
16[IKE] retransmit 2 of request with message ID 7
16[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
14[IKE] retransmit 3 of request with message ID 7
14[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
10[IKE] retransmit 4 of request with message ID 7
10[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
16[IKE] retransmit 5 of request with message ID 7
16[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
05[IKE] giving up after 5 retransmits
05[IKE] restarting CHILD_SA host-host-1
05[IKE] initiating IKE_SA host-host-1[3] to 192.168.1.2
05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
05[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
05[IKE] restarting CHILD_SA net-net-1-2-2
05[IKE] restarting CHILD_SA net-net-1-2-1
05[IKE] restarting CHILD_SA net-host-1-2
05[IKE] restarting CHILD_SA host-net-1-2
05[IKE] restarting CHILD_SA host-net-1-1
05[CHD] updown:  ipsec_connections_destroyed
05[CHD] updown: -----------------------------
05[CHD] updown:
05[CHD] updown: (1 row)
05[CHD] updown:
05[CHD] updown:  ipsec_connections_destroyed
05[CHD] updown: -----------------------------
05[CHD] updown:
05[CHD] updown: (1 row)
05[CHD] updown:
13[IKE] retransmit 1 of request with message ID 0
13[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
05[IKE] retransmit 2 of request with message ID 0
05[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
05[IKE] retransmit 3 of request with message ID 0
05[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
14[IKE] retransmit 4 of request with message ID 0
14[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
08[IKE] retransmit 5 of request with message ID 0
08[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
13[IKE] giving up after 5 retransmits
13[IKE] peer not responding, trying again (2/0)
13[IKE] initiating IKE_SA host-host-1[3] to 192.168.1.2
13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
13[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
05[IKE] retransmit 1 of request with message ID 0
05[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
13[IKE] retransmit 2 of request with message ID 0
13[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
15[IKE] retransmit 3 of request with message ID 0
15[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
13[IKE] retransmit 4 of request with message ID 0
13[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
05[IKE] retransmit 5 of request with message ID 0
05[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
14[IKE] giving up after 5 retransmits
14[IKE] peer not responding, trying again (3/0)
14[IKE] initiating IKE_SA host-host-1[3] to 192.168.1.2
14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
14[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
15[IKE] retransmit 1 of request with message ID 0
15[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
14[IKE] retransmit 2 of request with message ID 0
14[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
11[IKE] retransmit 3 of request with message ID 0
11[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
13[IKE] retransmit 4 of request with message ID 0
13[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
05[IKE] retransmit 5 of request with message ID 0
05[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
17[IKE] giving up after 5 retransmits
17[IKE] peer not responding, trying again (4/0)
17[IKE] initiating IKE_SA host-host-1[3] to 192.168.1.2
17[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
17[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
05[IKE] retransmit 1 of request with message ID 0
05[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
14[IKE] retransmit 2 of request with message ID 0
14[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
08[IKE] retransmit 3 of request with message ID 0
08[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
13[IKE] retransmit 4 of request with message ID 0
13[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
11[IKE] retransmit 5 of request with message ID 0
11[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
14[IKE] giving up after 5 retransmits
14[IKE] peer not responding, trying again (5/0)
14[IKE] initiating IKE_SA host-host-1[3] to 192.168.1.2
14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
14[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
08[IKE] retransmit 1 of request with message ID 0
08[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
14[IKE] retransmit 2 of request with message ID 0
14[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
17[IKE] retransmit 3 of request with message ID 0
17[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
14[IKE] retransmit 4 of request with message ID 0
14[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
08[IKE] retransmit 5 of request with message ID 0
08[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
13[IKE] giving up after 5 retransmits
13[IKE] peer not responding, trying again (6/0)
13[IKE] initiating IKE_SA host-host-1[3] to 192.168.1.2
13[IKE] giving up after 5 retries
<no more output for over 10 hours. Reconnect remote computer
but it doesn't matter.  Nobody tries to talk to it :-(>

Why did charon stop trying?  I figured it would loop indefinitely
trying to contact 192.168.1.2.

If I strace charon I get:
rt_sigtimedwait([HUP INT TERM],

If I strace charon and its children (-f) I get a loop repeating
output of:
[pid 25625] <... accept resumed> {sa_family=AF_FILE, path=@""}, [2]) = 13
[pid 25625] futex(0x1006a16c, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x1006a168, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 1}) = 1
[pid 25625] futex(0x1006a16c, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x1006a168, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 1}) = 1
[pid 25625] recv(13,  <unfinished ...>
[pid 25623] <... futex resumed> )       = 0
[pid 25623] futex(0x1006a12c, FUTEX_WAKE_PRIVATE, 1) = 0
[pid 25623] accept(10,  <unfinished ...>
[pid 25622] <... futex resumed> )       = 0
[pid 25622] futex(0x1006a12c, FUTEX_WAKE_PRIVATE, 1) = 0
[pid 25622] futex(0x1006a16c, FUTEX_WAIT_PRIVATE, 88915, NULL <unfinished ...>
[pid 25625] <... recv resumed> "\1\36", 2, MSG_PEEK) = 2
[pid 25625] recv(13, "\1\36\0\0\0\0\0\7\0\0\0\1\0\0\1\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 286, 0) = 286
[pid 25625] fcntl64(13, F_GETFL)        = 0x2 (flags O_RDWR)
[pid 25625] fstat64(0xd, 0x4f02f688)    = 0
[pid 25625] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x48023000
[pid 25625] _llseek(13, 0, 0x4f02f6f8, SEEK_CUR) = -1 ESPIPE (Illegal seek)
[pid 25625] write(13, "Security Associations:\n  no matc"..., 34) = 34
[pid 25625] close(13)                   = 0
[pid 25625] munmap(0x48023000, 4096)    = 0
[pid 25625] futex(0x1006a16c, FUTEX_WAIT_PRIVATE, 88916, NULL <unfinished ...>
[pid 25623] <... accept resumed> {sa_family=AF_FILE, path=@""}, [2]) = 14
[pid 25623] futex(0x1006a16c, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x1006a168, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 1}) = 1
[pid 25623] futex(0x1006a16c, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x1006a168, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 1}) = 1
[pid 25623] recv(14,  <unfinished ...>
[pid 25621] <... futex resumed> )       = 0
[pid 25621] futex(0x1006a12c, FUTEX_WAKE_PRIVATE, 1) = 0
[pid 25621] accept(10,  <unfinished ...>
[pid 25620] <... futex resumed> )       = 0
[pid 25620] futex(0x1006a12c, FUTEX_WAKE_PRIVATE, 1) = 0
[pid 25620] futex(0x1006a16c, FUTEX_WAIT_PRIVATE, 88919, NULL <unfinished ...>
[pid 25623] <... recv resumed> "\1\36", 2, MSG_PEEK) = 2
[pid 25623] recv(14, "\1\36\0\0\0\0\0\7\0\0\0\1\0\0\1\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 286, 0) = 286
[pid 25623] fcntl64(14, F_GETFL)        = 0x2 (flags O_RDWR)
[pid 25623] fstat64(0xe, 0x4e02f688)    = 0
[pid 25623] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x48023000
[pid 25623] _llseek(14, 0, 0x4e02f6f8, SEEK_CUR) = -1 ESPIPE (Illegal seek)
[pid 25623] write(14, "Security Associations:\n  no matc"..., 34) = 34
[pid 25623] close(14)                   = 0
[pid 25623] munmap(0x48023000, 4096)    = 0
[pid 25623] futex(0x1006a16c, FUTEX_WAIT_PRIVATE, 88920, NULL

I am running Linux mybox 2.6.29.3 #1 PREEMPT Tue Aug 25 02:11:35 UTC
2009 ppc GNU/Linux
Note the PPC part :-)

I am also seeing a possibly related bug where two ipsec status commands
hang.  If I run ipsec status <parent_sa> and ipsec status <child_sa> at
the same time, I fairly often see the ipsec stroke commands hang for days
(until I kill them).  Don't know if this is related.

Thanks,

Barry

P.S.  Should this be a users list or dev list question?
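
The stalled state in the log above can be detected from charon's own output. The following is an added example, not part of the original post and not strongSwan code: it tracks each IKE_SA's last known state and flags connections whose final event is "giving up after N retries" with no later initiate. It assumes the two-digit prefix is the worker thread number and uses it to attribute lines that carry no connection name, and it assumes the "/0" in "trying again (n/0)" is how this log prints the %forever limit.

```python
import re

# Constructed sample, condensed from the charon output quoted in the post.
SAMPLE_LOG = """\
05[IKE] initiating IKE_SA host-host-1[1] to 192.168.1.2
09[IKE] IKE_SA host-host-1[1] established between 192.168.1.1[192.168.1.1]...192.168.1.2[192.168.1.2]
16[IKE] sending DPD request
05[IKE] giving up after 5 retransmits
05[IKE] restarting CHILD_SA host-host-1
05[IKE] initiating IKE_SA host-host-1[3] to 192.168.1.2
13[IKE] giving up after 5 retransmits
13[IKE] peer not responding, trying again (2/0)
13[IKE] initiating IKE_SA host-host-1[3] to 192.168.1.2
14[IKE] giving up after 5 retransmits
14[IKE] peer not responding, trying again (3/0)
14[IKE] initiating IKE_SA host-host-1[3] to 192.168.1.2
13[IKE] giving up after 5 retransmits
13[IKE] peer not responding, trying again (6/0)
13[IKE] initiating IKE_SA host-host-1[3] to 192.168.1.2
13[IKE] giving up after 5 retries
"""

LINE = re.compile(r"^(\d+)\[(\w+)\]\s+(.*)$")
INIT = re.compile(r"initiating IKE_SA (\S+)\[(\d+)\] to (\S+)")
ESTAB = re.compile(r"IKE_SA (\S+)\[(\d+)\] established between")
RETRY = re.compile(r"peer not responding, trying again \((\d+)/(\d+)\)")
# "retries" is the terminal message; "retransmits" only ends one attempt.
GIVEUP = re.compile(r"giving up after (\d+) retries")


def analyze(log_text):
    """Return {connection name: latest state} from charon log text."""
    conns = {}            # connection name -> dict describing its last event
    last_on_thread = {}   # thread prefix -> connection it last initiated
    pending_retry = {}    # thread prefix -> (attempt, limit) awaiting "initiating"
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        m = LINE.match(raw)
        if not m or m.group(2) != "IKE":
            continue
        tid, msg = m.group(1), m.group(3)
        if (i := INIT.search(msg)):
            attempt, limit = pending_retry.pop(tid, (1, None))
            conns[i.group(1)] = {"state": "initiating", "attempt": attempt,
                                 "limit": limit, "line": lineno}
            last_on_thread[tid] = i.group(1)
        elif (e := ESTAB.search(msg)):
            conns.setdefault(e.group(1), {}).update(state="established", line=lineno)
        elif (r := RETRY.search(msg)):
            pending_retry[tid] = (int(r.group(1)), int(r.group(2)))
        elif (g := GIVEUP.search(msg)) and tid in last_on_thread:
            conns[last_on_thread[tid]].update(
                state="abandoned", gave_up_after=int(g.group(1)), line=lineno)
    return conns


def stalled(conns):
    """Connections abandoned by the daemon with no initiate logged afterwards."""
    return sorted(name for name, c in conns.items() if c["state"] == "abandoned")


if __name__ == "__main__":
    state = analyze(SAMPLE_LOG)
    for name in stalled(state):
        c = state[name]
        print(f"{name}: abandoned at log line {c['line']} "
              f"(attempt {c['attempt']}/{c['limit']}, gave up after {c['gave_up_after']} retries)")
```
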