If you have the default of reauth=yes then the IKE SA must be completely shut down (and all child SAs) while IKE is restarted. This leads to a short period where no child SAs are able to carry traffic.
I suggest you try the same test with ikelifetime=10min (lifetime=30s) and verify this is the issue. If you use IKEv2 and reauth=no then you may avoid this problem.

On Mon, 2012-09-17 at 17:23 -0300, Diego Woitasen wrote:
> Hi,
> I'm testing my strongSwan installation and I discovered that I have
> packet loss on rekeying. I set these values to reproduce the problem:
>
> ikelifetime=60s
> lifetime=30s
> rekeymargin=20s
> rekeyfuzz=0%
>
> And every time a rekey appears in the log file, some packets are lost
> (testing with ping -A -c 100 in an infinite loop).
>
> I'm using 4.5.2 from Squeeze Backports.
>
> I have three questions:
>
> 1- Is this normal? Shall I expect some packet loss during the rekey?
>
> 2- If not, what can I do to debug this?
>
> 3- Is there some code added to the latest version that can help on this
> issue?
>
> Regards,
> Diego
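
Added example (not part of the original thread, and not strongSwan code): a small Python model of why the suggested test separates IKE reauthentication from CHILD_SA rekeying. It uses the rekey-time formula from the ipsec.conf documentation and assumes rekeymargin=20s and rekeyfuzz=0% stay unchanged in the second test, a 300-second ping run, and that each new SA restarts its timer at the moment of rekeying; the function names are illustrative.

```python
# Added illustration. Formula from the strongSwan ipsec.conf documentation:
#   rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))

MARGIN = 20   # rekeymargin=20s (from the original post)
FUZZ = 0      # rekeyfuzz=0%    (from the original post)


def rekey_window(lifetime, margin, fuzz_pct):
    """Return (earliest, latest) seconds after SA setup at which rekeying starts."""
    max_margin = margin * (1 + fuzz_pct / 100.0)
    if max_margin >= lifetime:
        # The SA could be scheduled for rekeying at or before it is established.
        raise ValueError("rekeymargin plus fuzz must be smaller than the lifetime")
    return (lifetime - max_margin, lifetime - margin)


def events_in(duration, lifetime, margin, fuzz_pct=0):
    """Times (s) of rekey events within `duration`, taking the earliest
    possible rekey each time (simplification: timers restart at each rekey)."""
    step, _latest = rekey_window(lifetime, margin, fuzz_pct)
    times = []
    t = step
    while t <= duration:
        times.append(t)
        t += step
    return times


def compare(duration=300):
    """Count (IKE events, CHILD_SA rekeys) for both configurations."""
    configs = {
        "original: ikelifetime=60s, lifetime=30s": (60, 30),
        "suggested: ikelifetime=10min, lifetime=30s": (600, 30),
    }
    result = {}
    for name, (ike_life, child_life) in configs.items():
        ike = events_in(duration, ike_life, MARGIN, FUZZ)
        child = events_in(duration, child_life, MARGIN, FUZZ)
        result[name] = (len(ike), len(child))
    return result


if __name__ == "__main__":
    for name, (ike, child) in compare().items():
        print(f"{name}: {ike} IKE reauth/rekey events, {child} CHILD_SA rekeys")
```

In this model the original settings put an IKE event inside the test window every 40 seconds, while the suggested settings leave only CHILD_SA rekeys, so loss that disappears in the second run points at reauthentication.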
