Hi, I'm running strongswan 5.1.1 in a site-to-site configuration using NAT-T between
2 VMs where both hosts have been created from the same image. Both sites also
have their time synced using NTP.
Generally it's working fine (although I'm getting 5% packet loss when pinging) but
periodically (daily) one or more tunnels seem to stop working. After some
investigation, it seemed that these coincide with a rekey collision where both
sides create rekey jobs at (to the nearest second) the same time. When this
happens I don't see any specific errors in the logs.
The relevant config parameters are:
ikelifetime=3h
keylife=1h
rekeymargin=9m
keyingtries=%forever
rekeyfuzz=100%???
reauth=no
So I have a few questions:
1. Why do we keep seeing the collisions? Surely the rekeyfuzz would make this
pretty unlikely, or does the way the hosts were built and/or the time sync affect the
randomness of rekeyfuzz?
2. When we get a collision, why don't we see an error and why doesn't it retry
given the keyingtries parameter?
3. Is it recommended that only one side should do rekeying (i.e. set rekey=no
on the other)?
Regards
Steve Lee
Senior Architect
Phone: +44 (0)7474 647674
http://www.zynstra.com/
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
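As an added illustration (not from Steve's post and not strongSwan's own code): strongSwan's documented rule schedules a rekey at lifetime minus rekeymargin minus a random slice of rekeymargin*rekeyfuzz, so with the posted values every CHILD_SA or IKE_SA rekey lands inside a 540-second window. The example assumes that rule, synchronised clocks and both peers setting up the SA in the same second, and estimates how often two independent peers pick the same rekey second.

```python
import random

# Assumed scheduling rule, taken from strongSwan's documented behaviour:
#   rekey_time = lifetime - (rekeymargin + random(0, rekeymargin * rekeyfuzz))
# The only randomness is the last term, so the rekey fires inside a window
# of rekeymargin*rekeyfuzz seconds; the rest of the timing is deterministic.

KEYLIFE = 3600        # keylife=1h      (value from the post)
IKELIFETIME = 10800   # ikelifetime=3h  (value from the post)
REKEYMARGIN = 540     # rekeymargin=9m  (value from the post)
REKEYFUZZ = 1.0       # rekeyfuzz=100%  (value from the post)

def rekey_window(lifetime, margin, fuzz):
    """Earliest and latest possible rekey time, in seconds after SA setup."""
    spread = int(margin * fuzz)
    return lifetime - margin - spread, lifetime - margin

def draw_rekey_time(lifetime, margin, fuzz, rng):
    """One peer's rekey time, rounded to the whole second the job fires in."""
    return lifetime - margin - rng.randrange(int(margin * fuzz))

def collision_probability(margin, fuzz):
    """Chance that two peers with identical settings and synchronised clocks,
    which set up the SA in the same second, pick the same rekey second."""
    return 1.0 / int(margin * fuzz)

def simulate_collision_rate(lifetime, margin, fuzz, trials=200_000, seed=1):
    """Monte Carlo check of collision_probability: both peers draw independently."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        a = draw_rekey_time(lifetime, margin, fuzz, rng)
        b = draw_rekey_time(lifetime, margin, fuzz, rng)
        hits += (a == b)
    return hits / trials

def expected_daily_collisions(tunnels, lifetime, margin, fuzz):
    """Rough expected number of same-second rekey collisions per day across
    'tunnels' CHILD_SAs, each rekeying about once per mean rekey interval."""
    lo, hi = rekey_window(lifetime, margin, fuzz)
    mean_interval = (lo + hi) / 2
    rekeys_per_day = 86400 / mean_interval
    return tunnels * rekeys_per_day * collision_probability(margin, fuzz)

if __name__ == "__main__":
    print("CHILD_SA rekey window (s):", rekey_window(KEYLIFE, REKEYMARGIN, REKEYFUZZ))
    print("IKE_SA rekey window (s):  ", rekey_window(IKELIFETIME, REKEYMARGIN, REKEYFUZZ))
    print("per-rekey collision probability: %.5f (simulated %.5f)" % (
        collision_probability(REKEYMARGIN, REKEYFUZZ),
        simulate_collision_rate(KEYLIFE, REKEYMARGIN, REKEYFUZZ)))
    print("expected collisions/day for 10 tunnels: %.2f" %
          expected_daily_collisions(10, KEYLIFE, REKEYMARGIN, REKEYFUZZ))
```

The per-rekey odds are small, but they are multiplied by every tunnel and every rekey in a day, so a small site can still see a collision daily; whether a collision also breaks traffic is a separate question from how often it occurs.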