New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Regression in strongSwan 5.9.4 causes N2N connections with one passive side to be reestablished every 10 seconds #823
Comments
My guess is that this is a side effect of 23e46ea. Since the host you consider to be a responder only may now initiate the reauthentication, instead of requesting the other peer to initiate it earlier, the So to fix this, configure reauth=no on the host you only want to act as responder (or on both to only use rekeying, which is way more stable anyway). |
Thanks for this hint. Sorry for replying late on this. I would prefer adding @mtremer: Do you have an opinion on this? |
IPFire does not configure I wouldn't generally want to disable re-authentication in IPFire. |
Apologies for my late reply on this.
So to fix this, configure _reauth=no_ on the host you only want to act as responder (or on both to only use rekeying, which is way more stable anyway).
I can confirm that this solves the flapping IPsec tunnel issue. In my scenario, however, it leads to initiators being unreachable if strongSwan on the responder is stopped (for example, during an update) and started again shortly afterwards. The initiators will then never try to establish the IPsec tunnel again. With `reauth=yes`, they do, so there is no manual interaction required for bringing the IPsec connections back up in such a case.
Of course, I could use a Cron job or something similar to work around this, but that is a "solution" I would like to avoid. :-)
|
|
Of course, this was it; I completely forgot about that one. Thank you for the hint. |
System (please complete the following information):
13.0-STABLE-HBSD
Describe the bug
The HBSD server establishes an N2N connection to the IPFire machine, which is configured to wait for incoming IPsec traffic, not to establish the connection on its own. As long as either the HBSD server or IPFire machine runs strongSwan 5.9.3 or lower, this works fine and stable.
After subsequent upgrades, both systems are running strongSwan 5.9.4 now, and the IPsec tunnel is not stable anymore. Instead, it gets reestablished every 10 seconds due to
uniqueids=yes
and duplicate IKE_SA detected:Setting
uniqueids=no
on one of those systems causes the IPsec connection to be stable again, but sometimes leaves IPsec with multiple SAs established for the same connection, which is unnecessary. Despite, this setup worked for years withuniqueids=yes
on both ends.Especially with regards to
in the 5.9.4's release announcement, it looks as if strongSwan 5.9.4 introduced a regression here, causing such IPsec connections to be mistakenly reestablished.
To Reproduce
Steps to reproduce the behavior:
on the system where
auto=start
is set.Expected behavior
The IPsec connection is established and running stable.
Logs/Backtraces
Similar to this sample. For some reason, the strongSwan instance on the system where
auto=add
is set tears down the IPsec connection after 10 seconds due do uniqueness policy. Settinguniqueids
tono
on that system mitigates the problem, but does not really solve it - see initial description.Additional context
See also: https://bugzilla.ipfire.org/show_bug.cgi?id=12725
Cc: @mtremer
The text was updated successfully, but these errors were encountered: