On Fri, 16 Jun 2017, Bob Cribbs wrote:

> I am in the process of upgrading from libreswan 3.12 to libreswan 3.20 and I'm
> noticing some weird behaviour in the tunnels' retransmit interval.
>
> If the tunnel is not connecting, it retransmits a few times per second,
> flooding my /var/auth.log file and banging on our customer's firewall.

This change of behaviour should only happen when you have auto=start.
Previously, when the remote sent a DELETE, we would end up in the auto=add
state, waiting on them to initiate. Now, since the conn is configured
with auto=start, we try again.

> 000 #42: "customer":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 0s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> 000 #41: "customer":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 3052s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

So I guess the IKE SA comes up, but there is an IPsec SA configuration
mismatch?

> 000 "customer":   retransmit-interval: 500ms; retransmit-timeout: 60s;
>
> 000 #51: "customer":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_v1_RETRANSMIT in 0s; nodpd; idle; import:admin initiate

Although this shows there is no existing IKE SA here.

> Notice both of them have `EVENT_v1_RETRANSMIT in 0s`, sometimes it's at -1 too.

The initial timer is 500ms, then it doubles (1s, 2s, 4s, ... until it hits
the timeout of 60s).

> I would like to keep this tunnel configured as the customer works on updating
> their settings so they can test it's working, but the auth.log file ends up
> taking GB of space in a day and the customer is not happy with the firewall trouble.

So in your case, you could use auto=add, which means "load but do not
initiate", or you can use auto=ondemand (same, but also try to initiate
when there is outgoing traffic matching the tunnel).

> I have other tunnels that are failing too, but their retransmit interval is
> incremental.

That's what I would expect, yes.

> Is there a config I'm missing to increase the time between retransmits in this
> scenario?
> And what can I do to make it incremental?

There is retransmit-timeout= and retransmit-interval=. And also
keyingtries=. But I think auto=add would be best for you for now,
until the misconfiguration is resolved.

Paul
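The two shapes of the "customer" conn discussed in this exchange, written out in libreswan ipsec.conf syntax as an added example (not taken from either mail). The addresses, subnets, and the use of authby=secret are placeholders; the retransmit values in the first block are the ones Bob's status output reports; the raised interval and keyingtries in the second block are illustrative choices, not values from the thread. The two conn blocks are alternatives: a real config carries exactly one conn with a given name.

```ini
# Added example (not from the thread). Two alternative definitions of the
# "customer" conn; keep only one of them in the loaded configuration.

config setup
    protostack=netkey

# Alternative A: what Bob is running now. auto=start makes pluto initiate at
# startup and, since 3.20, re-initiate after the peer sends a DELETE. While
# the IPsec SA never completes, every attempt retransmits on the
# 500ms/1s/2s/4s... schedule until retransmit-timeout expires, then starts
# again: the auth.log flood and the constant IKE traffic at the customer's
# firewall.
conn customer
    left=192.0.2.1              # placeholder: our public address
    leftsubnet=10.0.1.0/24      # placeholder
    right=198.51.100.1          # placeholder: customer's public address
    rightsubnet=10.0.2.0/24     # placeholder
    authby=secret               # placeholder; PSK lives in ipsec.secrets
    ikev2=no                    # IKEv1, matching the STATE_MAIN_*/STATE_QUICK_* lines
    retransmit-interval=500     # ms; the value shown in the status output
    retransmit-timeout=60       # s; the value shown in the status output
    auto=start

# Alternative B: Paul's interim suggestion. auto=add loads the conn so the
# customer can test against it, but pluto never initiates from our side, so
# their misconfiguration produces no retransmit storm here. auto=ondemand
# would instead initiate only when matching outbound traffic appears.
# retransmit-interval and keyingtries are illustrative: even a manual
# `ipsec auto --up customer` then backs off more gently and eventually stops.
conn customer
    left=192.0.2.1
    leftsubnet=10.0.1.0/24
    right=198.51.100.1
    rightsubnet=10.0.2.0/24
    authby=secret
    ikev2=no
    retransmit-interval=2000    # ms; first retransmit after 2s, then doubling
    retransmit-timeout=60       # s; abandon the exchange after 60s
    keyingtries=3               # stop after three failed negotiations (default %forever)
    auto=add
```

With alternative B loaded, `ipsec status` still lists the conn (so the customer can bring it up from their end), but no `EVENT_v1_RETRANSMIT` states appear until someone explicitly initiates.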
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
