Hi Tobias,

Thanks for the reply and suggestion.

I have changed the tunnel config as below:

conn %default
        ikelifetime=20m
        keylife=10m
        rekeymargin=3m

But still the problem persists. I can still see a lot of redundant SAs when I issue "ipsec statusall".

On my environment there is no support for the kernel-netlink interface for IPsec; I have to use the kernel-pfkey interface only, as I have my hooks registered in PFKEY to XFRM for IPsec.

I have tried the latest versions of strongswan (4.5.1 and 4.5.3); both resulted in a kernel panic after running for a while. I think there is not much support for the kernel-pfkey plugin in the latest strongswan versions, and since the latest versions require the kernel-netlink plugin to function properly, migrating to newer versions might not be helpful in my case.

Kindly suggest what can be the solution for this issue.

Thanks,
Anand

----- Original Message -----
From: Tobias Brunner <tob...@strongswan.org>
To: anand rao <anandrao...@yahoo.co.in>
Cc: "users@lists.strongswan.org" <users@lists.strongswan.org>
Sent: Monday, March 19, 2012 9:17 PM
Subject: Re: [strongSwan] Charon hangs after failing to delete Rekeyed IPsec SAs

Hi Anand,

> conn %default
>         ikelifetime=10m
>         keylife=5m
>         rekeymargin=3m

Not sure what exactly the problem is but I suspect it might be related to the times you configured above (at least partially). Please have a look at the wiki page documenting how rekey times are calculated [1]. As you can see, the values 5m for keylife (lifetime) and 3m for rekeymargin (margintime) are problematic - it could even disable rekeying (rekeytime = 5m - random(3m..6m)). Please increase lifetime and see if that fixes the problem (also, updating to a more recent release wouldn't hurt).

Regards,
Tobias

[1] http://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
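The rekey-time formula quoted in the thread (rekeytime = lifetime - random(margin..2*margin)) can be checked against both posted configurations. The following is an added example, not code from either participant or from strongSwan; the function names, the `fuzz` parameter (1.0 reproduces the 3m..6m range quoted above) and the rule "earliest rekeytime <= 0 means rekeying may be disabled" are assumptions of this sketch.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# The two conn sections as posted in the thread.
ORIGINAL = "conn %default\n ikelifetime=10m\n keylife=5m\n rekeymargin=3m\n"
REVISED = "conn %default\n ikelifetime=20m\n keylife=10m\n rekeymargin=3m\n"

def parse_time(value):
    """Convert an ipsec.conf style time such as '10m' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_conn(text):
    """Collect key=value options from one conn section, ignoring comments."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            opts[key.strip()] = val.strip()
    return opts

def rekey_window(lifetime, margin, fuzz=1.0):
    """Earliest and latest rekeytime (seconds) for
    rekeytime = lifetime - random(margin .. margin * (1 + fuzz))."""
    return lifetime - int(margin * (1 + fuzz)), lifetime - margin

def check(text, fuzz=1.0):
    """Report the rekey window for IKE and IPsec SAs of one conn section."""
    opts = parse_conn(text)
    margin = parse_time(opts["rekeymargin"])
    report = {}
    for key in ("ikelifetime", "keylife"):
        lo, hi = rekey_window(parse_time(opts[key]), margin, fuzz)
        # Assumption: a window reaching zero or below can leave no time to rekey.
        report[key] = {"earliest": lo, "latest": hi, "may_disable_rekey": lo <= 0}
    return report

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("revised", REVISED)):
        for key, win in check(conf).items():
            print(name, key, win)
```

With the original values the keylife window runs from -60 s to 120 s, which is the case Tobias flags; the revised values give a window of 240 s to 420 s for keylife.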