I rely on strongSwan (currently 5.1.1 and using IKEv2) to interconnect
several data centres over the Internet and over private Layer 2 links.
However, on a weekly basis I'm faced with tunnel drops that require
manual intervention to bring up. This causes disruptions on our
applications and databases during the time it takes for an engineer to
be alerted and correct the problem.

Typically the drops fall into two categories:

1. Rekey collisions
2. Drops with no obvious cause

In order to fix type 1 issues, I've played with the rekeyfuzz setting.
The frequency of collisions has decreased, but still they occur.

I'm not familiar with charon's internals, but why does a rekey collision
cause a tunnel drop? Isn't it possible to implement a solution that
guarantees the tunnel doesn't drop in the event of a rekey collision?!
Could this lack of reliability be due to the old kernel in use? (2.6.18)

I'd be grateful if someone could shed some light on this topic since
this problem has become severe for me.

Tiago