duplicate tunnels



  • We have some VTI Tunnels connecting multiple sites (both using pfSense). Occasionally all the gateways at a site turn red and the only solution we have found to fix the problem is to reboot the pfSense box. We've seen this problem on multiple pfSense units. We see this happen about once every 1-2 months. It's really strange.

    Any help tracking down a solution would be very helpful. Thanks.

    Things we've tried without success:

    • Restarting ipsec service
    • Stopping ipsec service and then starting it
    • Disconnect/reconnect tunnels
    • Restart dpinger

    When the issue occurs, the output of ipsec status with some public IPs manually obfuscated...

    Shunted Connections:
       bypasslan:  192.168.95.0/24|/0 === 192.168.95.0/24|/0 PASS
    Routed Connections:
         con2000{10718}:  ROUTED, TUNNEL, reqid 1
         con2000{10718}:   192.168.95.0/24|/0 === 192.168.85.0/24|/0
    Security Associations (5 up, 0 connecting):
         con1000[499]: ESTABLISHED 86 minutes ago, x.104.231.x[x.104.231.X]...G.164.217.G[G.164.217.G]
         con1000{10556}:  INSTALLED, TUNNEL, reqid 1000, ESP SPIs: c222fade_i c396d4a5_o
         con1000{10556}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con1000{10568}:  INSTALLED, TUNNEL, reqid 1000, ESP SPIs: c64331d7_i cb16d7c8_o
         con1000{10568}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con1000{10594}:  INSTALLED, TUNNEL, reqid 1000, ESP SPIs: cf7f13c1_i c168e112_o
         con1000{10594}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con1000{10659}:  INSTALLED, TUNNEL, reqid 1000, ESP SPIs: c7787929_i c11d793f_o
         con1000{10659}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con1000{10678}:  INSTALLED, TUNNEL, reqid 1000, ESP SPIs: c6747a4c_i c047ea49_o
         con1000{10678}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con1000{10710}:  INSTALLED, TUNNEL, reqid 1000, ESP SPIs: c53ebb13_i c8947b1b_o
         con1000{10710}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con1000{10717}:  INSTALLED, TUNNEL, reqid 1000, ESP SPIs: ccccbe00_i c4456678_o
         con1000{10717}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con1000{10723}:  INSTALLED, TUNNEL, reqid 1000, ESP SPIs: cf110a55_i cb57872c_o
         con1000{10723}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con2000[495]: ESTABLISHED 3 hours ago, x.104.231.x[x.104.231.x]...D.15.15.D[D.15.15.D]
         con2000{10611}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2e78f08_i e04795d7_o
         con2000{10611}:   192.168.95.0/24|/0 === 192.168.85.0/24|/0
         con3000[494]: ESTABLISHED 5 hours ago, x.104.231.x[x.104.231.x]...C.153.236.C[C.153.236.C]
         con3000{10565}:  INSTALLED, TUNNEL, reqid 3000, ESP SPIs: c6ea2c2b_i cfe4eb5d_o
         con3000{10565}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con3000{10566}:  INSTALLED, TUNNEL, reqid 3000, ESP SPIs: c58d5e6c_i ca046a39_o
         con3000{10566}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con3000{10567}:  INSTALLED, TUNNEL, reqid 3000, ESP SPIs: c39c5e2b_i c7abb609_o
         con3000{10567}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con3000{10580}:  INSTALLED, TUNNEL, reqid 3000, ESP SPIs: c7883d94_i ce5916e0_o
         con3000{10580}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con3000{10581}:  INSTALLED, TUNNEL, reqid 3000, ESP SPIs: c32092f6_i c1a92036_o
         con3000{10581}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con3000{10587}:  INSTALLED, TUNNEL, reqid 3000, ESP SPIs: cbb89c52_i c89ff886_o
         con3000{10587}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con3000{10588}:  INSTALLED, TUNNEL, reqid 3000, ESP SPIs: ccfb4594_i c9aeebe0_o
         con3000{10588}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con3000{10595}:  INSTALLED, TUNNEL, reqid 3000, ESP SPIs: cb4e7d9b_i c8da1367_o
         con3000{10595}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con3000{10687}:  INSTALLED, TUNNEL, reqid 3000, ESP SPIs: c6ea36aa_i c4d4792c_o
         con3000{10687}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000[498]: ESTABLISHED 95 minutes ago, x.104.231.x[x.104.231.x]...Z.164.138.Z[Z.164.138.Z]
         con4000{10617}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c836f1db_i ca5dac5b_o
         con4000{10617}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10618}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c1ec46f8_i ca8d923a_o
         con4000{10618}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10619}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: ce389823_i cd1788cf_o
         con4000{10619}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10620}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c0633931_i c01f5207_o
         con4000{10620}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10621}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: ca39820b_i cced1c7b_o
         con4000{10621}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10622}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c540e722_i ca072fac_o
         con4000{10622}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10623}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: caba46e7_i c5cd5fd7_o
         con4000{10623}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10624}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c0623f1f_i c29e7f40_o
         con4000{10624}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10625}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c6f62dbe_i c004902b_o
         con4000{10625}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10626}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: ce577c4d_i c5356e69_o
         con4000{10626}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10627}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: cc728c52_i c6473d5c_o
         con4000{10627}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10628}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c59136c8_i cc3c58f8_o
         con4000{10628}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10629}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c1d3838b_i c42d5b10_o
         con4000{10629}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10630}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c18588f8_i cbf19ccf_o
         con4000{10630}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10631}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c7580478_i c5f73240_o
         con4000{10631}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10632}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c02a4ddd_i cafe879a_o
         con4000{10632}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10633}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c9eef95f_i cf29dbd6_o
         con4000{10633}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10634}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c3df0fc7_i cb8b7874_o
         con4000{10634}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10635}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: cca8fdc2_i c2718543_o
         con4000{10635}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10636}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c86d7408_i cea4e79e_o
         con4000{10636}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10637}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: cdb3fd4e_i c2e76b95_o
         con4000{10637}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10638}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: cf688ade_i cb72873e_o
         con4000{10638}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10639}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c5cffc48_i cdd25a49_o
         con4000{10639}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10640}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c1b8beda_i c757162d_o
         con4000{10640}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10641}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: cd16ca53_i c0f1d6b8_o
         con4000{10641}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10642}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c2b68a48_i c4b54bb2_o
         con4000{10642}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10643}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: cc3a4dd0_i ccf3b59c_o
         con4000{10643}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10644}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c1595aa3_i cfbd9db9_o
         con4000{10644}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10645}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c6a9b6b5_i c3f774a6_o
         con4000{10645}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10646}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c7b7b1c8_i c52a30fb_o
         con4000{10646}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10647}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: cedf09d4_i c8f0c65d_o
         con4000{10647}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10648}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: ca699d81_i c4b9c9ae_o
         con4000{10648}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10649}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c8980619_i c91311d5_o
         con4000{10649}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10650}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c47af969_i c4ff0b4e_o
         con4000{10650}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10651}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c2f84273_i c61be7bd_o
         con4000{10651}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10657}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: cc14c782_i c60266fb_o
         con4000{10657}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10658}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c59d2198_i c841b17d_o
         con4000{10658}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10660}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: cd810da8_i cc4f964f_o
         con4000{10660}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10661}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: cc52cafb_i cf322b76_o
         con4000{10661}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10662}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: cc3432a5_i c6cc5caa_o
         con4000{10662}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10663}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c6128742_i c07081e9_o
         con4000{10663}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10664}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c406ad19_i c52cc6e8_o
         con4000{10664}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10665}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: cb9fc7f6_i cd52ee5d_o
         con4000{10665}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10666}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: cecf9e58_i cd2f125e_o
         con4000{10666}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10667}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: cd938d1f_i c38590d6_o
         con4000{10667}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10668}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c817c6b9_i cbbe6c97_o
         con4000{10668}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10669}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c9503e84_i c92c182a_o
         con4000{10669}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10670}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: cad1c0d4_i c99e4f3f_o
         con4000{10670}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10676}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c7c42f81_i c20c9c42_o
         con4000{10676}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10677}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c8a7ef6f_i caeccf15_o
         con4000{10677}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10679}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: ce2f1f0c_i c5e55c36_o
         con4000{10679}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10680}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c6af35db_i c8a0fa5c_o
         con4000{10680}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10684}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c5f6f09f_i c652c576_o
         con4000{10684}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10688}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c3ad5c85_i c6b3d106_o
         con4000{10688}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10689}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: cafe24b0_i c2f5dc8c_o
         con4000{10689}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10690}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c921d6ca_i cb9c9917_o
         con4000{10690}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10696}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c9ace03f_i ce4839ae_o
         con4000{10696}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10697}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c08c7b9b_i c51d8499_o
         con4000{10697}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10708}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c60e34ff_i cf89bf19_o
         con4000{10708}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{10709}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c3e4fffb_i c3700c50_o
         con4000{10709}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con5000[496]: ESTABLISHED 2 hours ago, x.104.231.130[x.104.231.x]...Y.160.177.Y[Y.160.177.Y]
         con5000{10574}:  INSTALLED, TUNNEL, reqid 5000, ESP SPIs: c59574ea_i c6828bcf_o
         con5000{10574}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con5000{10711}:  INSTALLED, TUNNEL, reqid 5000, ESP SPIs: c44a097f_i c9117ff4_o
         con5000{10711}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0

  • Rebel Alliance Developer Netgate

    How is the memory usage on the box when that happens?

    I have not personally witnessed it happening, or seen concrete evidence conclusively proving it, but there have been reports of a possible memory leak with VTI IPsec, which could lead to long-term instability.

    Check the various graphs under Status > Monitoring and see if you notice any trends around when it starts to fail.

    If there is a memory leak, the best chance of a fix would be upgrading to 2.4.5 which has a newer base OS and newer version of strongSwan, which may address the issues.



  • @jimp Thank you for the response. I checked memory usage on a few suspect units and there is no indication of leaks or out-of-memory problems. I checked our internal monitoring data as well as the internal pfSense metrics.



  • Here is ipsec status from a working unit... It has duplicates as well? When the system reboots, there is only one line of "INSTALLED TUNNEL reqid..." for each tunnel. It seems after some time this increases.

    Shunted Connections:
       bypasslan:  192.168.78.0/24|/0 === 192.168.78.0/24|/0 PASS
    Routed Connections:
         con2000{51918}:  ROUTED, TUNNEL, reqid 1
         con2000{51918}:   192.168.78.0/24|/0 === 192.168.85.0/24|/0
    Security Associations (4 up, 0 connecting):
         con2000[3493]: ESTABLISHED 48 minutes ago, ................
         con2000{51942}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c30b15a1_i 6207c776_o
         con2000{51942}:   192.168.78.0/24|/0 === 192.168.85.0/24|/0
         con3000[3494]: ESTABLISHED 38 minutes ago, ................
         con3000{52015}:  INSTALLED, TUNNEL, reqid 3000, ESP SPIs: ce4c4b7c_i c9217462_o
         con3000{52015}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con3000{52016}:  INSTALLED, TUNNEL, reqid 3000, ESP SPIs: c31e2701_i c687cfa0_o
         con3000{52016}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con3000{52017}:  INSTALLED, TUNNEL, reqid 3000, ESP SPIs: c11e1f94_i c8b28b8b_o
         con3000{52017}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con3000{52018}:  INSTALLED, TUNNEL, reqid 3000, ESP SPIs: c67ad91e_i cfeb105a_o
         con3000{52018}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con3000{52019}:  INSTALLED, TUNNEL, reqid 3000, ESP SPIs: c4cc2213_i cf4cc947_o
         con3000{52019}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con3000{52020}:  INSTALLED, TUNNEL, reqid 3000, ESP SPIs: c17520df_i c60eb366_o
         con3000{52020}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000[3446]: ESTABLISHED 6 hours ago, ................
         con4000{52021}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: cb4d7066_i c6c82d4e_o
         con4000{52021}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{52022}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c8c67ffb_i c2cd2e85_o
         con4000{52022}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{52023}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c13cbd37_i c2ba03a7_o
         con4000{52023}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con4000{52024}:  INSTALLED, TUNNEL, reqid 4000, ESP SPIs: c9f6e3a4_i c7fe0183_o
         con4000{52024}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con1000[3483]: ESTABLISHED 2 hours ago, ................
         con1000{52012}:  INSTALLED, TUNNEL, reqid 1000, ESP SPIs: c1a1d77f_i c5f5853d_o
         con1000{52012}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
         con1000{52014}:  INSTALLED, TUNNEL, reqid 1000, ESP SPIs: c227433f_i cd235aeb_o
         con1000{52014}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0

  • Rebel Alliance Developer Netgate

    Not sure what might be causing that, but I'm not seeing duplicates like that on my systems here. Though they get rebooted frequently when testing / updating snapshots.

    There is a chance that's a bug or quirk in strongSwan that will be better in 2.4.5, though it's almost certainly going to be improved on 2.5.0 where we have converted over to the new swanctl/VICI configuration format (https://redmine.pfsense.org/issues/9603). There are a number of similar problems that we have confirmed have been solved by doing that.

    If you have a test system / lab setup you might consider spinning up a tunnel to a test system running 2.4.5 and/or 2.5.0 and see if you observe the same problems there.



  • @jimp

    Official response from the Strongswan developer

    That's a known problem if you combine break-before-make reauthentication with trap policies. There is a short time after the old SA has been terminated and while the new one is established during which no SA is installed in the kernel. But since the trap policies are still installed, new acquires might get triggered by the kernel if there happens to be matching traffic at that time, which will create an additional CHILD_SA (which in turn gets recreated during the next reauthentication). To avoid that, either use make-before-break reauthentication (creates the new IKE and CHILD_SAs overlapping) or just use IKE_SA rekeying to replace the keying material without any interruption at all.

    https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey


  • Rebel Alliance Developer Netgate

    VTI doesn't use trap policies though. It can't, since it's routed there are no policies to trap.



  • I started monitoring the number of duplicate tunnels to see if anything pops out. This is strange.

    This shows 3 firewalls. Each line shows the value of the most duplicates for any one VPN tunnel on that firewall host. We did some reboots and it seems like around 50 the VPNs all go down and the host is rebooted and they drop down to reasonable values again.

    [attached image: graph of the maximum duplicate-tunnel count per firewall host over time]
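A check for the monitoring described in this post, written as an added example (not the poster's script or pfSense code): it parses `ipsec status` output in the format shown in the thread, counts INSTALLED child SAs per connection, and reports the largest count on any one tunnel. The sample output, the documentation-range peer addresses and the alert threshold are constructed assumptions.

```python
import re
import subprocess
import sys
from collections import Counter

# Constructed sample in the format of the thread's `ipsec status` output;
# peer addresses are documentation ranges, not real hosts.
SAMPLE_STATUS = """\
Routed Connections:
     con2000{10718}:  ROUTED, TUNNEL, reqid 1
Security Associations (2 up, 0 connecting):
     con1000[499]: ESTABLISHED 86 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
     con1000{10556}:  INSTALLED, TUNNEL, reqid 1000, ESP SPIs: c222fade_i c396d4a5_o
     con1000{10556}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
     con1000{10568}:  INSTALLED, TUNNEL, reqid 1000, ESP SPIs: c64331d7_i cb16d7c8_o
     con1000{10568}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
     con1000{10594}:  INSTALLED, TUNNEL, reqid 1000, ESP SPIs: cf7f13c1_i c168e112_o
     con1000{10594}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
     con2000[495]: ESTABLISHED 3 hours ago, 203.0.113.10[203.0.113.10]...198.51.100.30[198.51.100.30]
     con2000{10611}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2e78f08_i e04795d7_o
     con2000{10611}:   192.168.95.0/24|/0 === 192.168.85.0/24|/0
"""

# One "INSTALLED, TUNNEL" line per CHILD_SA ({id} is the child SA number), so
# counting these lines per connection counts the live child SAs. ROUTED
# (trap/route) entries and selector lines are deliberately not matched.
CHILD_SA_RE = re.compile(r"^\s*(?P<conn>\S+)\{\d+\}:\s+INSTALLED, TUNNEL, reqid (?P<reqid>\d+)")

def count_child_sas(status_text):
    """Return {connection name: number of INSTALLED child SAs}."""
    counts = Counter()
    for line in status_text.splitlines():
        m = CHILD_SA_RE.match(line)
        if m:
            counts[m.group("conn")] += 1
    return dict(counts)

def duplicates(status_text, expected=1):
    """Connections holding more child SAs than a healthy VTI tunnel should (one)."""
    return {c: n for c, n in count_child_sas(status_text).items() if n > expected}

def max_duplicates(status_text):
    """The metric graphed in the thread: most child SAs on any one tunnel."""
    counts = count_child_sas(status_text)
    return max(counts.values()) if counts else 0

def main(alert_at=10):
    # Assumed threshold: the thread saw tunnels collapse around 50, so alert well before that.
    try:
        status = subprocess.run(["ipsec", "status"], capture_output=True,
                                text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        status = SAMPLE_STATUS  # not on a strongSwan host: fall back to the sample
    for conn, n in sorted(duplicates(status).items()):
        print(f"{conn}: {n} child SAs")
    worst = max_duplicates(status)
    print(f"max child SAs on one tunnel: {worst}")
    return 1 if worst >= alert_at else 0  # non-zero exit for cron or a monitoring agent

if __name__ == "__main__":
    sys.exit(main())
```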


  • Rebel Alliance Developer Netgate

    I did manage to find one pair of peers which could reproduce the problem here but it's very inconsistent. An identical set of tunnels on another pair doesn't do it. I haven't managed to catch anything noteworthy in the logs either, from all appearances one side or the other just thinks it needs a new child SA and initiates it, and then keeps it around indefinitely even though it isn't being used.

    Having a mobile P1 setup on one end seemed to make it worse, but that again may just be a coincidence.

    I tried setting the P2 close action on one side to close/clear and the other to restart/reconnect, but it didn't matter which way that was set in either direction, it still happened.

    One thing I haven't tried yet is to set one side as responder only, and then also in combination with the close action setup (in one direction or the other).



  • I'm going to have to google some of the things you talked about.

    I set reauth = no and rekey = no. It's been about 2 days and so far so good: no reboots needed and no duplicate tunnels creeping up.

