[Swan-dev] IKEv2 rekey initiator failures
Paul Wouters
paul at nohats.ca
Wed Apr 8 19:28:42 UTC 2020
On Wed, 8 Apr 2020, Antony Antony wrote:
> I noticed sometimes several rekeys would get queued up, and the delete would
> stay in the queue for longer. I think it is best to prioritize v2D ahead of
> CREATE_CHILD_SA. Also, I can't think of any side effect of prioritizing v2D.
Why do you think it is best to prioritize?
Deletes are kind of optional. SAs die by themselves, and a lingering
SA is not very harmful.
On the other hand, a CREATE_CHILD_SA could be triggered by an on-demand
new tunnel, and in that case it would be nice to do these as soon as
possible since a packet is waiting on the tunnel to establish.
There might be different reasons depending on whether there is a
relationship between the delete and the create_child_sa. If they are
connected it might make sense to do it differently from the case I
mentioned above.
>> Apr 6 13:58:50.367487: | ikev2_child_sa_respond returned
>> STF_INTERNAL_ERROR
>>
>> Any ideas on what triggered the internal error?
>
> I know one step further. The line shown below, "EVENT_SA_EXPIRE, timeout in
> 0 seconds", is the cause. However, I don't know why pluto schedules this
> EVENT_SA_EXPIRE.
>
> Did you look at the log?
I will look into STF_INTERNAL_ERRORs. All of them should have a
loglog() error line. It should never be returned without an error
message.
Thanks for looking into this,
Paul
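As an added illustration (not code from this thread or from the libreswan project), the invariant stated above, that every STF_INTERNAL_ERROR return is accompanied by a loglog() error line, can be checked over a pluto log; the log excerpt, the "| " debug-line convention and the `window` parameter are constructed assumptions.

```python
import re

# Constructed sample log (not from the thread), modelled on the quoted
# "ikev2_child_sa_respond returned STF_INTERNAL_ERROR" debug line.
# Assumption: debug output carries a "| " prefix, loglog() output does not.
SAMPLE_LOG = """\
Apr 6 13:58:50.367001: "west" #3: STATE_V2_IKE_SA_INIT_R: sent IKE_SA_INIT reply
Apr 6 13:58:50.367100: | processing CREATE_CHILD_SA request for state #3
Apr 6 13:58:50.367200: "west" #3: CREATE_CHILD_SA failed: child SA already being replaced
Apr 6 13:58:50.367300: | ikev2_child_sa_respond returned STF_INTERNAL_ERROR
Apr 6 13:58:51.100000: | processing CREATE_CHILD_SA request for state #5
Apr 6 13:58:51.100050: | EVENT_SA_EXPIRE, timeout in 0 seconds
Apr 6 13:58:51.100100: | ikev2_child_sa_respond returned STF_INTERNAL_ERROR
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+): (?P<body>.*)$")
INTERNAL_ERROR_RE = re.compile(r"\breturned STF_INTERNAL_ERROR\b")


def parse_line(line):
    """Split a pluto log line into (is_debug, body); None if it is not a log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    return body.startswith("| "), body


def find_silent_internal_errors(log, window=3):
    """Return (line_no, line) for each STF_INTERNAL_ERROR debug line that has no
    loglog() (non-debug) message among the `window` lines preceding it.
    The window is a heuristic (assumption): an error logged for the same state
    is expected immediately before the state function returns."""
    lines = log.splitlines()
    parsed = [parse_line(l) for l in lines]
    silent = []
    for i, entry in enumerate(parsed):
        if entry is None or not INTERNAL_ERROR_RE.search(entry[1]):
            continue
        preceding = parsed[max(0, i - window):i]
        has_loglog = any(p is not None and not p[0] for p in preceding)
        if not has_loglog:
            silent.append((i + 1, lines[i]))
    return silent


if __name__ == "__main__":
    for line_no, line in find_silent_internal_errors(SAMPLE_LOG):
        print(f"line {line_no}: STF_INTERNAL_ERROR without an error message: {line}")
```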