[Swan] Retransmit interval

Paul Wouters paul at nohats.ca
Sun Jun 18 15:02:17 UTC 2017


On Fri, 16 Jun 2017, Bob Cribbs wrote:

> I am in the process of upgrading from libreswan 3.12 to libreswan 3.20 and I'm noticing some weird behaviour on tunnels retransmit interval.
> 
> If the tunnel is not connecting, it retransmits a few times per second, and flooding my /var/auth.log file and banging on our customer's firewall.

This change of behaviour should only happen when you have auto=start.
Previously, when the remote sends a DELETE, we would end up in auto=add
state, waiting on them to initiate. Now, since the conn is configured
with auto=start, we try again.

> 000 #42: "customer":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 0s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> 000 #41: "customer":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 3052s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

So I guess the IKE SA comes up, but there is an IPsec SA configuration
mismatch?

> 000 "customer":   retransmit-interval: 500ms; retransmit-timeout: 60s;

> 000 #51: "customer":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_v1_RETRANSMIT in 0s; nodpd; idle; import:admin initiate

Although this shows there is no existing IKE SA here.

> Notice both of them have `EVENT_v1_RETRANSMIT in 0s`, sometimes it's at -1 too.

The initial timer is 500ms, then it doubles (1s, 2s, 4s until it hits
the timeout of 60s).

> I would like to keep this tunnel configured as the customer works on updating their settings so they can test it's working, but the auth.log file ends up
> in GB of space in a day and the customer is not happy with the firewall trouble.

So in your case, you could use auto=add, which means "load but not
initiate", or you can use auto=ondemand (same, but also try to initiate
when there is outgoing traffic matching the tunnel).

> I have other tunnels that are failing too, but their retransmit interval is incremental.

That's what I would expect, yes.

> Is there a config I'm missing to increase the time between retransmits in this scenario?
> And what can I do to make it incremental?

There is retransmit-timeout= and retransmit-interval=. And also
keyingtries=. But I think auto=add would be best for you for now,
until the misconfiguration is resolved.

Paul
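The retransmit schedule Paul describes (500ms, then doubling until the 60s timeout) and the "stuck in EVENT_v1_RETRANSMIT in 0s" pattern Bob pasted lend themselves to a small triage script. The following is an added example, not code from libreswan or from either poster: it models the timer from the wording of the mail (the exact cut-off rule is an assumption, not libreswan's source), parses `ipsec status` style lines for the retransmit-interval/retransmit-timeout settings and per-state events, and lists the states that are due or overdue for retransmission. The sample input is the thread's quoted status output, embedded as constructed test data.

```python
"""Added example for this thread (not libreswan code, not the posters' code).

Two things described in the reply are modelled here:
  * the IKEv1 retransmit timer: first retransmit after retransmit-interval,
    then doubling (1s, 2s, 4s ...) until retransmit-timeout is reached;
  * spotting conns that are stuck retransmitting in `ipsec status` output,
    i.e. states whose EVENT_v1_RETRANSMIT is due in 0s or a negative time.

The timer model follows the wording of the mail, not libreswan's source;
treat the exact cut-off rule as an assumption.
"""
import re

# Constructed sample input: status lines copied from the thread's quoted
# `ipsec status` output, plus the retransmit-interval line.
SAMPLE_STATUS = [
    '000 "customer":   retransmit-interval: 500ms; retransmit-timeout: 60s;',
    '000 #42: "customer":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); '
    'EVENT_v1_RETRANSMIT in 0s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate',
    '000 #41: "customer":4500 STATE_MAIN_I4 (ISAKMP SA established); '
    'EVENT_SA_REPLACE in 3052s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate',
    '000 #51: "customer":500 STATE_MAIN_I1 (sent MI1, expecting MR1); '
    'EVENT_v1_RETRANSMIT in 0s; nodpd; idle; import:admin initiate',
]

# Per-state lines: "000 #<sa>: "<conn>":<port> STATE_xxx (...); EVENT_yyy in <n>s; ..."
STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)":(?P<port>\d+) (?P<state>STATE_\w+) '
    r'.*?EVENT_(?P<event>\w+) in (?P<due>-?\d+)s'
)
# Per-conn timer line: "000 "<conn>":   retransmit-interval: 500ms; retransmit-timeout: 60s;"
TIMER_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)":\s+retransmit-interval: (?P<interval_ms>\d+)ms; '
    r'retransmit-timeout: (?P<timeout_s>\d+)s;'
)


def backoff_schedule(interval_s=0.5, timeout_s=60.0):
    """Offsets (seconds after the first send) at which retransmits fire.

    Assumption: the delay doubles each time and retransmission stops once
    the next one would fall at or past retransmit-timeout.
    """
    offsets = []
    elapsed, delay = 0.0, interval_s
    while elapsed + delay < timeout_s:
        elapsed += delay
        offsets.append(elapsed)
        delay *= 2
    return offsets


def parse_states(lines):
    """Parse the per-state (#nn) lines into dicts with int fields."""
    states = []
    for line in lines:
        m = STATE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for key in ('sa', 'port', 'due'):
                d[key] = int(d[key])
            states.append(d)
    return states


def parse_timers(lines):
    """Map conn name -> (retransmit-interval in seconds, retransmit-timeout in seconds)."""
    timers = {}
    for line in lines:
        m = TIMER_RE.match(line.strip())
        if m:
            timers[m['conn']] = (int(m['interval_ms']) / 1000.0, float(m['timeout_s']))
    return timers


def stuck_retransmits(lines):
    """States whose retransmit timer is due now or overdue (the '0s' / '-1s'
    the original poster saw). An established SA waiting on EVENT_SA_REPLACE
    is not reported."""
    return [s for s in parse_states(lines)
            if s['event'] == 'v1_RETRANSMIT' and s['due'] <= 0]


def report(lines):
    """For each stuck state, pair it with how many retransmits one keying
    attempt should take under the conn's configured timers (defaults to
    500ms/60s when no timer line was seen for that conn)."""
    timers = parse_timers(lines)
    rows = []
    for s in stuck_retransmits(lines):
        interval_s, timeout_s = timers.get(s['conn'], (0.5, 60.0))
        rows.append({
            'sa': s['sa'],
            'conn': s['conn'],
            'state': s['state'],
            'retransmits_per_attempt': len(backoff_schedule(interval_s, timeout_s)),
        })
    return rows


if __name__ == '__main__':
    for row in report(SAMPLE_STATUS):
        print(row)
```

Against the sample, #42 (STATE_QUICK_I1) and #51 (STATE_MAIN_I1) are reported as stuck while #41, the established ISAKMP SA, is not; with 500ms/60s the model gives six retransmits per keying attempt, so anything retransmitting several times a second for longer than that points at a new attempt being started (the auto=start re-initiation described above) rather than at the per-attempt timer. To use it on a live box, feed it the output of `ipsec status` instead of SAMPLE_STATUS.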

