Strongswan complitelly crashes and restarts itself.
I believe I have discovered a serious bug where strongswan / ipsec daemon crashes, drops all the connections and restarts itself.
Here is little history... I am using strongswan for a server that accepts multiple connections from TP-Link R600VPN routers and everything works fine. However I was testing Linksys router model LRT214, and when that router attempts to make the connection to my linux server, after about 30 seconds of failed negotiations, the ipsec daemon crashes and restarts itself. Of course that drops all existing ipsec tunnels. I have tested this scenario on 2 different linux machines, one with linux kernel 3.16.82 and the other with linux kernel 4.4.14 and got the same results.
I have included the log file, ipsec.conf and ipsec.secrets. If you need any additional info or want me to point the Linksys VPN routers to one of your servers so you can capture what exactly it sends please let me know. The current debug level is set to default which is 1.
Thank you again for your help!
#1 Updated by Darko Kraus 2 months ago
I attached more detailed log with level=2.
Also I wanted to add, when you type ipsec status you get...
root@FWJUPITER:/etc# ipsec status
Security Associations (2 up, 0 connecting):
GW-REMUSR452: ESTABLISHED 5 seconds ago, 172.16.95.30[FWJUPITER.domain1.org]
GW-REMUSR451: ESTABLISHED 35 seconds ago, 172.16.95.30[FWJUPITER.domain1.org
The tunnel never gets established, but it creates multiple entries of the IKE? First there was only one, then when I typed ipsec status again, I got 2 entries.
#2 Updated by Tobias Brunner 2 months ago
- Category set to ikev1
- Status changed from New to Closed
- Assignee set to Tobias Brunner
- Priority changed from Urgent to Normal
- Target version set to 5.8.4
- Resolution set to Fixed
The crash has already been fixed with 5.8.4.
The reason it got triggered here is because your ESP proposals don't match (the initiator want's to use PFS, i.e. proposes a DH group, the responder doesn't).
#3 Updated by Darko Kraus 2 months ago
Just wanted to give you an update. Appears that version 5.8.2 was not affected by this bug. This bug exists only in 5.8.3 version. I have tested 5.8.2, 5.8.3 and 5.8.4 where 5.8.2 and 5.8.4 work fine and 5.8.3 is the only one that crashes. Thank you for a quick update!