StrongSwan: Problematic cases
charon-nm: The connection goes nuts upon rekeying
You might have experienced this, too: You connect from home to your server with
IPsec and everything initially works fine – but some time later NetworkManager
signals that it has lost the connection although you can still access your
server.
However, in case both ends use charon everything
works fine, and the connection only breaks down if the Internet connection
between the two endpoints of the IPsec connection is malfunctioning.
Here charon-nm is causing the trouble: it cannot handle the reauthentication attempt from the other party when the session keys are renewed. In this case charon-nm considers the connection dead and signals this to you, but the other end still considers the connection active and therefore still grants you access. Now you have to make the other end shut down the connection as well so that you can properly re-enable it from your side.
You may counter this problem by disabling reauthentication upon rekeying. In this case the session keys are renewed without charon attempting to reauthenticate itself. This way charon-nm doesn't hiccup any more, and the connection is stable.
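A gateway-side ipsec.conf fragment for this workaround, added here as an example and not taken from the original page. The connection name and lifetime values are assumptions, and it assumes an IKEv2 connection configured through the legacy ipsec.conf interface.

```conf
# /etc/ipsec.conf on the gateway that charon-nm clients connect to.
# "nm-clients" is a hypothetical connection name; merge the reauth line
# into your existing conn section.

conn nm-clients
    keyexchange=ikev2

    # Default is reauth=yes: when the IKE_SA lifetime expires, the peer is
    # authenticated again and a new IKE_SA is built from scratch. That is
    # the reauthentication attempt charon-nm fails to handle.
    #
    # reauth=no: the IKE_SA is rekeyed in place, without a new
    # authentication exchange and without tearing down the IPsec SAs.
    reauth=no

    # Rekeying itself stays enabled, so session keys are still renewed.
    rekey=yes
    ikelifetime=3h      # IKE_SA lifetime (assumed value, strongSwan default)
    lifetime=1h         # IPsec SA lifetime (assumed value, strongSwan default)
    margintime=9m       # start rekeying this long before expiry

# With swanctl.conf the corresponding per-connection setting is
# reauth_time = 0, which disables scheduled reauthentication.
```

With reauthentication disabled, the peer's credentials are checked only when the connection is first established, so a certificate revoked afterwards is not noticed until the tunnel is torn down and set up again.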