[ClusterLabs] Libreswan state machine

Ryszard Styczynski rstyczynski at gmail.com
Thu Apr 8 03:28:44 EDT 2021


I'm looking for IPsec state machine implemented in Libreswan. I may guess how states are correlated, but having a state machine will give me a final answer.

My current question is what is a next state after STATE_QUICK_R2? Should IPsec engine wait for rekeying? How long? How many times should repeat waiting step? Should go back to STATE_MAIN and delete SA? When?

I currently see i my system that:
1. STATE_QUICK_R2 may go to STATE_MAIN_R3, delete SA, and reestablish connection from Phase 1 - it happens after 15 seconds
2. STATE_QUICK_R2 may go to STATE_QUICK_R1 and process rekeying - it happens when peer responds quicker than 15 seconds

How to understand why sometimes SA is deleted (what causes 5 minutes line drop), and sometimes rekeying is completed? How to control time limits? 


More information about the Users mailing list