IPsec VPN Problem 20.1.4

Started by HerrPenaten, April 16, 2020, 09:57:42 AM

Hi

After the update to 20.1.4 I have a problem with IPsec.
The connection can be established, but after 1 hour it disconnects.
And it can only be re-established manually.
In the logs I get this:

2020-04-16T08:40:50   ipsec_starter[6338]: 'con3' routed
2020-04-16T08:40:50   ipsec_starter[6338]:
2020-04-16T08:40:50   ipsec_starter[6338]: 'con1' routed
2020-04-16T08:40:50   ipsec_starter[6338]: charon (39754) started after 20 ms
2020-04-16T08:40:45   kernel: pid 73791 (charon), uid 0: exited on signal 6 (core dumped)
2020-04-16T08:40:45   ipsec_starter[6338]: charon has died -- restart scheduled (5sec)
2020-04-16T08:39:39   ipsec_starter[6338]:
2020-04-16T08:39:39   ipsec_starter[6338]: 'con3' routed
2020-04-16T08:39:39   ipsec_starter[6338]:
2020-04-16T08:39:39   ipsec_starter[6338]: 'con1' routed
2020-04-16T08:39:39   ipsec_starter[6338]: 'con1' routed
2020-04-16T08:39:39   ipsec_starter[6338]: charon (73791) started after 20 ms
2020-04-16T08:39:34   kernel: pid 24103 (charon), uid 0: exited on signal 6 (core dumped)
2020-04-16T08:39:34   ipsec_starter[6338]: charon has died -- restart scheduled (5sec)
2020-04-16T08:39:12   kernel: -> pid: 24103 ppid: 6338 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
2020-04-16T08:39:12   kernel: [HBSD SEGVGUARD] [charon (24103)] Suspension expired.

THX for help

BR

Check your 'Lifetime' setting at both ends; the default setting is 28800 seconds (8 hours) if you just leave it as is.

Don't think a Signal 6 had something to do with the SA Lifetime... this looks like a more serious error to me.

THX, but it is the same on both sides.

With log lines un-reversed and some entries left out:

Quote from: HerrPenaten on April 16, 2020, 09:57:42 AM
2020-04-16T08:39:12   kernel: [HBSD SEGVGUARD] [charon (24103)] Suspension expired.
2020-04-16T08:39:12   kernel: -> pid: 24103 ppid: 6338 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
2020-04-16T08:39:34   ipsec_starter[6338]: charon has died -- restart scheduled (5sec)
2020-04-16T08:39:34   kernel: pid 24103 (charon), uid 0: exited on signal 6 (core dumped)
2020-04-16T08:39:39   ipsec_starter[6338]: charon (73791) started after 20 ms
2020-04-16T08:40:45   ipsec_starter[6338]: charon has died -- restart scheduled (5sec)
2020-04-16T08:40:45   kernel: pid 73791 (charon), uid 0: exited on signal 6 (core dumped)
2020-04-16T08:40:50   ipsec_starter[6338]: charon (39754) started after 20 ms

charon (IKE daemon) keeps crashing (signal 6 = ABRT), usually an indication of memory problems, and the SEGVGUARD feature of HardenedBSD has kicked in (see first line) and has suspended charon execution for some time because of repeated crashes.

This looks like some serious problem. Not sure if memory pressure alone can cause this. Can you check memory usage (dashboard), log entries under System/Log Files/General or better yet "dmesg" output from a root command line (console or ssh login)?
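The crash-loop reading of the log described above, as an added example that is not part of the original thread: it re-orders the newest-first log lines, pairs each charon start with its crash and reports how long each instance survived. The function name `analyse` and the loop threshold are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample: lines copied from the log in this thread, newest first
# as the log view shows them.
SAMPLE = """\
2020-04-16T08:40:50   ipsec_starter[6338]: charon (39754) started after 20 ms
2020-04-16T08:40:45   kernel: pid 73791 (charon), uid 0: exited on signal 6 (core dumped)
2020-04-16T08:40:45   ipsec_starter[6338]: charon has died -- restart scheduled (5sec)
2020-04-16T08:39:39   ipsec_starter[6338]: charon (73791) started after 20 ms
2020-04-16T08:39:34   kernel: pid 24103 (charon), uid 0: exited on signal 6 (core dumped)
2020-04-16T08:39:12   kernel: [HBSD SEGVGUARD] [charon (24103)] Suspension expired.
"""

LINE = re.compile(r"^(\S+)\s+([^:\[]+)(?:\[\d+\])?:\s?(.*)$")
STARTED = re.compile(r"charon \((\d+)\) started")
CRASHED = re.compile(r"pid (\d+) \(charon\).*exited on signal (\d+)")
SEGV = re.compile(r"\[HBSD SEGVGUARD\] \[charon \((\d+)\)\]")

def analyse(text, loop_threshold=2):  # threshold is an assumed value
    """Return crash records, SEGVGUARD pids and a crash-loop verdict."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2).strip(), m.group(3)))
    events.sort(key=lambda e: e[0])  # stable sort, oldest first
    started, crashes, segvguard = {}, [], []
    for ts, proc, msg in events:
        if proc == "ipsec_starter" and (m := STARTED.search(msg)):
            started[int(m.group(1))] = ts
        elif proc == "kernel" and (m := CRASHED.search(msg)):
            pid, sig = int(m.group(1)), int(m.group(2))
            begin = started.get(pid)  # None if the start is outside the excerpt
            uptime = (ts - begin).total_seconds() if begin else None
            crashes.append({"pid": pid, "signal": sig, "uptime_s": uptime})
        elif proc == "kernel" and (m := SEGV.search(msg)):
            segvguard.append(int(m.group(1)))
    return {"crashes": crashes, "segvguard_pids": segvguard,
            "crash_loop": len(crashes) >= loop_threshold}

if __name__ == "__main__":
    print(analyse(SAMPLE))
```
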

Looks like a strongswan issue in 5.8.3?

https://wiki.strongswan.org/versions/77

Version 5.8.4
In IKEv1 Quick Mode make sure that a proposal exists before determining lifetimes (fixes a crash due to a null-pointer dereference in 5.8.3, cb26c5547c).

This will help until 20.1.5 is out:

# opnsense-revert -r 20.1.3 strongswan


Cheers,
Franco

The SSD has some I/O problems.
Installed a new SSD and it works again.

THX for help