Discussion:
[strongSwan] New virtual IP at reauthentication with make_before_break kills initiators routing table
a***@bertelsmann.de
2018-08-08 06:53:38 UTC
Hi,
we are facing the following problem:

We are using a strongSwan client (initiator, details below) to open up a tunnel with reauthentication enabled and make_before_break=yes.

After opening up a tunnel initially, we see the local (client's) IP routes as follows (as expected):
ip route list table 220
10.0.0.0/8 via 146.185.113.17 dev eth0 proto static src 10.23.7.205
188.144.0.0/15 via 146.185.113.17 dev eth0 proto static src 10.23.7.205

During reauthentication with make_before_break:
As long as we receive the same virtual IP everything is fine, the ip routes are kept and traffic still can flow through this tunnel.

But once we receive a different virtual IP from the responder, ipsec still says "tunnel is active", but the old IP routes get deleted and no new ones are set up.
So ip route table 220 is empty and hence no traffic will flow through this still-active tunnel.

Please note that once we disable make_before_break (which is not an option for us), everything runs smoothly, even with new virtual IPs during reauthentication.

Any idea?
Thanks for your help!

BR, Alex.

Client's OS:
Linux gtegklvk04067 4.4.114-94.14-default #1 SMP Mon Feb 19 14:46:07 UTC 2018 (14c5f0f) x86_64 x86_64 x86_64 GNU/Linux

strongSwan client version:
Linux strongSwan U5.5.3-20180605_3/K4.4.114-94.14-default

ipsec.conf
# basic configuration

config setup
    charondebug="cfg 2, dmn 2, ike 2, net 9, job -1"

conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048,aes256-sha1-modp2048!
    esp=aes256-sha256-modp2048,aes256-sha1-modp2048!
    dpdaction=clear
    dpddelay=300s
    rightid=%any
    leftcert=my.C_NK_VPN.pem
    leftsourceip=%config
    forceencaps=yes

conn RU1_TI_1
    right=146.185.113.4
    rightsubnet=10.0.0.0/8,188.144.0.0/15
    lifetime=5m
    ikelifetime=2m
    margintime=1m
    rekeyfuzz=0%
    auto=add

strongswan.conf
charon {
    make_before_break = yes
    hash_and_url = no
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
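A watchdog for the failure mode described in this post, added here as an example (not part of the thread and not strongSwan's own code): it compares the routes in table 220 against the conn's rightsubnet entries and flags the state where the tunnel is still reported ESTABLISHED but the routes are gone. The conn name RU1_TI_1 and the subnets are taken from the posted ipsec.conf; the sample route output is constructed from the post.

```shell
#!/bin/sh
# Added example (not from the original post): detect "tunnel reported up,
# but routing table 220 no longer holds the routes for rightsubnet".
# Assumes the conn name and subnets from the posted ipsec.conf.
CONN="RU1_TI_1"
EXPECTED_SUBNETS="10.0.0.0/8 188.144.0.0/15"

# Constructed sample output of "ip route list table 220": before reauth
# (as posted) and after a reauth that handed out a new virtual IP (empty).
ROUTES_OK='10.0.0.0/8 via 146.185.113.17 dev eth0 proto static src 10.23.7.205
188.144.0.0/15 via 146.185.113.17 dev eth0 proto static src 10.23.7.205'
ROUTES_EMPTY=''

# missing_routes ROUTE_OUTPUT: prints the expected subnets that have no
# route in ROUTE_OUTPUT; exit status 0 if all present, 1 if any is missing.
missing_routes() {
  missing=""
  for net in $EXPECTED_SUBNETS; do
    printf '%s\n' "$1" | awk -v n="$net" '$1 == n { found = 1 } END { exit found ? 0 : 1 }' \
      || missing="$missing $net"
  done
  printf '%s' "${missing# }"
  [ -z "$missing" ]
}

# check_tunnel: live check on the client. Warns on stderr and returns 1
# when charon still reports the conn ESTABLISHED but routes are missing.
check_tunnel() {
  routes=$(ip route list table 220 2>/dev/null) || routes=""
  if miss=$(missing_routes "$routes"); then
    echo "OK: table 220 holds routes for $EXPECTED_SUBNETS"
    return 0
  fi
  established=$(ipsec status "$CONN" 2>/dev/null | grep -c ESTABLISHED) || established=0
  echo "WARNING: $CONN ESTABLISHED=$established but table 220 lacks: $miss" >&2
  return 1
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1-}" = "--live" ]; then
  check_tunnel
fi
```

Run it from cron or a systemd timer with `--live`; a non-zero exit after a reauthentication is the symptom reported above.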
Ettrich, Mike, NMU-DSJ
2018-08-13 11:19:37 UTC