[strongSwan] Question on "ipsec update"
Jaehong Park
jaehong.park at illumio.com
Mon Feb 16 21:11:09 CET 2015
Hi, I see some strange behavior with ipsec update.
I have two questions regarding ipsec update.
Please see the questions inline in the procedure below.
First of all, I am trying to configure IPSec based on port.
Mode is transport.
Version 5.2.1
My setup is
Carol(54.68.129.251) is initiator, and Alice(54.148.133.92) is responder.
Alice:
conn Carol
    leftauth=psk
    left=%any
    leftid=Alice
    leftsubnet=0.0.0.0/0[tcp/5001], 0.0.0.0/0[tcp/8080]
    rightauth=psk
    rightid=%any
    right=54.68.129.251
And Alice is running an iperf server on 5001 and 8080.
Now Carol starts with the following configuration:
conn Alice
    leftauth=psk
    left=%any
    leftid=Carol
    rightauth=psk
    rightid=%any
    right=54.148.133.92
    rightsubnet=54.148.133.92[tcp/5001]
And I run an iperf client to Alice on port 5001.
And the status of the SA is:
Security Associations (1 up, 0 connecting):
Ubuntu-1[1]: ESTABLISHED 53 seconds ago, 172.31.3.88[a1143]...54.148.133.92[a1144]
Ubuntu-1{1}: INSTALLED, TRANSPORT, ESP in UDP SPIs: c1af5c4b_i c1373ed9_o
Ubuntu-1{1}: 172.31.3.88/32 === 54.148.133.92/32[tcp/5001]
and the data flows correctly over the encrypted channel.
Now if I update the connection of Carol with the following:
conn Alice
    leftauth=psk
    left=%any
    leftid=a1143
    rightauth=psk
    rightid=%any
    right=54.148.133.92
    rightsubnet=54.148.133.92[tcp/5001]
conn Alice-2
    also=Ubuntu-1
    rightsubnet=54.148.133.92[tcp/8080]
Security Associations (2 up, 0 connecting):
Ubuntu-1[2]: ESTABLISHED 11 seconds ago, 172.31.3.88[a1143]...54.148.133.92[a1144]
Ubuntu-1-2{2}: INSTALLED, TRANSPORT, ESP in UDP SPIs: cc0fa925_i c7ba5044_o
Ubuntu-1-2{2}: 172.31.3.88/32 === 54.148.133.92/32[tcp/http-alt]
Ubuntu-1[1]: ESTABLISHED 4 minutes ago, 172.31.3.88[a1143]...54.148.133.92[a1144]
Ubuntu-1{1}: INSTALLED, TRANSPORT, ESP in UDP SPIs: c1af5c4b_i c1373ed9_o
Ubuntu-1{1}: 172.31.3.88/32 === 54.148.133.92/32[tcp/5001]
I can see the status update, but data over 5001 is interrupted, while I can still make a new iperf connection to 8080.
So the first question is: why is data over 5001 interrupted, and why can I never make it again?
So I reverted the conn back to
conn Alice
    leftauth=psk
    left=%any
    leftid=a1143
    rightauth=psk
    rightid=%any
    right=54.148.133.92
    rightsubnet=54.148.133.92[tcp/5001]
and did ipsec update.
However, I still cannot send any data over 5001, while data still flows over 8080.
And when I do ipsec status, I still see the two SAs.
Security Associations (2 up, 0 connecting):
Ubuntu-1[2]: ESTABLISHED 11 seconds ago, 172.31.3.88[a1143]...54.148.133.92[a1144]
Ubuntu-1-2{2}: INSTALLED, TRANSPORT, ESP in UDP SPIs: cc0fa925_i c7ba5044_o
Ubuntu-1-2{2}: 172.31.3.88/32 === 54.148.133.92/32[tcp/http-alt]
Ubuntu-1[1]: ESTABLISHED 4 minutes ago, 172.31.3.88[a1143]...54.148.133.92[a1144]
Ubuntu-1{1}: INSTALLED, TRANSPORT, ESP in UDP SPIs: c1af5c4b_i c1373ed9_o
Ubuntu-1{1}: 172.31.3.88/32 === 54.148.133.92/32[tcp/5001]
The second question is: why is data over 5001 still interrupted, and why is the deleted SA still alive?
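As an added example (not part of the original post and not strongSwan's own tooling), a small Python parser for the `ipsec status` output quoted above: it extracts each CHILD_SA's SPIs and traffic selectors and flags any installed CHILD_SA whose remote port is no longer among the ports the current conn lists, which is the check to run after `ipsec update` to spot a leftover SA such as Ubuntu-1-2{2} in the second dump. The sample status text is constructed from the post, and FALLBACK_SERVICES is an assumed table used only when /etc/services cannot resolve a service name like http-alt.

```python
import re
import socket

# Constructed from the second 'ipsec status' dump quoted in the post above.
SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
Ubuntu-1[2]: ESTABLISHED 11 seconds ago, 172.31.3.88[a1143]...54.148.133.92[a1144]
Ubuntu-1-2{2}: INSTALLED, TRANSPORT, ESP in UDP SPIs: cc0fa925_i c7ba5044_o
Ubuntu-1-2{2}: 172.31.3.88/32 === 54.148.133.92/32[tcp/http-alt]
Ubuntu-1[1]: ESTABLISHED 4 minutes ago, 172.31.3.88[a1143]...54.148.133.92[a1144]
Ubuntu-1{1}: INSTALLED, TRANSPORT, ESP in UDP SPIs: c1af5c4b_i c1373ed9_o
Ubuntu-1{1}: 172.31.3.88/32 === 54.148.133.92/32[tcp/5001]
"""

# 'ipsec status' prints well-known ports as service names (8080 -> http-alt); resolve via /etc/services, with this assumed table as offline fallback.
FALLBACK_SERVICES = {"http-alt": 8080}

CHILD_RE = re.compile(r"^(?P<conn>\S+)\{(?P<id>\d+)\}: (?P<state>\w+), (?P<mode>\w+), .*SPIs: (?P<spi_in>\w+)_i (?P<spi_out>\w+)_o$")
TS_RE = re.compile(r"^(?P<conn>\S+)\{(?P<id>\d+)\}: (?P<local>\S+) === (?P<remote>\S+)$")


def selector_port(selector):
    """Return (proto, port) for a selector like '54.148.133.92/32[tcp/5001]', else None."""
    m = re.search(r"\[(\w+)/([\w-]+)\]$", selector)
    if not m:
        return None  # selector carries no port restriction
    proto, svc = m.groups()
    if svc.isdigit():
        return proto, int(svc)
    try:
        return proto, socket.getservbyname(svc, proto)
    except OSError:
        return proto, FALLBACK_SERVICES[svc]


def parse_child_sas(status_text):
    """Map 'conn{id}' -> {state, mode, spi_in, spi_out, local, remote} from ipsec status output."""
    children = {}
    for line in status_text.splitlines():
        m = CHILD_RE.match(line) or TS_RE.match(line)
        if m:  # the SPI line and the selector line of one CHILD_SA share the same key
            key = f"{m['conn']}{{{m['id']}}}"
            children.setdefault(key, {}).update(
                {k: v for k, v in m.groupdict().items() if k not in ("conn", "id")})
    return children


def stale_child_sas(children, expected_ports, proto="tcp"):
    """Installed CHILD_SAs whose remote port is not among the ports the current conn lists."""
    wanted = {(proto, p) for p in expected_ports}
    return sorted(name for name, sa in children.items()
                  if sa.get("state") == "INSTALLED"
                  and selector_port(sa.get("remote", "")) not in wanted)
```

Running `stale_child_sas(parse_child_sas(SAMPLE_STATUS), [5001])` on the second dump reports Ubuntu-1-2{2}, the SA for tcp/8080 that the reverted config no longer covers.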