<html><body><div style="color:#000; background-color:#fff; font-family:arial, helvetica, sans-serif;font-size:12pt"><div>Dear list:</div><div><br></div>
<div>Our customer running StrongSwan 4.6.1 wants to set up two external interfaces on their VPN gateway, one for cellular and one for Wi-Fi.<br></div>
<div>They reported that the road warriors can only switch once. Subsequent attempts to switch back to the initially connected interface won't work.</div><div><br></div>
<div>We find that the IP address initially used to set up the tunnel is not stored in the "Mobike additional addresses list". It is accessible from the Security Association. However, after a Mobike switch, the SA is updated with the new IP address, and the initial IP address is lost.<br></div>
<pre class="bz_comment_text" id="comment_text_4">To verify this theory, we made the following change in ike_mobike.c:
------------------------------------------------------------
if (first)
{   /* an ADDITIONAL_*_ADDRESS means replace, so flush once */
    this->ike_sa->remove_additional_addresses(this->ike_sa);
    first = FALSE;

    // Added code to seed the IP address in SA in the additional_address list
    host = this->ike_sa->get_other_host(this->ike_sa);
    host = host->clone(host);
    this->ike_sa->add_additional_address(this->ike_sa, host);
}
------------------------------------------------------------
After applying this change to a road warrior, it can switch back and forth between the two interfaces.

Questions:
1. Is there a reason why the peer IP address in the Security Association is not stored in the additional_address list?
2. Can anyone see potential problems with the code change above?
   Not sure if there are situations where ike_sa->get_other_host() may not return the correct gateway address.
   The change tested OK in our lab though.
3. Another possibility is to change the gateway side to include "me" in the Mobike additional addresses.
   It is easier to upgrade one host than to upgrade a fleet of 800 trucks. Similar to Question 1, is there
   a reason that "me" must be excluded from the Mobike additional addresses?

Thanks in advance for your help.
Simon
</pre></div></body></html>
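As an added illustration (not code from the mail and not strongSwan's own ike_sa), the following C model replays the bookkeeping theory described in the message: the peer address the SA is using is flushed out of the additional-address list and is therefore unavailable for a switch back, unless it is re-seeded as the proposed change does. The struct, function names and sample addresses are assumptions made for this model only.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of the bookkeeping the mail describes (not strongSwan's ike_sa):
 * the SA's current peer address plus the MOBIKE additional-address list. */
typedef struct {
    char other_host[16];     /* peer address currently used by the SA */
    char additional[8][16];  /* addresses the peer announced */
    int n_additional;
} sa_model_t;

static void add_additional_address(sa_model_t *sa, const char *addr) {
    if (sa->n_additional < 8) {
        strncpy(sa->additional[sa->n_additional], addr, 15);
        sa->additional[sa->n_additional++][15] = '\0';
    }
}

/* ADDITIONAL_*_ADDRESS notifies replace the list, so flush it first; with
 * seed_current (the change proposed in the mail) the address the SA is
 * using is re-inserted so it is not lost after a later switch. */
static void process_additional_addresses(sa_model_t *sa, const char *const *addrs,
                                         int n, bool seed_current) {
    sa->n_additional = 0;
    if (seed_current) add_additional_address(sa, sa->other_host);
    for (int i = 0; i < n; i++) add_additional_address(sa, addrs[i]);
}

/* A switch is only attempted to an address the SA knows about. */
static bool switch_other_host(sa_model_t *sa, const char *addr) {
    for (int i = 0; i < sa->n_additional; i++) {
        if (strcmp(sa->additional[i], addr) == 0) {
            strcpy(sa->other_host, addr);
            return true;
        }
    }
    return false;
}

/* Replays the reported sequence with constructed sample addresses: set up via one
 * gateway interface, switch to the other, switch back. Returns successful switches. */
int run_switch_sequence(bool seed_current) {
    sa_model_t sa = {0};
    strcpy(sa.other_host, "203.0.113.1");             /* interface used at setup */
    const char *announced[] = { "198.51.100.1" };     /* the gateway's other interface */
    process_additional_addresses(&sa, announced, 1, seed_current);
    int ok = switch_other_host(&sa, "198.51.100.1");  /* first switch */
    ok += switch_other_host(&sa, "203.0.113.1");      /* switch back */
    return ok;
}
```

Without the seed only the first switch succeeds (1); with it both succeed (2), which is the behaviour the lab test in the mail reports.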