[strongSwan-dev] Any route change triggers unexpected IKE-SA reauth if left is not on output interface

Christophe Gouault christophe.gouault at 6wind.com
Thu Nov 10 15:15:05 CET 2016

Hi strongSwan team,

I encounter unexpected IKE-SA reauthentications whenever something
changes in the routing table:

Connections are configured on a multihomed machine, so that left is a
permanent address configured on a user loopback interface (Linux dummy
interface), precisely to be independant from routing. MOBIKE is

Whenever a change occurs in the routing table, charon verifies for all
IKE_SA that the path to the remote peer is still valid.

This verification, performed by the ike_sa.roam() method, always
concludes that the path is no longer valid, and triggers a reauth.

In fact the definition of "valid" is quite restrictive: ike_sa.roam()
invokes is_current_path_valid(this), which performs a route lookup to
the peer address, and checks that the route "preferred source address"
is equal to the IKE_SA local address. Which is not the case because
the IKE_SA local address is not configured on the output interface.

I understand that when MOBIKE is enabled or when left is %any, we want
to check if we can find a better source address to join the peer.

But when MOBIKE is disabled and the source address is explicitly
specified in the conf, the existence of a valid route to the peer
should be enough, whatever the "preferred source address" is suggested
by the routing table.

Is there a way to avoid this undesirable reauthentication (without
ignoring routing event)?


More information about the Dev mailing list