[strongSwan-dev] Any route change triggers unexpected IKE-SA reauth if left is not on output interface
christophe.gouault at 6wind.com
Thu Nov 10 15:15:05 CET 2016
Hi strongSwan team,
I encounter unexpected IKE-SA reauthentications whenever something
changes in the routing table:
Connections are configured on a multihomed machine, so that left is a
permanent address configured on a user loopback interface (Linux dummy
interface), precisely to be independant from routing. MOBIKE is
Whenever a change occurs in the routing table, charon verifies for all
IKE_SA that the path to the remote peer is still valid.
This verification, performed by the ike_sa.roam() method, always
concludes that the path is no longer valid, and triggers a reauth.
In fact the definition of "valid" is quite restrictive: ike_sa.roam()
invokes is_current_path_valid(this), which performs a route lookup to
the peer address, and checks that the route "preferred source address"
is equal to the IKE_SA local address. Which is not the case because
the IKE_SA local address is not configured on the output interface.
I understand that when MOBIKE is enabled or when left is %any, we want
to check if we can find a better source address to join the peer.
But when MOBIKE is disabled and the source address is explicitly
specified in the conf, the existence of a valid route to the peer
should be enough, whatever the "preferred source address" is suggested
by the routing table.
Is there a way to avoid this undesirable reauthentication (without
ignoring routing event)?
More information about the Dev