[strongSwan] Interface address change not acted upon

Jan Engelhardt jengelh at medozas.de
Mon Aug 23 11:05:44 CEST 2010


On Monday 2010-08-23 09:44, Martin Willi wrote:
>
>> Assume a client where charon is configured with a simple tunnel 
>> using left=%defaultroute right=vpnserver. On this client also runs a 
>> DHCP client (dhcpcd).
>
>%defaultroute is resolved by ipsec starter and not automatically
>updated. I'd suggest to use left=%any, charon will resolve a source
>address dynamically in this case.
>
>> charon seems to continue to use the old address, despite having noticed
>> that the old address is gone from the interface.
>
>A log file would help to diagnose the problem. Is the tunnel running
>over a ppp interface?

Just eth0. Yes, there are some pesky dhcpds in shoddy (home) router
products around that always give you a new address it seems.

ipsec.conf:

config setup
	plutostart=no
	uniqueids=no

conn foo
	left=%defaultroute
	leftsourceip=%config	# server configured to hand out 1.0.0.0/8
	right=81.20.113.211
	leftcert=foo.pem
	rightcert=foo.pem
	auto=start
	keyexchange=ikev2

>> Is there a configuration option that I need to add so it will 
>> reestablish the tunnel using the new address?
>
>MOBIKE is enabled by default, no special configuration is required.

MOBIKE works as intended - if the address change is instant:

01:47:19 charon: 02[IKE] sending keep alive
01:47:19 charon: 02[NET] sending packet: from 192.168.100.212[4500] to 81.20.113.211[4500]
01:47:22 charon: 06[KNL] 192.168.100.212 disappeared from eth0
01:47:22 charon: 06[KNL] 192.168.100.213 appeared on eth0
01:47:23 charon: 01[IKE] requesting address change using MOBIKE
01:47:23 charon: 01[ENC] generating INFORMATIONAL request 2 [ N(ADD_4_ADDR) ]
01:47:23 charon: 01[IKE] checking original path 192.168.100.213[4500] - 81.20.113.211[4500]
01:47:23 charon: 01[NET] sending packet: from 192.168.100.213[4500] to 81.20.113.211[4500]
01:47:23 charon: 01[IKE] checking path 192.168.100.213[4500] - 192.168.105.2[4500]
01:47:23 charon: 01[NET] sending packet: from 192.168.100.213[4500] to 192.168.105.2[4500]
01:47:23 charon: 01[IKE] checking path 192.168.100.213[4500] - 81.20.113.210[4500]
01:47:23 charon: 01[NET] sending packet: from 192.168.100.213[4500] to 81.20.113.210[4500]
01:47:23 charon: 11[NET] received packet: from 81.20.113.210[4500] to 192.168.100.213[4500]
01:47:23 charon: 11[ENC] parsed INFORMATIONAL response 2 [ ]
01:47:23 charon: 11[ENC] generating INFORMATIONAL request 3 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) ]
01:47:23 charon: 11[NET] sending packet: from 192.168.100.213[4500] to 81.20.113.210[4500]
01:47:23 charon: 03[NET] received packet: from 81.20.113.210[4500] to 192.168.100.213[4500]
01:47:23 charon: 03[ENC] parsed INFORMATIONAL response 3 [ N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) ]
01:47:40 kernel: [ 2125.649131] device eth0 left promiscuous mode
01:47:46 charon: 11[IKE] sending keep alive
01:47:46 charon: 11[NET] sending packet: from 192.168.100.213[4500] to 81.20.113.210[4500]

But, if the interface is left for more than a glimpse without any
public address, charon dies and is restarted - as you say with the address
that ipsec_starter remembered:

...
01:48:06 charon: 03[IKE] sending keep alive
01:48:06 charon: 03[NET] sending packet: from 192.168.100.213[4500] to 81.20.113.210[4500]
01:48:26 charon: 06[KNL] 192.168.100.213 disappeared from eth0
01:48:26 ipsec_starter[4387]: charon has died -- restart scheduled (5sec)
01:48:31 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.4.0)
01:48:31 charon: 00[CFG] attr-sql plugin: database URI not set
01:48:31 charon: 00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
01:48:31 charon: 00[KNL] listening on interfaces:
01:48:31 charon: 00[KNL]   eth0
01:48:31 charon: 00[KNL]     1.0.0.1
01:48:31 charon: 00[KNL]     fe80::a00:27ff:fecf:3552
01:48:31 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
01:48:31 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
01:48:31 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
01:48:31 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
01:48:31 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
01:48:31 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
01:48:31 charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/foo.pem.key'
01:48:31 charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/foo.pem.key'
01:48:31 charon: 00[CFG] sql plugin: database URI not set
01:48:31 charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
01:48:31 charon: 00[CFG] no RADUIS secret defined
01:48:31 charon: 00[CFG] RADIUS plugin initialization failed
01:48:31 charon: 00[LIB] plugin 'eap-radius': failed to load - eap_radius_plugin_create returned NULL
01:48:31 charon: 00[LIB] plugin 'nm': failed to load '/usr/lib/ipsec/plugins/libstrongswan-nm.so' - /usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object file: No such file or directory
01:48:31 charon: 00[CFG] HA config misses local/remote address
01:48:31 charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
01:48:31 charon: 00[DMN] loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl gcrypt fips-prf xcbc hmac agent gmp attr kernel-netlink socket-raw socket-dynamic farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp resolve 
01:48:31 charon: 00[JOB] spawning 16 worker threads
01:48:31 ipsec_starter[4387]: charon (4702) started after 40 ms
01:48:31 charon: 08[CFG] received stroke: add connection 'foo'
01:48:31 charon: 08[CFG] left nor right host is our side, assuming left=local
01:48:31 charon: 08[CFG]   loaded certificate "C=DE, OU=Foo" from '/etc/ipsec.d/certs/foo.pem'
01:48:31 charon: 08[CFG]   id '192.168.100.212' not confirmed by certificate, defaulting to 'C=DE, OU=Foo'
01:48:31 charon: 08[CFG]   loaded certificate "C=DE, OU=Foo" from '/etc/ipsec.d/certs/foo.pem'
01:48:31 charon: 08[CFG]   id '81.20.113.211' not confirmed by certificate, defaulting to 'C=DE, OU=Foo'
01:48:31 charon: 08[CFG] added configuration 'foo'
01:48:31 charon: 11[CFG] received stroke: initiate 'foo'
01:48:31 charon: 11[IKE] initiating IKE_SA foo[1] to 81.20.113.211
01:48:31 charon: 11[IKE] initiating IKE_SA foo[1] to 81.20.113.211
01:48:31 charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
01:48:31 charon: 11[NET] sending packet: from 192.168.100.212[500] to 81.20.113.211[500]
01:48:31 charon: 09[NET] error writing to socket: Invalid argument
01:48:35 charon: 15[IKE] retransmit 1 of request with message ID 0
01:48:35 charon: 15[NET] sending packet: from 192.168.100.212[500] to 81.20.113.211[500]
01:48:35 charon: 09[NET] error writing to socket: Invalid argument
01:48:42 charon: 16[IKE] retransmit 2 of request with message ID 0
01:48:42 charon: 16[NET] sending packet: from 192.168.100.212[500] to 81.20.113.211[500]
01:48:42 charon: 09[NET] error writing to socket: Invalid argument
...

And uses .212 forevermore, even if a new one shows up later.

01:48:54 charon: 06[KNL] 192.168.100.213 appeared on eth0
01:48:54 charon: 02[IKE] reauthenticating IKE_SA due to address change
01:48:55 charon: 01[IKE] retransmit 3 of request with message ID 0
01:48:55 charon: 01[NET] sending packet: from 192.168.100.212[500] to 81.20.113.211[500]
01:48:55 charon: 09[NET] error writing to socket: Invalid argument

But per your explanation this is expected behavior. So far so good :)

I now also tried with %any and that looks more promising. However,
whenever there is no usable address on eth0, charon dies again.
Is this intended? Maybe it is the only way it gets the address
through ipsec_starter.
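As an added example (not part of the original thread or of strongSwan itself), here is a small log check for the failure mode described above: it replays charon's KNL "appeared on"/"disappeared from" events and flags packets sent from a source address that is no longer on any interface (the remembered %defaultroute address), plus a daemon restart while the interface holds no address. The sample lines are constructed after the ones quoted in this message; the initial address set is an assumption passed in by the caller.

```python
import re
from typing import Iterable, List, Set

# Constructed sample, modelled on the charon/ipsec_starter lines quoted above.
SAMPLE_LOG = """\
01:47:19 charon: 02[NET] sending packet: from 192.168.100.212[4500] to 81.20.113.211[4500]
01:47:22 charon: 06[KNL] 192.168.100.212 disappeared from eth0
01:47:22 charon: 06[KNL] 192.168.100.213 appeared on eth0
01:47:23 charon: 01[NET] sending packet: from 192.168.100.213[4500] to 81.20.113.211[4500]
01:48:26 charon: 06[KNL] 192.168.100.213 disappeared from eth0
01:48:26 ipsec_starter[4387]: charon has died -- restart scheduled (5sec)
01:48:31 charon: 11[NET] sending packet: from 192.168.100.212[500] to 81.20.113.211[500]
01:48:31 charon: 09[NET] error writing to socket: Invalid argument
"""

# Line shapes taken from the log format shown in the post.
RE_ADDR = re.compile(r'^(\S+) charon: \d+\[KNL\] (\S+) (appeared on|disappeared from) (\S+)$')
RE_SEND = re.compile(r'^(\S+) charon: \d+\[NET\] sending packet: from (\S+)\[\d+\] to ')
RE_DIED = re.compile(r'^(\S+) ipsec_starter\[\d+\]: charon has died')


def analyze(log: str, initial: Iterable[str] = ()) -> List[str]:
    """Walk the log and return human-readable findings.

    `initial` (assumed, supplied by the caller) seeds the addresses that were
    already on the interface before the first KNL event in the excerpt.
    """
    present: Set[str] = set(initial)
    findings: List[str] = []
    for line in log.splitlines():
        m = RE_ADDR.match(line)
        if m:
            ts, addr, event, iface = m.groups()
            if event == 'appeared on':
                present.add(addr)
            else:
                present.discard(addr)
            continue
        m = RE_SEND.match(line)
        if m:
            ts, src = m.groups()
            if src not in present:  # stale source: charon kept a dead address
                findings.append(f'{ts} stale source {src}: not on any interface')
            continue
        m = RE_DIED.match(line)
        if m and not present:  # restart while the interface had no address
            findings.append(f'{m.group(1)} charon died with no address on interface')
    return findings
```

Run it as `analyze(SAMPLE_LOG, initial={'192.168.100.212'})`; on a real syslog excerpt the stale-source finding immediately precedes the "error writing to socket: Invalid argument" lines.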
