[strongSwan] virtual IP assignement fails if previous tunnel not properly shutdown

Benoit Foucher benoit at bittrap.com
Thu Dec 2 11:02:33 CET 2010


Hello,

I have a machine that connects to a strongSwan gateway to establish a VPN connection (both machines are Linux machines with strongSwan 4.4.1, using ikev2). It gets a virtual IP from the gateway (gw is using rightsourceip=192.168.132.0/22). 

From time to time, when I reboot the machine, the assignment of the IP fails on reboot. I suspect this is because the previous tunnel wasn't properly shutdown when the machine went down before the reboot. Is there a way to force the IP address assignment for the new tunnel in this case? The log below shows the previous tunnel being deleted and the new one being established and the virtual IP assignment error. Let me know if you need more information and thanks for your help.

====
15[IKE] authentication of 'gw.foo.com' (myself) with RSA signature successful
15[IKE] deleting duplicate IKE_SA for peer 'CN=game.foo.com' due to uniqueness policy
15[IKE] deleting IKE_SA instance[4] between 10.12.195.22[gw.foo.com]...10.24.98.213[CN=game.foo.com]
15[IKE] sending DELETE for IKE_SA instance[4]
15[ENC] generating INFORMATIONAL request 0 [ D ]
15[NET] sending packet: from 10.12.195.22[4500] to 10.24.98.213[4500]
15[IKE] IKE_SA instance[6] established between 10.12.195.22[gw.foo.com]...10.24.98.213[CN=game.foo.com]
15[IKE] scheduling reauthentication in 10515s
15[IKE] maximum IKE_SA lifetime 10695s
15[IKE] sending end entity cert "xxx"
15[IKE] peer requested virtual IP %any
15[CFG] 'CN=game.foo.com' already has an online lease, unable to assign address
15[CFG] acquiring address from pool 'instance' failed
15[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
15[IKE] configuration payload negotation failed, no CHILD_SA built
====

Cheers,
Benoit.





More information about the Users mailing list