[strongSwan] IKEv1 connection issues after upgrading from 4.4.1 to 4.5.0

Benoit Foucher benoit at bittrap.com
Thu Dec 2 20:53:58 CET 2010


Hi,

I've upgraded from 4.4.1 to 4.5.0 today to work around the issue where a given peer ID can't acquire multiple virtual IP addresses. However, my IKEv1 connections don't work anymore now. I did add keyexchange=ikev1 to make sure to use pluto. I've attached my config below.

The tunnel is established but it seems there are some problems with routing. If I ping my strongSwan gateway from the peer network, the gateway correctly receives the ICMP packets (according to tcpdump on the gateway). However, the replies don't seem to be sent back over the tunnel (I don't see any ICMP reply with tcpdump on the gateway and the ping from the peer doesn't get any reply either).

The only suspicious things are the errors below, which come from charon despite the fact that the tunnel is established with pluto. Could this be related to the change where pluto is now using netlink for setting up policies? Here are the messages:

 charon: 05[KNL] received an SADB_ACQUIRE with policy id 140489 but no matching policy found
 charon: 05[KNL] creating acquire job for policy 10.12.15.22/32 === 27.21.27.40/32 with reqid {0}
 charon: 03[CFG] trap not found, unable to acquire reqid 0

My ipsec.conf for that connection:
---
config setup
        plutodebug=control
        crlcheckinterval=180
        strictcrlpolicy=no
        charonstart=yes
        plutostart=yes
        nat_traversal=yes

conn %default
        ikelifetime=3h
        lifetime=3h
        rekeymargin=3m
        keyingtries=1
        left=%defaultroute
        leftid=@gw.foo.com
        leftsourceip=192.168.128.1
        leftsubnet=192.168.128.0/17
        leftcert=gw_cert.pem
        leftfirewall=yes
        rightfirewall=yes

conn sj-gw
        keyexchange=ikev1
        right=%any
        leftsubnet=192.168.0.0/16
        rightsubnet=192.168.0.0/16
        rightid=@sj-gw.foo.com
        auto=add
---

Any ideas what could be wrong? Are there some additional settings required for 4.5.0 now?

Thanks for the help!

Cheers,
Benoit.
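As an added example (not part of Benoit's post and not strongSwan code): a small checker that parses the conn sections of an ipsec.conf, applies "conn %default" the way strongSwan does (the conn's own keys win), and flags the kind of traffic-selector overlap visible in the posted config, where leftsubnet and rightsubnet are both 192.168.0.0/16 and leftsourceip falls inside rightsubnet. Identical or overlapping selectors are one thing to rule out when the tunnel is up but replies from the gateway never enter it; the sample text below is constructed from the post.

```python
import ipaddress
import re

# Constructed sample: the conn sections from the post, trimmed to the keys used here.
SAMPLE_CONF = """\
conn %default
        leftsourceip=192.168.128.1
        leftsubnet=192.168.128.0/17

conn sj-gw
        keyexchange=ikev1
        right=%any
        leftsubnet=192.168.0.0/16
        rightsubnet=192.168.0.0/16
        rightid=@sj-gw.foo.com
        auto=add
"""

def parse_ipsec_conf(text):
    """Return {section_name: {key: value}} for 'conn' and 'config' sections."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = re.match(r"^(conn|config)\s+(\S+)\s*$", line)
        if m:
            current = sections.setdefault(m.group(2), {})
        elif line[0].isspace() and "=" in line and current is not None:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def effective_conn(sections, name):
    """Merge 'conn %default' with the named conn; the conn's own keys override."""
    merged = dict(sections.get("%default", {}))
    merged.update(sections[name])
    return merged

def check_subnets(conn):
    """Flag overlapping traffic selectors in one effective conn.
    Identical/overlapping left and right subnets make it ambiguous which
    gateway-originated packets should be tunnelled and which stay local."""
    findings = []
    left = ipaddress.ip_network(conn.get("leftsubnet", "0.0.0.0/0"), strict=False)
    right = ipaddress.ip_network(conn.get("rightsubnet", "0.0.0.0/0"), strict=False)
    if left == right:
        findings.append(f"leftsubnet and rightsubnet are identical: {left}")
    elif left.overlaps(right):
        findings.append(f"leftsubnet {left} overlaps rightsubnet {right}")
    src = conn.get("leftsourceip")
    if src and ipaddress.ip_address(src) in right:
        findings.append(f"leftsourceip {src} lies inside rightsubnet {right}")
    return findings
```

Run it against the real file with `check_subnets(effective_conn(parse_ipsec_conf(open("/etc/ipsec.conf").read()), "sj-gw"))`; an empty list means the selectors are disjoint.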