[strongSwan] IKEv1 connection issues after upgrading from 4.4.1 to 4.5.0
Benoit Foucher
benoit at bittrap.com
Thu Dec 2 20:53:58 CET 2010
Hi,
I've upgraded from 4.4.1 to 4.5.0 today to work around the issue where a given peer ID can't acquire multiple virtual IP addresses. However, my IKEv1 connections don't work anymore now. I did add keyexchange=ikev1 to make sure to use pluto. I've attached my config below.
The tunnel is established but it seems there are some problems with routing. If I ping my strongSwan gateway from the peer network, the gateway correctly receives the ICMP packets (according to tcpdump on the gateway). However, the replies don't seem to be sent back over the tunnel (I don't see any ICMP reply with tcpdump on the gateway and the ping from the peer doesn't get any reply either).
The only suspicious things are the errors below, which come from charon despite the fact that the tunnel is established with pluto. Could this be related to the change where pluto is now using netlink for setting up policies? Here are the messages:
charon: 05[KNL] received an SADB_ACQUIRE with policy id 140489 but no matching policy found
charon: 05[KNL] creating acquire job for policy 10.12.15.22/32 === 27.21.27.40/32 with reqid {0}
charon: 03[CFG] trap not found, unable to acquire reqid 0
My ipsec.conf for that connection:
---
config setup
	plutodebug=control
	crlcheckinterval=180
	strictcrlpolicy=no
	charonstart=yes
	plutostart=yes
	nat_traversal=yes

conn %default
	ikelifetime=3h
	lifetime=3h
	rekeymargin=3m
	keyingtries=1
	left=%defaultroute
	leftid=@gw.foo.com
	leftsourceip=192.168.128.1
	leftsubnet=192.168.128.0/17
	leftcert=gw_cert.pem
	leftfirewall=yes
	rightfirewall=yes

conn sj-gw
	keyexchange=ikev1
	right=%any
	leftsubnet=192.168.0.0/16
	rightsubnet=192.168.0.0/16
	rightid=@sj-gw.foo.com
	auto=add
----
Any ideas what could be wrong? Are there some additional settings required for 4.5.0 now?
Thanks for the help!
Cheers,
Benoit.
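A check that helps with the kind of symptom described in this post (tunnel up, replies not leaving over the tunnel, charon logging an acquire with reqid 0) is to look at what the kernel actually has installed with `ip xfrm policy show` and ask which policy, if any, covers a given packet and which reqid it carries. The script below is an added example, not part of the original mail or of strongSwan: it parses the output of `ip xfrm policy show` and reports, for a source/destination/direction triple, whether no policy matches, whether the matching policy has reqid 0 (a trap policy not bound to any negotiated SA, which is what charon's "unable to acquire reqid 0" message refers to), or which reqid the traffic is mapped to. The embedded sample output is constructed for the example; the tunnel endpoints 203.0.113.10 and 198.51.100.20 in it are placeholder addresses, and the 10.12.15.22/27.21.27.40 selector is taken from the charon log line above.

```python
import ipaddress
import re
import subprocess
import sys

# Constructed sample of `ip xfrm policy show` output (not captured from the
# poster's gateway). Policy 1 mirrors the selector in the charon acquire
# message and deliberately carries reqid 0; policies 2 and 3 are the
# out/in pair one would expect for the sj-gw connection's 192.168.0.0/16 subnets.
SAMPLE_XFRM_POLICY = """\
src 10.12.15.22/32 dst 27.21.27.40/32
	dir out priority 2344
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode tunnel
src 192.168.0.0/16 dst 192.168.0.0/16
	dir out priority 1827
	tmpl src 203.0.113.10 dst 198.51.100.20
		proto esp reqid 1 mode tunnel
src 192.168.0.0/16 dst 192.168.0.0/16
	dir in priority 1827
	tmpl src 198.51.100.20 dst 203.0.113.10
		proto esp reqid 1 mode tunnel
"""


def parse_xfrm_policies(text):
    """Parse `ip xfrm policy show` output into a list of policy dicts.

    Each policy starts with a 'src X dst Y' line; the following indented
    lines give its direction/priority and the template (with the reqid).
    """
    policies = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A new policy header (template lines start with 'tmpl', so they
        # do not match here because re.match anchors at the line start).
        m = re.match(r"src (\S+) dst (\S+)", line)
        if m:
            current = {
                "src": ipaddress.ip_network(m.group(1), strict=False),
                "dst": ipaddress.ip_network(m.group(2), strict=False),
                "dir": None,
                "priority": None,
                "reqid": None,
            }
            policies.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"dir (\w+) priority (\d+)", line)
        if m:
            current["dir"] = m.group(1)
            current["priority"] = int(m.group(2))
            continue
        m = re.search(r"\breqid (\d+)\b", line)
        if m:
            current["reqid"] = int(m.group(1))
    return policies


def find_policy(policies, src_ip, dst_ip, direction):
    """Return the policy the kernel would select for this packet, or None.

    XFRM picks the matching policy with the lowest priority value.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    candidates = [
        p for p in policies
        if p["dir"] == direction and src in p["src"] and dst in p["dst"]
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda p: p["priority"])


def explain(policies, src_ip, dst_ip, direction):
    """Classify why traffic would (or would not) be sent over a tunnel."""
    policy = find_policy(policies, src_ip, dst_ip, direction)
    if policy is None:
        return "no-policy"          # packet will be routed in the clear
    if policy["reqid"] == 0:
        return "reqid-0"            # trap policy not bound to any SA
    return "reqid-%d" % policy["reqid"]


def load_live_policies():
    """Read the real policy table from the running kernel (Linux only)."""
    out = subprocess.run(["ip", "xfrm", "policy", "show"],
                         check=True, capture_output=True, text=True).stdout
    return parse_xfrm_policies(out)


if __name__ == "__main__":
    # usage: script.py SRC DST in|out   (reads the live kernel table);
    # with no arguments the constructed sample is used.
    if len(sys.argv) == 4:
        pols = load_live_policies()
        print(explain(pols, sys.argv[1], sys.argv[2], sys.argv[3]))
    else:
        pols = parse_xfrm_policies(SAMPLE_XFRM_POLICY)
        for src, dst, d in [("10.12.15.22", "27.21.27.40", "out"),
                            ("192.168.128.1", "192.168.1.5", "out"),
                            ("192.168.128.1", "10.99.0.1", "out")]:
            print(src, "->", dst, d, explain(pols, src, dst, d))
```

For the poster's case, running it on the gateway with the ping source and the peer-side address in direction `out` tells you directly whether the ICMP reply is being matched by a policy at all, and if so whether that policy still has reqid 0 instead of the reqid of the SA that pluto negotiated.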