[strongSwan] A Possible Issue in "ipsec update" command
Sajal Malhotra
sajalmalhotra at gmail.com
Thu Jul 15 12:41:20 CEST 2010
Hi All,
I am facing an issue with the IKEv2 stack.
Please refer to the ipsec.conf file below.
Here we have 2 connections, SA1 and SA2, which are basically 2 IPsec SAs using
the same tunnel (IKE SA).
The problem is that when I change the configuration of connection SA1 and fire
"ipsec update", then both the SA1 and SA2 configurations are deleted, and
thereafter if I try to bring up SA2, I see an error saying "no config
named 'SA2'".
I am performing the following steps:
1. Bring up SA1: "ipsec up SA1"
2. Bring up SA2: "ipsec up SA2"
3. Close SA1
4. Close SA2
5. Update the configuration of only SA1 (changed leftprotoport and
rightprotoport to 49154).
6. Now fire the "ipsec update" command.
7. Now try to bring up connection SA2: "ipsec up SA2"
8. In the attached logs, observe that an error is displayed saying: "charon:
09[CFG] no config named 'SA2'". Please note that I have NOT updated the SA2
connection in the steps above. It seems that the SA2 configuration got
deleted in step 6 above and hence it displays the error.
Can you please confirm whether the behavior is correct and whether I am making any
mistake in my configuration?
ipsec.conf
_____________________
config setup
    cachecrls=no
    charonstart=yes
    plutostart=no
    strictcrlpolicy=no
    uniqueids=no

ca section1
    cacert=/tmp/RootCert070f33_7349bbdb.pem
    auto=add

conn SA1
    ikelifetime=24h
    keyexchange=ikev2
    keyingtries=%forever
    keylife=90m
    reauth=no
    rekey=yes
    mobike=no
    dpddelay=0
    rekeymargin=4m
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!
    authby=rsasig
    left=20.20.20.20
    leftsubnet=10.10.10.10/32
    right=20.20.20.21
    rightsubnet=10.10.10.12/32
    leftprotoport=udp/49156
    rightprotoport=udp/49156
    leftcert=/tmp/BTScert.pem
    rightid=%any
    auto=add

conn SA2
    ikelifetime=24h
    keyexchange=ikev2
    keyingtries=%forever
    keylife=90m
    reauth=no
    rekey=yes
    mobike=no
    dpddelay=0
    rekeymargin=4m
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!
    authby=rsasig
    left=20.20.20.20
    leftsubnet=10.10.10.10/32
    right=20.20.20.21
    rightsubnet=10.10.10.12/32
    leftprotoport=udp/65535
    rightprotoport=udp/65535
    leftcert=/tmp/BTScert.pem
    rightid=%any
    auto=add
Thanks and Regards
Sajal
-------------- next part --------------
Jul 14 15:57:56 sajal-desktop charon: 01[DMN] starting charon (strongSwan Version 4.2.8)
Jul 14 15:57:56 sajal-desktop charon: 01[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Jul 14 15:57:56 sajal-desktop charon: 01[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Jul 14 15:57:56 sajal-desktop charon: 01[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Jul 14 15:57:56 sajal-desktop charon: 01[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Jul 14 15:57:56 sajal-desktop charon: 01[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Jul 14 15:57:56 sajal-desktop charon: 01[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Jul 14 15:57:56 sajal-desktop charon: 01[CFG] loaded private key file '/home/sajal/cer17Jun/Key.pem'
Jul 14 15:57:56 sajal-desktop charon: 01[JOB] spawning 16 worker threads
Jul 14 15:57:56 sajal-desktop charon: 03[CFG] received stroke: add ca 'CA1'
Jul 14 15:57:56 sajal-desktop charon: 03[LIB] loaded certificate file '/home/sajal/cer17Jun/cacert.pem'
Jul 14 15:57:56 sajal-desktop charon: 03[CFG] added ca 'CA1'
Jul 14 15:57:56 sajal-desktop charon: 08[CFG] received stroke: add connection 'SA1'
Jul 14 15:57:56 sajal-desktop charon: 08[CFG] left nor right host is our side, assuming left=local
Jul 14 15:57:56 sajal-desktop charon: 08[LIB] loaded certificate file '/home/sajal/cer17Jun/Mycert.pem'
Jul 14 15:57:56 sajal-desktop charon: 08[CFG] peerid 20.20.20.21 not confirmed by certificate, defaulting to subject DN
Jul 14 15:57:56 sajal-desktop charon: 08[CFG] received stroke: add connection 'SA2'
Jul 14 15:57:56 sajal-desktop charon: 08[CFG] left nor right host is our side, assuming left=local
Jul 14 15:57:56 sajal-desktop charon: 08[LIB] loaded certificate file '/home/sajal/cer17Jun/Mycert.pem'
Jul 14 15:57:56 sajal-desktop charon: 08[CFG] peerid 20.20.20.21 not confirmed by certificate, defaulting to subject DN
Jul 14 15:57:56 sajal-desktop charon: 08[CFG] added child to existing configuration 'SA1'
Jul 14 15:58:17 sajal-desktop charon: 13[CFG] received stroke: delete connection 'SA1'
Jul 14 15:58:17 sajal-desktop charon: 13[CFG] deleted connection 'SA1'
Jul 14 15:58:17 sajal-desktop charon: 08[CFG] received stroke: add connection 'SA1'
Jul 14 15:58:17 sajal-desktop charon: 08[CFG] left nor right host is our side, assuming left=local
Jul 14 15:58:17 sajal-desktop charon: 08[LIB] loaded certificate file '/home/sajal/cer17Jun/Mycert.pem'
Jul 14 15:58:17 sajal-desktop charon: 08[CFG] peerid 20.20.20.21 not confirmed by certificate, defaulting to subject DN
Jul 14 15:58:57 sajal-desktop charon: 09[CFG] received stroke: initiate 'SA2'
Jul 14 15:58:57 sajal-desktop charon: 09[CFG] no config named 'SA2'
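A small checker, added here and not part of the original post or of strongSwan, that reads an ipsec.conf and reports which other conns would lose their child config when one conn is edited and "ipsec update" is run, which is what the log line "added child to existing configuration 'SA1'" followed by "no config named 'SA2'" shows happening. The set of IKE-level keys it compares is an assumption approximating what charon matches before reusing a peer config; the sample config is constructed from the post.

```python
import re

# Constructed ipsec.conf modelled on the post: SA1 and SA2 share every IKE-level
# setting and differ only in protoport; SA3 points at a different peer.
SAMPLE_CONF = """\
conn SA1
    keyexchange=ikev2
    left=20.20.20.20
    right=20.20.20.21
    leftprotoport=udp/49156
    rightprotoport=udp/49156
conn SA2
    keyexchange=ikev2
    left=20.20.20.20
    right=20.20.20.21
    leftprotoport=udp/65535
    rightprotoport=udp/65535
conn SA3
    keyexchange=ikev2
    left=20.20.20.20
    right=20.20.20.22
"""

# Assumed approximation of what charon compares before attaching a conn as a child
# to an existing peer config (the "added child to existing configuration" log line):
# settings that describe the IKE SA rather than one CHILD SA.
IKE_LEVEL_KEYS = {"keyexchange", "ike", "ikelifetime", "left", "right", "leftid",
                  "rightid", "leftcert", "authby", "reauth", "mobike", "dpddelay"}

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section; config/ca are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^(config|ca|conn)\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
            continue
        if current is not None and "=" in line:
            k, v = line.strip().split("=", 1)
            current[k.strip()] = v.strip()
    return conns

def affected_by_update(text, changed):
    """Other conns whose child config goes away with `changed` on 'ipsec update'."""
    conns = parse_conns(text)
    ike = lambda o: tuple(sorted((k, v) for k, v in o.items() if k in IKE_LEVEL_KEYS))
    return sorted(n for n, o in conns.items() if n != changed and ike(o) == ike(conns[changed]))
```

Run it against the real ipsec.conf before an update: any name it reports for the conn you are changing is one you will have to re-add or re-initiate afterwards.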