[strongSwan] A Possible Issue in "ipsec update" command

Sajal Malhotra sajalmalhotra at gmail.com
Thu Jul 15 12:41:20 CEST 2010


Hi All,

I am facing an issue with the IKEv2 stack.
Please refer to the ipsec.conf file below:

Here we have two connections, SA1 and SA2, which are basically two IPsec SAs using
the same tunnel (IKE SA).
The problem is that when I change the configuration of connection SA1 and fire
"ipsec update", the configurations of both SA1 and SA2 are deleted, and
thereafter if I try to bring up SA2, I see an error saying "no config
named 'SA2'".
I am performing the following steps:
1. Bring up SA1: "ipsec up SA1"
2. Bring up SA2: "ipsec up SA2"
3. Close SA1
4. Close SA2
5. Update the configuration of SA1 only (changed leftprotoport and
rightprotoport to 49154).
6. Fire the "ipsec update" command.
7. Try to bring up connection SA2: "ipsec up SA2"
8. In the attached logs, observe that an error is displayed: "charon:
09[CFG] no config named 'SA2'". Please observe that I have NOT updated the
SA2 connection in the steps above. It seems that the SA2 configuration
got deleted in step 6 above and hence it displays the error.

Can you please confirm whether this behaviour is correct and whether I am making
any mistake in my configuration?

ipsec.conf
_____________________

config setup
 cachecrls=no
 charonstart=yes
 plutostart=no
 strictcrlpolicy=no
 uniqueids=no

ca section1
 cacert=/tmp/RootCert070f33_7349bbdb.pem
 auto=add

conn SA1
 ikelifetime=24h
 keyexchange=ikev2
 keyingtries=%forever
 keylife=90m
 reauth=no
 rekey=yes
 mobike=no
 dpddelay=0
 rekeymargin=4m
 ike=aes128-sha1-modp1024,3des-sha1-modp1024!
 esp=aes128-sha1-modp1024,3des-sha1-modp1024!
 authby=rsasig
 left=20.20.20.20
 leftsubnet=10.10.10.10/32
 right=20.20.20.21
 rightsubnet=10.10.10.12/32
 leftprotoport=udp/49156
 rightprotoport=udp/49156
 leftcert=/tmp/BTScert.pem
 rightid=%any
 auto=add

conn SA2
 ikelifetime=24h
 keyexchange=ikev2
 keyingtries=%forever
 keylife=90m
 reauth=no
 rekey=yes
 mobike=no
 dpddelay=0
 rekeymargin=4m
 ike=aes128-sha1-modp1024,3des-sha1-modp1024!
 esp=aes128-sha1-modp1024,3des-sha1-modp1024!
 authby=rsasig
 left=20.20.20.20
 leftsubnet=10.10.10.10/32
 right=20.20.20.21
 rightsubnet=10.10.10.12/32
 leftprotoport=udp/65535
 rightprotoport=udp/65535
 leftcert=/tmp/BTScert.pem
 rightid=%any
 auto=add

Thanks and Regards
Sajal
-------------- next part --------------
Jul 14 15:57:56 sajal-desktop charon: 01[DMN] starting charon (strongSwan Version 4.2.8)
Jul 14 15:57:56 sajal-desktop charon: 01[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Jul 14 15:57:56 sajal-desktop charon: 01[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Jul 14 15:57:56 sajal-desktop charon: 01[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Jul 14 15:57:56 sajal-desktop charon: 01[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Jul 14 15:57:56 sajal-desktop charon: 01[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Jul 14 15:57:56 sajal-desktop charon: 01[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Jul 14 15:57:56 sajal-desktop charon: 01[CFG]   loaded private key file '/home/sajal/cer17Jun/Key.pem'
Jul 14 15:57:56 sajal-desktop charon: 01[JOB] spawning 16 worker threads
Jul 14 15:57:56 sajal-desktop charon: 03[CFG] received stroke: add ca 'CA1'
Jul 14 15:57:56 sajal-desktop charon: 03[LIB]   loaded certificate file '/home/sajal/cer17Jun/cacert.pem'
Jul 14 15:57:56 sajal-desktop charon: 03[CFG] added ca 'CA1'
Jul 14 15:57:56 sajal-desktop charon: 08[CFG] received stroke: add connection 'SA1'
Jul 14 15:57:56 sajal-desktop charon: 08[CFG] left nor right host is our side, assuming left=local
Jul 14 15:57:56 sajal-desktop charon: 08[LIB]   loaded certificate file '/home/sajal/cer17Jun/Mycert.pem'
Jul 14 15:57:56 sajal-desktop charon: 08[CFG]   peerid 20.20.20.21 not confirmed by certificate, defaulting to subject DN
Jul 14 15:57:56 sajal-desktop charon: 08[CFG] received stroke: add connection 'SA2'
Jul 14 15:57:56 sajal-desktop charon: 08[CFG] left nor right host is our side, assuming left=local
Jul 14 15:57:56 sajal-desktop charon: 08[LIB]   loaded certificate file '/home/sajal/cer17Jun/Mycert.pem'
Jul 14 15:57:56 sajal-desktop charon: 08[CFG]   peerid 20.20.20.21 not confirmed by certificate, defaulting to subject DN
Jul 14 15:57:56 sajal-desktop charon: 08[CFG] added child to existing configuration 'SA1'
Jul 14 15:58:17 sajal-desktop charon: 13[CFG] received stroke: delete connection 'SA1'
Jul 14 15:58:17 sajal-desktop charon: 13[CFG] deleted connection 'SA1'
Jul 14 15:58:17 sajal-desktop charon: 08[CFG] received stroke: add connection 'SA1'
Jul 14 15:58:17 sajal-desktop charon: 08[CFG] left nor right host is our side, assuming left=local
Jul 14 15:58:17 sajal-desktop charon: 08[LIB]   loaded certificate file '/home/sajal/cer17Jun/Mycert.pem'
Jul 14 15:58:17 sajal-desktop charon: 08[CFG]   peerid 20.20.20.21 not confirmed by certificate, defaulting to subject DN
Jul 14 15:58:57 sajal-desktop charon: 09[CFG] received stroke: initiate 'SA2'
Jul 14 15:58:57 sajal-desktop charon: 09[CFG] no config named 'SA2'
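
The attached log records the sequence behind the question: charon logs SA2 as "added child to existing configuration 'SA1'", the "ipsec update" shows up as "delete connection 'SA1'" followed by "add connection 'SA1'", and the later "initiate 'SA2'" fails with "no config named 'SA2'". The script below is an added example, not code from strongSwan or from the original poster: it replays those stroke messages from a charon log and reports which conns disappeared only because the config they had been merged into was deleted. It assumes that a conn logged as a child of 'X' is removed together with 'X' (which is what the attached log shows), and the sample lines are copied from that log with the timestamp and host prefix shortened.

```python
"""Replay charon stroke add/delete messages and spot child configs that
vanished together with the peer config they were merged into.

Constructed example for the strongSwan thread above; it is not strongSwan
code and not the poster's.  Assumptions: a conn that charon logs as
"added child to existing configuration 'X'" lives under X, and
"delete connection 'X'" removes X together with every conn attached to it
(the behaviour visible in the attached charon 4.2.8 log).  "ipsec update"
appears in that log as a delete followed by an add of the changed conn.
"""
import re
from typing import Dict, List, Optional, Tuple

# Message formats copied from the charon log attached to the post.
RE_ADD = re.compile(r"\[CFG\] received stroke: add connection '([^']+)'")
RE_CHILD = re.compile(r"\[CFG\] added child to existing configuration '([^']+)'")
RE_DELETE = re.compile(r"\[CFG\] received stroke: delete connection '([^']+)'")
RE_NOCFG = re.compile(r"\[CFG\] no config named '([^']+)'")

# Lines copied from the attached log (timestamp and hostname dropped).
SAMPLE_LOG = [
    "08[CFG] received stroke: add connection 'SA1'",
    "08[CFG] left nor right host is our side, assuming left=local",
    "08[CFG] received stroke: add connection 'SA2'",
    "08[CFG] left nor right host is our side, assuming left=local",
    "08[CFG] added child to existing configuration 'SA1'",
    "13[CFG] received stroke: delete connection 'SA1'",
    "13[CFG] deleted connection 'SA1'",
    "08[CFG] received stroke: add connection 'SA1'",
    "09[CFG] received stroke: initiate 'SA2'",
    "09[CFG] no config named 'SA2'",
]


def track_configs(lines: List[str]) -> Tuple[Dict[str, str], List[Tuple[str, str]], List[str]]:
    """Replay add/child/delete messages and return (parents, dropped, missing).

    parents: conn name -> name of the config it currently lives under
             (itself when it stands alone)
    dropped: (child, parent) pairs removed only because the parent was deleted
    missing: names charon reported as "no config named"
    """
    parents: Dict[str, str] = {}
    dropped: List[Tuple[str, str]] = []
    missing: List[str] = []
    # The "added child" line follows the "add connection" line a few lines
    # later, so remember the most recent add until we know where it landed.
    pending: Optional[str] = None

    for line in lines:
        m = RE_ADD.search(line)
        if m:
            pending = m.group(1)
            parents[pending] = pending  # stands alone unless a child line follows
            continue
        m = RE_CHILD.search(line)
        if m and pending is not None:
            parents[pending] = m.group(1)  # merged into an existing config
            pending = None
            continue
        m = RE_DELETE.search(line)
        if m:
            name = m.group(1)
            # Deleting a config takes every conn attached to it along.
            for conn, parent in list(parents.items()):
                if parent == name:
                    if conn != name:
                        dropped.append((conn, name))
                    del parents[conn]
            pending = None
            continue
        m = RE_NOCFG.search(line)
        if m:
            missing.append(m.group(1))
    return parents, dropped, missing


def collateral_deletions(lines: List[str]) -> List[str]:
    """Conns that vanished with their parent and were later reported missing."""
    _, dropped, missing = track_configs(lines)
    return sorted({child for child, _ in dropped if child in missing})


def report(lines: List[str]) -> List[str]:
    """Human-readable summary of what the replay found."""
    parents, dropped, missing = track_configs(lines)
    out = [f"{c} was deleted together with {p} (it was a child of {p})" for c, p in dropped]
    out += [f"charon has no config named {n}" for n in missing]
    for conn, parent in sorted(parents.items()):
        out.append(f"{conn} is loaded" + ("" if conn == parent else f" as a child of {parent}"))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a full charon log (grep for `[CFG]` first) to see which conns were merged as children of another config; those are the ones an "ipsec update" of the parent will take down as well, so they need to be re-added (or `ipsec reload`ed) afterwards.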

