[strongSwan] A Possible Issue in "ipsec update" command

Sajal Malhotra sajalmalhotra at gmail.com
Thu Jul 22 19:43:05 CEST 2010


Hi Guys!

Would be grateful if you could provide some help on this issue.

BR
Sajal

On Thu, Jul 15, 2010 at 4:11 PM, Sajal Malhotra <sajalmalhotra at gmail.com> wrote:

> Hi All,
>
> I am facing an issue with the ikev2 stack.
> Please refer to the ipsec.conf file below:
>
> Here we have 2 connections SA1 and SA2 which are basically 2 IPsec SAs
> using the same tunnel (IKE SA).
> Problem is that when I change the configuration of connection SA1 and fire
> "ipsec update" then both SA1 and SA2 configurations are deleted and
> thereafter if I try to bring up SA2, I see an error saying "no config
> named 'SA2'"
> I am performing following steps:
> 1. bring up SA1 "ipsec up SA1"
> 2. bring up SA2 "ipsec up SA2"
> 3. close SA1
> 4. close SA2
> 5. Update the configuration of only SA1 (changed leftprotoport and
> rightprotoport to 49154).
> 6. now I fired "ipsec update" command.
> 7. now try to bring up connection SA2. "ipsec up SA2"
> 8. In logs attached observe that an error is displayed saying: "charon:
> 09[CFG] no config named 'SA2'". Please observe that even though I have NOT
> updated the SA2 connection in the steps above, it seems that SA2 configuration has
> got deleted in step 6 above and hence it displays the error.
>
> Can you please confirm if the behavior is correct and if I am making any
> mistake in my configuration?
>
> ipsec.conf
> _____________________
>
> config setup
>  cachecrls=no
>  charonstart=yes
>  plutostart=no
>  strictcrlpolicy=no
>  uniqueids=no
>
> ca section1
>  cacert=/tmp/RootCert070f33_7349bbdb.pem
>  auto=add
>
> conn SA1
>  ikelifetime=24h
>  keyexchange=ikev2
>  keyingtries=%forever
>  keylife=90m
>  reauth=no
>  rekey=yes
>  mobike=no
>  dpddelay=0
>  rekeymargin=4m
>  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
>  esp=aes128-sha1-modp1024,3des-sha1-modp1024!
>  authby=rsasig
>  left=20.20.20.20
>  leftsubnet=10.10.10.10/32
>  right=20.20.20.21
>  rightsubnet=10.10.10.12/32
>  leftprotoport=udp/49156
>  rightprotoport=udp/49156
>  leftcert=/tmp/BTScert.pem
>  rightid=%any
>  auto=add
>
> conn SA2
>  ikelifetime=24h
>  keyexchange=ikev2
>  keyingtries=%forever
>  keylife=90m
>  reauth=no
>  rekey=yes
>  mobike=no
>  dpddelay=0
>  rekeymargin=4m
>  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
>  esp=aes128-sha1-modp1024,3des-sha1-modp1024!
>  authby=rsasig
>  left=20.20.20.20
>  leftsubnet=10.10.10.10/32
>  right=20.20.20.21
>  rightsubnet=10.10.10.12/32
>  leftprotoport=udp/65535
>  rightprotoport=udp/65535
>  leftcert=/tmp/BTScert.pem
>  rightid=%any
>  auto=add
>
> Thanks and Regards
> Sajal
>
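An added example (not strongSwan's code and not from the poster) for reasoning about what `ipsec update` should reload here: a small parser for the ipsec.conf format quoted above that reports which `conn` sections actually differ between two revisions of the file. The sample configs are constructed from the poster's SA1/SA2, trimmed to the settings that change in step 5; the expected result is that only SA1 is reported as changed while SA2 is unchanged and should remain loadable.

```python
# Added example, not strongSwan's own code: parse ipsec.conf-style text
# into sections and classify each 'conn' between two revisions. The set
# reported as 'changed' is what a selective reload should touch.

def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}} for config/ca/conn sections.
    Headers start in column 0 ('conn SA1'); settings are indented key=value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header
            kind, _, name = line.strip().partition(" ")
            current = (kind, name.strip())
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"setting outside any section: {line!r}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed setting: {line!r}")
        sections[current][key.strip()] = value.strip()
    return sections

def changed_conns(old, new):
    """Classify every conn as 'added', 'removed', 'changed' or 'unchanged'."""
    a, b = parse_ipsec_conf(old), parse_ipsec_conf(new)
    names = {n for kind, n in list(a) + list(b) if kind == "conn"}
    verdict = {}
    for n in sorted(names):
        before, after = a.get(("conn", n)), b.get(("conn", n))
        verdict[n] = ("added" if before is None else "removed" if after is None
                      else "changed" if before != after else "unchanged")
    return verdict

# Constructed sample: the poster's SA1/SA2 reduced to the keys that differ.
BASE = """conn SA1
 leftprotoport=udp/49156
 rightprotoport=udp/49156
 auto=add

conn SA2
 leftprotoport=udp/65535
 rightprotoport=udp/65535
 auto=add
"""
UPDATED = BASE.replace("udp/49156", "udp/49154")   # step 5 of the report
```

Running `changed_conns(BASE, UPDATED)` yields `{'SA1': 'changed', 'SA2': 'unchanged'}`, which is the outcome the poster expected from `ipsec update`.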

