[strongSwan] A Possible Issue in "ipsec update" command
Sajal Malhotra
sajalmalhotra at gmail.com
Thu Jul 22 19:43:05 CEST 2010
Hi Guys!
Would be grateful if you could provide some help on this issue.
BR
Sajal
On Thu, Jul 15, 2010 at 4:11 PM, Sajal Malhotra <sajalmalhotra at gmail.com> wrote:
> Hi All,
>
> I am facing an issue with the IKEv2 stack.
> Please refer to the ipsec.conf file below:
>
> Here we have 2 connections, SA1 and SA2, which are basically 2 IPsec SAs
> using the same tunnel (IKE SA).
> The problem is that when I change the configuration of connection SA1 and fire
> "ipsec update", then both the SA1 and SA2 configurations are deleted, and
> thereafter if I try to bring up SA2, I see an error saying "no config
> named 'SA2'".
> I am performing the following steps:
> 1. Bring up SA1: "ipsec up SA1"
> 2. Bring up SA2: "ipsec up SA2"
> 3. Close SA1
> 4. Close SA2
> 5. Update the configuration of only SA1 (changed leftprotoport and
> rightprotoport to 49154).
> 6. Now I fire the "ipsec update" command.
> 7. Now try to bring up connection SA2: "ipsec up SA2"
> 8. In the attached logs, observe that an error is displayed saying: "charon:
> 09[CFG] no config named 'SA2'". Please observe that I have NOT
> updated the SA2 connection in the steps above. It seems that the SA2 configuration
> got deleted in step 6 above and hence it displays the error.
>
> Can you please confirm whether the behavior is correct and whether I am making any
> mistake in my configuration?
>
> ipsec.conf
> _____________________
>
> config setup
>     cachecrls=no
>     charonstart=yes
>     plutostart=no
>     strictcrlpolicy=no
>     uniqueids=no
>
> ca section1
>     cacert=/tmp/RootCert070f33_7349bbdb.pem
>     auto=add
>
> conn SA1
>     ikelifetime=24h
>     keyexchange=ikev2
>     keyingtries=%forever
>     keylife=90m
>     reauth=no
>     rekey=yes
>     mobike=no
>     dpddelay=0
>     rekeymargin=4m
>     ike=aes128-sha1-modp1024,3des-sha1-modp1024!
>     esp=aes128-sha1-modp1024,3des-sha1-modp1024!
>     authby=rsasig
>     left=20.20.20.20
>     leftsubnet=10.10.10.10/32
>     right=20.20.20.21
>     rightsubnet=10.10.10.12/32
>     leftprotoport=udp/49156
>     rightprotoport=udp/49156
>     leftcert=/tmp/BTScert.pem
>     rightid=%any
>     auto=add
>
> conn SA2
>     ikelifetime=24h
>     keyexchange=ikev2
>     keyingtries=%forever
>     keylife=90m
>     reauth=no
>     rekey=yes
>     mobike=no
>     dpddelay=0
>     rekeymargin=4m
>     ike=aes128-sha1-modp1024,3des-sha1-modp1024!
>     esp=aes128-sha1-modp1024,3des-sha1-modp1024!
>     authby=rsasig
>     left=20.20.20.20
>     leftsubnet=10.10.10.10/32
>     right=20.20.20.21
>     rightsubnet=10.10.10.12/32
>     leftprotoport=udp/65535
>     rightprotoport=udp/65535
>     leftcert=/tmp/BTScert.pem
>     rightid=%any
>     auto=add
>
> Thanks and Regards
> Sajal
>
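A way to check, before running "ipsec update", which conn sections of ipsec.conf actually changed and which conns share one IKE SA (same peer, certificate and IKE settings). This is an added example written for this thread, not code from the poster or from strongSwan; the sample config is a constructed abridgement of the one quoted above, and the set of parameters used to decide "same IKE SA" is an assumption of this check.

```python
"""Parse strongSwan ipsec.conf sections, diff conn sections between two versions
and list conns sharing one IKE SA. Added example for this thread, not strongSwan code."""
import re
# Parameters assumed to identify the IKE SA peer; conns agreeing on all of them share a tunnel
IKE_KEYS = ("left", "right", "leftcert", "rightid", "keyexchange", "ike")

def parse_ipsec_conf(text):
    """Return {"conn SA1": {key: value}, ...} for config/ca/conn sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        m = re.match(r"^(config|conn|ca)\s+(\S+)\s*$", line)
        if m:  # section header starts at column 0
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = {}
        elif current is not None and "=" in line:  # indented key=value
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def changed_conns(old_text, new_text):
    """Names of conn sections added, removed or edited between two versions."""
    old, new = parse_ipsec_conf(old_text), parse_ipsec_conf(new_text)
    names = {n for n in set(old) | set(new) if n.startswith("conn ")}
    return sorted(n[5:] for n in names if old.get(n) != new.get(n))

def shared_ike_groups(text):
    """Groups of conn names whose IKE_KEYS values are identical."""
    groups = {}
    for name, params in parse_ipsec_conf(text).items():
        if name.startswith("conn "):
            ident = tuple(params.get(k) for k in IKE_KEYS)
            groups.setdefault(ident, []).append(name[5:])
    return [sorted(g) for g in groups.values() if len(g) > 1]

# Constructed sample: abridged version of the two conns from the post
OLD_CONF = """\
conn SA1
    left=20.20.20.20
    right=20.20.20.21
    leftprotoport=udp/49156
    rightprotoport=udp/49156
conn SA2
    left=20.20.20.20
    right=20.20.20.21
    leftprotoport=udp/65535
    rightprotoport=udp/65535
"""
NEW_CONF = OLD_CONF.replace("udp/49156", "udp/49154")  # only SA1 edited
```

Running changed_conns on the old and new file shows that only SA1 differs, while shared_ike_groups shows that SA1 and SA2 ride the same IKE SA, which is the situation in which the post reports both configs disappearing.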