[strongSwan] A Possible Issue in "ipsec update" command

Sajal Malhotra sajalmalhotra at gmail.com
Fri Jul 30 09:35:21 CEST 2010


>
> Hi Andreas/Martin/Tobias,
>
> Would be grateful if any one of you could provide some help on this issue.
>
> BR
> Sajal
>
> On Thu, Jul 15, 2010 at 4:11 PM, Sajal Malhotra <sajalmalhotra at gmail.com> wrote:
>
>> Hi All,
>>
>> I am facing an issue with the ikev2 stack.
>> Please refer to the ipsec.conf file below:
>>
>> Here we have 2 connections, SA1 and SA2, which are basically 2 IPsec SAs
>> using the same tunnel (IKE SA).
>> The problem is that when I change the configuration of connection SA1 and fire
>> "ipsec update", both the SA1 and SA2 configurations are deleted, and
>> thereafter if I try to bring up SA2, I see an error saying "no config
>> named 'SA2'".
>> I am performing the following steps:
>> 1. bring up SA1 "ipsec up SA1"
>> 2. bring up SA2 "ipsec up SA2"
>> 3. close SA1
>> 4. close SA2
>> 5. Update the configuration of only SA1 (changed leftprotoport and
>> rightprotoport to 49154).
>> 6. Now I fired the "ipsec update" command.
>> 7. Now try to bring up connection SA2: "ipsec up SA2"
>> 8. In the attached logs, observe that an error is displayed saying: "charon:
>> 09[CFG] no config named 'SA2'". Please observe that even though I have NOT
>> updated the SA2 connection in the steps above, it seems that the SA2
>> configuration has been deleted in step 6 above, and hence it displays the error.
>>
>> Can you please confirm if the behavior is correct and if I am making any
>> mistake in my configuration?
>>
>> ipsec.conf
>> _____________________
>>
>> config setup
>>  cachecrls=no
>>  charonstart=yes
>>  plutostart=no
>>  strictcrlpolicy=no
>>  uniqueids=no
>>
>> ca section1
>>  cacert=/tmp/RootCert070f33_7349bbdb.pem
>>  auto=add
>>
>> conn SA1
>>  ikelifetime=24h
>>  keyexchange=ikev2
>>  keyingtries=%forever
>>  keylife=90m
>>  reauth=no
>>  rekey=yes
>>  mobike=no
>>  dpddelay=0
>>  rekeymargin=4m
>>  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
>>  esp=aes128-sha1-modp1024,3des-sha1-modp1024!
>>  authby=rsasig
>>  left=20.20.20.20
>>  leftsubnet=10.10.10.10/32
>>  right=20.20.20.21
>>  rightsubnet=10.10.10.12/32
>>  leftprotoport=udp/49156
>>  rightprotoport=udp/49156
>>  leftcert=/tmp/BTScert.pem
>>  rightid=%any
>>  auto=add
>>
>> conn SA2
>>  ikelifetime=24h
>>  keyexchange=ikev2
>>  keyingtries=%forever
>>  keylife=90m
>>  reauth=no
>>  rekey=yes
>>  mobike=no
>>  dpddelay=0
>>  rekeymargin=4m
>>  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
>>  esp=aes128-sha1-modp1024,3des-sha1-modp1024!
>>  authby=rsasig
>>  left=20.20.20.20
>>  leftsubnet=10.10.10.10/32
>>  right=20.20.20.21
>>  rightsubnet=10.10.10.12/32
>>  leftprotoport=udp/65535
>>  rightprotoport=udp/65535
>>  leftcert=/tmp/BTScert.pem
>>  rightid=%any
>>  auto=add
>>
>> Thanks and Regards
>> Sajal
>>
>
>