[strongSwan] regarding "reauthenticating IKE_SA due to address change"
Tobias Brunner
tobias at strongswan.org
Tue Aug 2 12:02:44 CEST 2011
Hi Ujial,
> Interface eth1 IP address is given as: 10.29.11.66/16 and the virtual
> IP address 10.29.11.67/16. The tunnels are as follows
>
> 1) 10.29.11.66<---------------------------------->10.29.11.36
> 2) 10.29.11.67<---------------------------------->10.29.11.36
This looks like you have set up two IKE_SAs, one from each IP address.
When charon does perform a route lookup this will cause the observed
problem for the second SA as its source IP will not match the address
returned from the lookup.

Now, why don't you set up just one IKE_SA and two CHILD_SAs on top of
that? Something like:

conn %default
    right=10.29.11.36
    # ... other shared options

conn child-one
    leftsubnet=10.29.11.66/32
    auto=add

conn child-two
    leftsubnet=10.29.11.67/32
    auto=add

The config on the other peer (10.29.11.36) has to match these (e.g.
rightsubnet=10.29.11.64/29 or with two separate configs as above).

Regards,
Tobias
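
An added example, not part of the message above and not strongSwan code: a Python check that every CHILD_SA leftsubnet in the suggested config falls inside the rightsubnet configured on the peer, so a selector mismatch is caught before the tunnel is brought up. The function names are hypothetical, and the parser handles only the simple conn / key=value layout shown in the reply.

```python
import ipaddress

# Constructed sample: local config from the reply above; peer selector as it suggests.
LOCAL_CONF = """\
conn %default
    right=10.29.11.36
conn child-one
    leftsubnet=10.29.11.66/32
    auto=add
conn child-two
    leftsubnet=10.29.11.67/32
    auto=add
"""
PEER_RIGHTSUBNET = "10.29.11.64/29"


def parse_conns(text):
    """Parse ipsec.conf-style 'conn' sections; %default values are inherited."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header, e.g. "conn child-one"
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:  # indented key=value inside a conn
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}


def uncovered_children(local_conf, peer_rightsubnet):
    """Return conn names with a leftsubnet outside the peer's rightsubnet."""
    peer_nets = [ipaddress.ip_network(n.strip()) for n in peer_rightsubnet.split(",")]

    def covered(net):
        return any(net.version == p.version and net.subnet_of(p) for p in peer_nets)

    missing = []
    for name, opts in parse_conns(local_conf).items():
        subnets = [s.strip() for s in opts.get("leftsubnet", "").split(",") if s.strip()]
        if not all(covered(ipaddress.ip_network(s)) for s in subnets):
            missing.append(name)
    return missing


if __name__ == "__main__":
    print(uncovered_children(LOCAL_CONF, PEER_RIGHTSUBNET))
```

Conns without a leftsubnet are not flagged by this check; it only compares selectors that are written out explicitly.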