[strongSwan] MOBIKE

Tobias Brunner tobias at strongswan.org
Fri Jul 29 15:58:50 CEST 2011


Hi Patricia,

 > I've tested strongswan-4.5.3rc2 and I still get the same behaviour.
 > I'm testing MOBIKE by sending CBR traffic from the initiator at a
 > rate of 45Kbps.
 >
> When I deactivate eth0 I obtain the behavior that you can see on one.png.
>
> Then, I activate eth0 again and deactivate eth1 and I obtain the
> behaviour showed in two.png (nothing strange).

Ah, the problem here is not exactly what I described previously and not 
quite what the patch fixes.  The problem in this situation is that the 
original IPsec SA covers packets between 163.117.141.82 and 
163.117.141.81.  Now, when 163.117.141.82 goes down, there is simply no 
IPsec SA yet which covers eth1's 163.117.14.33.  MOBIKE has first to 
determine this as a valid path and then update the SA appropriately. 
The submitted patch basically fixes this last update step.  So how do 
you fix it?  Well, you have to make sure that 'left' (the IP address 
that might change) is not part of the local traffic selector.  To do so 
I'd recommend you assign your client a virtual IP address.

Regards,
Tobias





More information about the Users mailing list