[strongSwan] client rekey fails with openl2tp in transport mode

Frank frank at debian-nas.org
Tue Oct 18 17:17:06 CEST 2011


Hi,

I'm running strongswan as a server for roadwarriors using IPsec/L2TP in transport mode (I'm aware of the security implications). My problem is as follows: when the client rekeys (MS Windows XP and Vista clients), the L2TP connection fails.

I haven't done a full in-depth analysis, but I think the same issue arises that occurs with Openswan or racoon in this setup using NETKEY (see: https://gsoc.xelerance.com/issues/1177 ).
It's supposedly related to the way SPD policies are updated upon rekey (as I've been told by openswan devs). I think this was addressed by the following post:
https://lists.strongswan.org/pipermail/dev/2010-May/000200.html

As far as I can tell, the proposed patch was never incorporated into strongswan (maybe it didn't fix the problem in the right way?).

The log says the following during the roadwarrior initiated rekey (I'm testing by connecting from the same subnet):
 Oct 18 16:52:40 dev pluto[29418]: "l2tp-x509-vista"[2] 192.168.1.110 #3: responding to Quick Mode
 Oct 18 16:52:40 dev pluto[29418]: "l2tp-x509-vista"[2] 192.168.1.110 #3: discarding duplicate packet; already STATE_QUICK_R1
 Oct 18 16:52:40 dev pluto[29418]: deleting policy 192.168.1.110/32[udp/l2f] === 192.168.1.103/32[udp/l2f] fwd failed, not found
 Oct 18 16:52:40 dev pluto[29418]: "l2tp-x509-vista"[2] 192.168.1.110 #3: IPsec SA established {ESP=>0x370fc7a2 <0xcd0643e8}
 Oct 18 16:52:40 dev pluto[29418]: "l2tp-x509-vista"[2] 192.168.1.110 #1: received Delete SA(0xdf403044) payload: deleting IPSEC State #2

If any additional information is needed, I'm happy to provide it.

Regards,
Frank