[strongSwan] procedure on network interface changes to ensure least disruption to ipsec tunnels currently established

Tobias Brunner tobias at strongswan.org
Mon Apr 2 11:51:46 CEST 2012


Hi Sanjay,

> I have a situation wherein a floating ipAddress is assigned and removed
> on the network interface (ifconfig up/down) during the runtime when
> various tunnels are established on my machine.
> 
> I observe that ipsec daemon does not establish the tunnels on any
> ipAddress provisioned after ipsec was started, sort of seems unaware of it.
> 
> If I restart ipsec then works out fine. Since the majority of tunnels
> are not affected by this interface change I would like to preserve the
> currently established tunnel and somehow have the ipsec daemon be aware
> of the update to the nw interface. I understand adding a new IPAddres on
> the network interface has some fundamental effects on the daemon as it
> has to listen for IKE messages on that ip.
> 
> Looking for suggestions for this scenario.

The IKEv2 daemon listens for changes to interfaces, IP addresses and
routes.  With the MOBIKE protocol (enabled by default) it is also
possible to automatically update established tunnels to use a new
address, if required.  Increasing the loglevel of the knl log group to
at least 2 (see [1]) should show you the kernel events that are observed
by the daemon.  The log should also show you what the daemon does when
it notices any such changes.

Regards,
Tobias

[1] http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
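As an added illustration of the logging advice above (not part of the original reply), the strongswan.conf fragment below raises the knl (kernel interface) and ike log groups to level 2 for a dedicated charon log file, so address and route events and the resulting MOBIKE updates become visible; the file path and the choice of filelog over syslog are assumptions, and the equivalent charondebug line for ipsec.conf is included for setups that do not use strongswan.conf logging.

```conf
# strongswan.conf (assumed location: /etc/strongswan.conf)
charon {
    filelog {
        # assumed log path; any writable file works
        /var/log/charon.log {
            # keep everything else at audit level (1) to limit noise
            default = 1
            # kernel interface: interface/address/route change events
            # as seen by the daemon (level 2 = control)
            knl = 2
            # IKE: shows MOBIKE address updates applied to established
            # tunnels after such a change
            ike = 2
            time_format = %b %e %T
            append = no
            flush_line = yes
        }
    }
}

# Equivalent for ipsec.conf (config setup section), if logging is
# configured there instead of in strongswan.conf:
#
# config setup
#     charondebug="knl 2, ike 2"
```

After reloading charon, the log should show each address add/remove the kernel reports and the daemon's reaction to it (for example, the MOBIKE address update of a tunnel that was bound to the removed floating address), which is what to inspect before deciding whether a restart is needed at all.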