[strongSwan] Restarting ipsec on the left requires restart on the right

Andreas Ntaflos daff at pseudoterminal.org
Tue Feb 14 23:56:51 CET 2012


Hi,

I observed this on a pretty vanilla tunnel setup between two servers,
using Ubuntu 10.04/StrongSwan 4.3.2 on the left and Ubuntu
11.10/StrongSwan 4.5.2 on the right, with IKEv1.

Issuing an "ipsec restart" on the left end of the tunnel seems to kill
the connection and it won't come back until I issue an "ipsec restart"
on the right end as well. Maybe noteworthy: the right server
continuously pings a host in the subnet behind the left tunnel. After
restarting ipsec on the right the connection works again.

This is obviously not practical. It seems the right server is not aware
that the connection has been interrupted. How do I make it aware?

It may also be noteworthy that restarting the *right* server does not
result in the same problem. In this case the connection is interrupted
only for the time it takes "ipsec restart" on the right to complete. Is
this behaviour because of the different StrongSwan versions used?

Here is what "ipsec status" says on the left after the restart:

"left-right":
10.0.0.0/16===10.0.7.47[@left]---10.0.7.1...aa.bb.cc.dd[@right]===192.168.0.0/24;
unrouted; eroute owner: #0
"left-right":   newest ISAKMP SA: #0; newest IPsec SA: #0;

#1: "rz02-daff" STATE_MAIN_I1 (sent MI1, expecting MR1);
EVENT_RETRANSMIT in 37s
#1: pending Phase 2 for "left-right" replacing #0

Here is what "ipsec status" says on the right after the restart:

#3: "right-left" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE
in 2577s
#3: "right-left" esp.ce0a8fe7 at xx.yy.zz.aa (420 bytes)
esp.c1425857 at 192.168.0.20 (420 bytes); tunnel
#2: "right-left" STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
EVENT_SA_REPLACE in 27777s
#4: "right-left" STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 2100s; newest IPSEC; eroute owner
#4: "right-left" esp.1efae42f at xx.yy.zz.aa (53256 bytes, 0s ago)
esp.c6a68d8a at 192.168.0.20 (8820 bytes, 533s ago); tunnel
#1: "right-left" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE
in 27059s; newest ISAKMP

Here is the connection definition on the left (looks identical on the
right, except for left/rightid, left/rightsubnet and remote IPSec gateway):

conn left-right
    type            = tunnel
    left            = %defaultroute
    leftid          = @left
    leftsubnet      = 10.0.0.0/16
    rightid         = @right
    rightsubnet     = 192.168.0.0/24
    right           = aa.bb.cc.dd
    auth            = esp
    pfs             = yes
    pfsgroup        = modp1024
    compress        = no
    esp             = aes128-sha1!
    ike             = aes128-sha1-modp1024!
    ikelifetime     = 28800s
    keylife         = 3600s
    keyingtries     = %forever
    keyexchange     = ikev1
    authby          = psk
    auto            = start

Any ideas? Any more info I can provide?

Thanks,

Andreas
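
As an added example (not part of this post and not strongSwan's own code), a small Python parser for the pluto-style `ipsec status` output quoted above, usable as a health check on either gateway: it reports a tunnel with no IPsec SA owning the eroute, and it flags the right-hand picture after the left restart, where the active SA keeps sending but the inbound counter has gone idle. It assumes pluto prints the peer-side esp entry before the local-side one, and the `idle_limit` threshold is a made-up value.

```python
import re

# Constructed sample: the right-hand gateway's "ipsec status" from the post, one line per SA.
RIGHT_STATUS = """\
#3: "right-left" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2577s
#3: "right-left" esp.ce0a8fe7 at xx.yy.zz.aa (420 bytes) esp.c1425857 at 192.168.0.20 (420 bytes); tunnel
#2: "right-left" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27777s
#4: "right-left" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2100s; newest IPSEC; eroute owner
#4: "right-left" esp.1efae42f at xx.yy.zz.aa (53256 bytes, 0s ago) esp.c6a68d8a at 192.168.0.20 (8820 bytes, 533s ago); tunnel
#1: "right-left" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27059s; newest ISAKMP
"""
# Constructed sample: the left-hand gateway after its own "ipsec restart".
LEFT_STATUS = """\
"left-right":   newest ISAKMP SA: #0; newest IPsec SA: #0;
#1: "left-right" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 37s
#1: pending Phase 2 for "left-right" replacing #0
"""

STATE_RE = re.compile(r'^#(\d+): "([^"]+)" (STATE_\w+) \(([^)]*)\);(.*)$')
# Real output reads "esp.<spi>@<addr>"; the list archive rendered "@" as " at ", so accept both.
ESP_RE = re.compile(r'esp\.([0-9a-f]+)(?:@| at )(\S+) \((\d+) bytes(?:, (\d+)s ago)?\)')

def parse_status(text):
    """Map SA number -> dict of state, flags and per-direction traffic counters."""
    sas = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            num, conn, state, detail, flags = m.groups()
            sas.setdefault(int(num), {}).update(
                conn=conn, state=state, established="SA established" in detail,
                eroute_owner="eroute owner" in flags)
        elif line.startswith("#") and " esp." in line:
            spis = ESP_RE.findall(line)  # pluto lists the peer-side (outbound) SPI first
            if len(spis) == 2:
                (_, _, out_b, out_age), (_, _, in_b, in_age) = spis
                sas.setdefault(int(line[1:line.index(":")]), {}).update(
                    out_bytes=int(out_b), in_bytes=int(in_b),
                    out_age=int(out_age) if out_age else None, in_age=int(in_age) if in_age else None)
    return sas

def check_tunnel(text, idle_limit=300):
    """Findings: no usable IPsec SA, or traffic leaving with nothing coming back."""
    owners = [sa for sa in parse_status(text).values() if sa.get("eroute_owner")]
    if not owners:
        return ["no IPsec SA owns the eroute: tunnel is down"]
    # Outbound counter fresh but inbound silent: the peer has probably dropped
    # its state (e.g. after an "ipsec restart") while we still hold the SA.
    return [f"{sa['conn']}: sent recently, nothing received for {sa['in_age']}s"
            for sa in owners if sa.get("out_age") is not None and sa.get("in_age") is not None
            and sa["out_age"] < idle_limit <= sa["in_age"]]
```

Feed it the live output of `ipsec status` on each gateway; the right side reports the idle inbound counter while the left reports no eroute owner at all.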
