[strongSwan] MOBIKE switching bug in gateway with two external interfaces

Simon Chan simon.chan3 at yahoo.ca
Thu Mar 8 19:12:19 CET 2012

Dear list:

Our customer running strongSwan 4.6.1 wants to set up two external interfaces on their VPN gateway, one for cellular and one for Wi-Fi.

They reported that the road warriors can only switch once. Subsequent attempts to switch back to the initially connected interface won't work.

We find that the IP address initially used to set up the tunnel is not stored in the "MOBIKE additional addresses list". It is accessible from the Security Association. However, after a MOBIKE switch, the SA is updated with the new IP address, and the initial IP address is lost.

To verify this theory, we made the following change in ike_mobike.c:
    if (first)
    {   /* an ADDITIONAL_*_ADDRESS means replace, so flush once */
        first = FALSE;

        /* Added code to seed the peer IP address of the SA into the additional_address list */
        host = this->ike_sa->get_other_host(this->ike_sa);
        host = host->clone(host);
        this->ike_sa->add_additional_address(this->ike_sa, host);
After applying this change to a road warrior, it can switch back and forth between the two interfaces.

1. Is there a reason why the peer IP address in the Security Association is not stored in the additional_address list?
2. Can anyone see potential problems with the code change above? Not sure if there may be situations where ike_sa->get_other_host() does not return the correct gateway address. The change tested OK in our lab though.
3. Another possibility is to change the gateway side to include "me" in the MOBIKE additional addresses. It is easier to upgrade one host than to upgrade a fleet of 800 trucks. Similar to question 1, is there a reason that "me" must be excluded from the MOBIKE additional addresses?

Thanks in advance for help.
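The following is an added illustration, not strongSwan code and not the poster's patch: a deliberately simplified C model of the address bookkeeping the message describes. The SA keeps the peer address currently in use plus a separately stored "additional addresses" list with replace semantics, a switch is only attempted to an address the SA knows, and a successful switch overwrites the current peer address. The function and type names (model_sa_t, sa_process_additional, sa_switch_to, run_scenario) and the gateway addresses (TEST-NET-1 values) are constructed for the example; strongSwan's real ike_sa_t and host_t handling is more involved than this.

```c
/* Added example: simplified model of MOBIKE peer-address bookkeeping.
 * Not strongSwan code; names and addresses are constructed. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_ADDRS 8
#define ADDR_LEN  32

/* The road warrior's view of the gateway (the "other" peer of the IKE_SA). */
typedef struct {
    char other_host[ADDR_LEN];             /* peer address the tunnel currently uses */
    char additional[MAX_ADDRS][ADDR_LEN];  /* "MOBIKE additional addresses list" */
    int  n_additional;
} model_sa_t;

static void sa_init(model_sa_t *sa, const char *other)
{
    memset(sa, 0, sizeof(*sa));
    strncpy(sa->other_host, other, ADDR_LEN - 1);
}

/* True if addr is the current peer address or in the additional list. */
static bool sa_knows(const model_sa_t *sa, const char *addr)
{
    if (strcmp(sa->other_host, addr) == 0)
        return true;
    for (int i = 0; i < sa->n_additional; i++)
        if (strcmp(sa->additional[i], addr) == 0)
            return true;
    return false;
}

static void sa_add_additional(model_sa_t *sa, const char *addr)
{
    if (sa->n_additional < MAX_ADDRS)
        strncpy(sa->additional[sa->n_additional++], addr, ADDR_LEN - 1);
}

/* Process an ADDITIONAL_*_ADDRESS notify set with replace semantics:
 * flush once, then add. seed_current models the post's patch, which copies
 * the peer address currently in the SA into the list before the notified
 * addresses are added. */
static void sa_process_additional(model_sa_t *sa, const char *const *addrs,
                                  int n, bool seed_current)
{
    sa->n_additional = 0;                       /* flush (replace semantics) */
    if (seed_current)
        sa_add_additional(sa, sa->other_host);  /* the seeding from the post */
    for (int i = 0; i < n; i++)
        sa_add_additional(sa, addrs[i]);
}

/* A switch is only attempted to an address the SA knows about. On success
 * other_host is overwritten, which is how the original address gets lost. */
static bool sa_switch_to(model_sa_t *sa, const char *addr)
{
    if (!sa_knows(sa, addr))
        return false;
    strncpy(sa->other_host, addr, ADDR_LEN - 1);
    return true;
}

/* Gateway with two external interfaces; the road warrior first connects to
 * gw_cell. The gateway's notify excludes "me", so it lists only gw_wifi.
 * Returns how many of the two switch attempts (out and back) succeed. */
static int run_scenario(bool seed_current)
{
    const char *gw_cell = "192.0.2.1";   /* constructed, TEST-NET-1 */
    const char *gw_wifi = "192.0.2.2";   /* constructed, TEST-NET-1 */
    const char *notified[] = { gw_wifi };
    model_sa_t sa;
    int ok = 0;

    sa_init(&sa, gw_cell);
    sa_process_additional(&sa, notified, 1, seed_current);
    ok += sa_switch_to(&sa, gw_wifi);    /* first switch: cellular -> Wi-Fi */
    ok += sa_switch_to(&sa, gw_cell);    /* switch back: Wi-Fi -> cellular */
    return ok;
}

int main(void)
{
    printf("without seeding: %d of 2 switches succeed\n", run_scenario(false));
    printf("with seeding:    %d of 2 switches succeed\n", run_scenario(true));
    return 0;
}
```

Without seeding, the model reproduces the reported behaviour: after the first switch the SA holds only the Wi-Fi address (current peer and the one list entry), so the cellular address is unknown and the switch back is refused. Seeding the current peer address before the notified ones makes both addresses known regardless of which one is current, which is the same effect the gateway-side option in question 3 (including "me" in the notify) would have.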