[strongSwan] MOBIKE and routing table 220

Anton warm at stack.ru
Tue May 1 08:47:22 CEST 2012 

Good day.

Seems that charon does not change table 220 correctly when default route is changed or does it correct not every time.
My scheme is:

rw-psk(virtual ip)====ipsec-gw---subnet1 and subnet2

rw-psk ipsec.conf:

conn wasp-psk
        left=%any
        leftsourceip=%cfg
        leftid=@warm
        leftauth=psk
        right=217.X.X.2
        rightid=@wasp
        rightsubnet=217.X.X.X/27,217.X.X.Y/32
        rightauth=psk
        mobike=yes
        forceencaps=yes
        keyexchange=ikev2
        dpddelay=10s
        dpdtimeout=15s
        keyingtries=%forever
        dpdaction=restart
        auto=start


ipsec-gw ipsec.conf:

conn warm-psk
        leftauth=psk
        leftid=@wasp
        leftsubnet=217.X.X.X/27,217.X.X.Y/32
        right=%any
        rightid=@warm
        rightsourceip=192.168.34.1
        rightauth=psk
        forceencaps=yes
        mobike=yes
        keyexchange=ikev2
        dpdaction=clear
        dpddelay=10s
        dpdtimeout=10s
        auto=add

After "ipsec start" routing table 220 contains:

[root at warm etc]# ip r sh table 220
217.X.X.X/27 via 192.168.2.1 dev eth0  proto static  src 192.168.34.1 
217.X.X.Y via 192.168.2.1 dev eth0  proto static  src 192.168.34.1 

192.168.2.1 is my home router. Next I'm trying to reproduce fail of my adsl connection and I'm manually switching to
3g (in future it will be done automatically). I have ppp0 which is 3g MTS connection:

[root at warm etc]# ip a sh dev ppp0
4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp 
    inet 10.97.43.4 peer 10.0.0.1/32 scope global ppp0

[root at warm etc]# ip r f c ; ip r replace default dev ppp0 ; ip r f c
[root at warm etc]# ip r sh table 220
217.X.X.Y via 217.X.X.2 dev ppp0  proto static  src 192.168.34.1 
[root at warm etc]#

So the first net 217.X.X.X/27 is disappeared. I did this several times and only once I got correct table 220 when
replaced default gateway - there were two my subnets. Log entries when replacing default gateway look like this:

May  1 13:10:25 localhost charon: 08[IKE] checking path 10.97.43.4[4500] - 10.0.0.1[4500]
May  1 13:10:25 localhost charon: 08[NET] sending packet: from 10.97.43.4[4500] to 10.0.0.1[4500]
May  1 13:10:25 localhost charon: 11[NET] received packet: from 217.X.X.2[4500] to 192.168.2.2[4500]
May  1 13:10:25 localhost charon: 11[ENC] parsed INFORMATIONAL response 22 [ ]
May  1 13:10:25 localhost charon: 11[KNL] received netlink error: No such process (3)
May  1 13:10:25 localhost charon: 11[KNL] error uninstalling route installed with policy 217.X.X.X/27 === 192.168.34
.1/32 fwd
May  1 13:10:25 localhost charon: 11[KNL] received netlink error: No such process (3)
May  1 13:10:25 localhost charon: 11[KNL] unable to install source route for 192.168.34.1
May  1 13:10:25 localhost charon: 11[KNL] received netlink error: No such process (3)
May  1 13:10:25 localhost charon: 11[KNL] error uninstalling route installed with policy 217.X.X.Y/32 === 192.168.34
.1/32 fwd
May  1 13:10:25 localhost charon: 11[KNL] received netlink error: No such process (3)
May  1 13:10:25 localhost charon: 11[KNL] unable to install source route for 192.168.34.1
May  1 13:10:25 localhost charon: 11[ENC] generating INFORMATIONAL request 23 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP)
 N(COOKIE2) ]

If I add missing route to table 220 all works.

Any ideas ?

May be I should use only one leftsubnet ? Seems works but it is not a complete solution for me, I need several subnets
on left side.


-- 
Anton [WARM-RIPE]
Stack ltd division head
tel. 8 (3822) 555-797

More information about the Users mailing list