[strongSwan] Abrupt disappearance of SADs.

Guru Shetty gurushettylists at gmail.com
Sun Oct 7 09:22:40 CEST 2012


Hello All,
I am using strongSwan 4.6.4 and the issue is reproducible every time.

I have a 3 node setup - Moon, Sun and Earth in a host-host setting.
All 3 of them are in the same network.

Moon has 2 connections. One is to Sun. The other is to Earth. (Earth
and Sun are not connected to each other through IPsec.)

Moon--------------Earth
|
|----------------------Sun

The initial state is that all connections are up and running. Now I do
the following:

1) From Sun, do a "ipsec down ${connection_name}"
  - As expected, Moon and Sun lose the SADs that establish their
relationship. "ipsec statusall" does not show the connection between
them.
  - As expected, Moon and Earth have the connection between them up and running.

2) From Sun, do a "ipsec up ${connection_name}"
  - As expected, Moon and Sun re-establish their connections.
  - BUT, the SADs in Moon that establish the relationship to Earth
disappear. Sometimes, just a one-way SAD is seen in "Larval" state.
"ipsec statusall" does not show any established IKE/ESP to Earth.
  - On Earth's side, if I do an "ipsec statusall" everything is
established. The SAD entries are all present. Earth just does not know
that the other side is down.

3) The way out is to do an "ipsec reload" in Moon. But in a live
environment, this is not a workable solution.

My ipsec.conf for Moon (please note that I have installpolicy=no):

config setup
    nat_traversal=no
    charonstart=yes
    plutostart=no
    #uniqueids=no

conn %default
        keyingtries=%forever
        #dpdaction=restart
        #closeaction=restart
        type=transport
        installpolicy=no
        keyexchange=ikev2
        auto=start
        ike=aes-sha1-modp1024,aes-md5-modp1024
        esp=aes-sha1-modp1024

conn remote-192.168.0.2 #This is the connection to Sun
        reqid=1
        left=192.168.0.1
        leftcert=/etc/openvswitch/ovsclient-cert.pem
        right=192.168.0.2
        rightcert=/etc/ipsec.d/certs/ovs-192.168.0.2.pem

conn remote-192.168.0.3 #This is the connection to Earth.
        reqid=2
        left=192.168.0.1
        leftcert=/etc/openvswitch/ovsclient-cert.pem
        right=192.168.0.3
        rightcert=/etc/ipsec.d/certs/ovs-192.168.0.3.pem

Both Sun and Earth have the same ipsec.conf parameters (they have only
one connection instead of 2; they both point to Moon).

Do any of you see anything stupid here?

Thanks,
Guru
