[strongSwan] Abrupt disappearance of SADs.

Guru Shetty gurushettylists at gmail.com
Sun Oct 7 10:25:41 CEST 2012


Just to add to the above question, does Strongswan get confused if all
Moon, Earth and Sun have the same "req_distinguished_name" in their
certificates?

Ex: Sun, Moon and Earth have: C=US, ST=CA, L=Palo Alto, O=Open
vSwitch, OU=Open vSwitch certifier, CN=Open vSwitch certificate for
ovsclient.

I do not seem to see the reported issue if I change the "O=" value and
keep it unique.

Thanks,
Guru

On 7 October 2012 00:22, Guru Shetty <gurushettylists at gmail.com> wrote:
> Hello All,
>  I am using Strongswan 4.6.4 and the issue is reproducible every time.
>
> I have a 3 node setup - Moon, Sun and Earth in a host-host setting.
> All 3 of them are in the same network.
>
> Moon has 2 connections. One is to Sun. The other is to Earth. (Earth
> and Sun are not connected to each other through IPSEC.)
>
> Moon--------------Earth
> |
> |----------------------Sun
>
> The initial state is that all connections are up and running. Now I do
> the following:
>
> 1) From Sun, do a "ipsec down ${connection_name}"
>   - As expected, Moon and Sun lose the SADs that establish their
> relationship. "ipsec statusall" does not show the connection between
> them.
>   - As expected, Moon and Earth have the connection between them up and running.
>
> 2) From Sun, do a "ipsec up ${connection_name}"
>   - As expected, Moon and Sun re-establish their connections.
>   - BUT, the SADs in Moon that establish the relationship to Earth
> disappear. Sometimes, just one one-way SAD is seen in "Larval" state.
> "ipsec statusall" does not show any established IKE/ESP to Earth.
>   - On Earth's side, if I do a "ipsec statusall" everything is
> established. The SAD entries are all present. Earth just does not know
> that the other side is down.
>
> 3) The way out is to do a "ipsec reload" in moon. But in a live
> environment, this is not a workable solution.
>
> My ipsec.conf for Moon (Please note that my installpolicy=no.):
>
> config setup
>     nat_traversal=no
>     charonstart=yes
>     plutostart=no
>     #uniqueids=no
>
> conn %default
>         keyingtries=%forever
>         #dpdaction=restart
>         #closeaction=restart
>         type=transport
>         installpolicy=no
>         keyexchange=ikev2
>         auto=start
>         ike=aes-sha1-modp1024,aes-md5-modp1024
>         esp=aes-sha1-modp1024
>
> conn remote-192.168.0.2 #This is connection to Sun
>         reqid=1
>         left=192.168.0.1
>         leftcert=/etc/openvswitch/ovsclient-cert.pem
>         right=192.168.0.2
>         rightcert=/etc/ipsec.d/certs/ovs-192.168.0.2.pem
>
> conn remote-192.168.0.3 #This is connection to Earth.
>         reqid=2
>         left=192.168.0.1
>         leftcert=/etc/openvswitch/ovsclient-cert.pem
>         right=192.168.0.3
>         rightcert=/etc/ipsec.d/certs/ovs-192.168.0.3.pem
>
> Both Sun and Earth have the same ipsec.conf parameters (They have only
> one connection instead of 2. They both point to Moon).
>
> Do any of you see anything stupid here?
>
> Thanks,
> Guru
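A config check for the question above (identical certificate DNs on Sun, Moon and Earth) that is not part of the thread: it parses Moon's posted ipsec.conf, derives the IKE identity pair charon will use for each conn (leftid/rightid if set, otherwise the certificate subject), and reports identity pairs shared by more than one conn together with the effective `uniqueids` setting, whose default of `yes` makes a new IKE_SA for an identity pair replace the existing one. The certificate subjects are a constructed stand-in for what `openssl x509 -noout -subject` would print.

```python
from collections import defaultdict
# Constructed stand-in for `openssl x509 -noout -subject -in <cert>`: in the
# thread every certificate carries this same DN.
SAME_DN = ("C=US, ST=CA, L=Palo Alto, O=Open vSwitch, OU=Open vSwitch certifier, "
           "CN=Open vSwitch certificate for ovsclient")
CERT_SUBJECTS = dict.fromkeys(["/etc/openvswitch/ovsclient-cert.pem",
    "/etc/ipsec.d/certs/ovs-192.168.0.2.pem", "/etc/ipsec.d/certs/ovs-192.168.0.3.pem"], SAME_DN)
# Moon's ipsec.conf as posted, trimmed to the keys that matter here.
MOON_CONF = """\
config setup
    #uniqueids=no
conn remote-192.168.0.2 #This is connection to Sun
        leftcert=/etc/openvswitch/ovsclient-cert.pem
        right=192.168.0.2
        rightcert=/etc/ipsec.d/certs/ovs-192.168.0.2.pem
conn remote-192.168.0.3 #This is connection to Earth.
        leftcert=/etc/openvswitch/ovsclient-cert.pem
        right=192.168.0.3
        rightcert=/etc/ipsec.d/certs/ovs-192.168.0.3.pem
"""

def parse_ipsec_conf(text):
    """Return (config setup options, {conn name: options}) from ipsec.conf text."""
    setup, conns, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments dropped: '#uniqueids=no' stays unset
        if not line:
            continue
        if line == "config setup":
            section = setup
        elif line.startswith("conn "):
            section = conns.setdefault(line.split()[1], {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    return setup, conns

def find_identity_collisions(text, subjects):
    """Return (uniqueids value, {(own id, peer id): [conns]}) for identity pairs used by
    more than one conn; without leftid/rightid charon takes the id from the cert subject."""
    setup, conns = parse_ipsec_conf(text)
    by_pair = defaultdict(list)
    for name, opts in conns.items():
        if name == "%default":
            continue
        own = opts.get("leftid") or subjects.get(opts.get("leftcert"), opts.get("left"))
        peer = opts.get("rightid") or subjects.get(opts.get("rightcert"), opts.get("right"))
        by_pair[(own, peer)].append(name)
    return setup.get("uniqueids", "yes"), {p: n for p, n in by_pair.items() if len(n) > 1}
```

Running it on the posted config reports `uniqueids` as `yes` (the commented-out line does not count) and both conns sharing the same (own, peer) identity pair, which is the condition under which charon replaces the older IKE_SA; giving each peer a distinct subject, as the follow-up post found, makes the collision disappear.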
