[strongSwan] Abrupt disappearance of SADs.
Andreas Steffen
andreas.steffen at strongswan.org
Sun Oct 7 10:35:04 CEST 2012
Yes, the identities of the peer must be unique, at least with the
default setting "uniqueids=yes". If you want stability and robustness
we strongly recommend generating certificates with a unique subject DN
for each of your peers.
Regards
Andreas
On 10/07/2012 10:25 AM, Guru Shetty wrote:
> Just to add to the above question, does Strongswan get confused if all
> Moon, Earth and Sun have the same "req_distinguished_name" in their
> certificates?
>
> Ex: Sun, Moon and Earth have: C=US, ST=CA, L=Palo Alto, O=Open
> vSwitch, OU=Open vSwitch certifier, CN=Open vSwitch certificate for
> ovsclient.
>
> I do not seem to see the reported issue if I change the "O=" value and
> keep it unique.
>
> Thanks,
> Guru
>
> On 7 October 2012 00:22, Guru Shetty <gurushettylists at gmail.com> wrote:
>> Hello All,
>> I am using Strongswan 4.6.4 and the issue is reproducible every time.
>>
>> I have a 3 node setup - Moon, Sun and Earth in a host-host setting.
>> All 3 of them are in the same network.
>>
>> Moon has 2 connections. One is to Sun. The other is to Earth. (Earth
>> and Sun are not connected to each other through IPSEC.)
>>
>> Moon--------------Earth
>> |
>> |----------------------Sun
>>
>> The initial state is that all connections are up and running. Now I do
>> the following:
>>
>> 1) From Sun, do a "ipsec down ${connection_name}"
>> - As expected, Moon and Sun lose the SADs that establish their
>> relationship. "ipsec statusall" does not show the connection between
>> them.
>> - As expected, Moon and Earth have the connection between them up and running.
>>
>> 2) From Sun, do a "ipsec up ${connection_name}"
>> - As expected, Moon and Sun re-establish their connections.
>> - BUT the SADs in Moon that establish the relationship to Earth
>> disappear. Sometimes just a one-way SAD is seen in "larval" state.
>> "ipsec statusall" does not show any established IKE/ESP to Earth.
>> - On Earth's side, if I do a "ipsec statusall" everything is
>> established. The SAD entries are all present. Earth just does not know
>> that the other side is down.
>>
>> 3) The way out is to do a "ipsec reload" in Moon. But in a live
>> environment, this is not a workable solution.
>>
>> My ipsec.conf for Moon (please note that I have installpolicy=no):
>>
>> config setup
>>         nat_traversal=no
>>         charonstart=yes
>>         plutostart=no
>>         #uniqueids=no
>>
>> conn %default
>>         keyingtries=%forever
>>         #dpdaction=restart
>>         #closeaction=restart
>>         type=transport
>>         installpolicy=no
>>         keyexchange=ikev2
>>         auto=start
>>         ike=aes-sha1-modp1024,aes-md5-modp1024
>>         esp=aes-sha1-modp1024
>>
>> # This is the connection to Sun
>> conn remote-192.168.0.2
>>         reqid=1
>>         left=192.168.0.1
>>         leftcert=/etc/openvswitch/ovsclient-cert.pem
>>         right=192.168.0.2
>>         rightcert=/etc/ipsec.d/certs/ovs-192.168.0.2.pem
>>
>> # This is the connection to Earth
>> conn remote-192.168.0.3
>>         reqid=2
>>         left=192.168.0.1
>>         leftcert=/etc/openvswitch/ovsclient-cert.pem
>>         right=192.168.0.3
>>         rightcert=/etc/ipsec.d/certs/ovs-192.168.0.3.pem
>>
>> Both Sun and Earth have the same ipsec.conf parameters (They have only
>> one connection instead of 2. They both point to Moon).
>>
>> Do any of you see anything stupid here?
>>
>> Thanks,
>> Guru
>
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
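The behaviour in the thread follows from how strongSwan identifies peers: when certificates are used and no leftid/rightid is configured, the IKE identity is the certificate's subject DN, and with the default uniqueids=yes a new IKE_SA from an identity that already has one replaces the existing IKE_SA for that identity. Sun and Earth presenting the same DN to Moon therefore look to Moon like one peer reconnecting, so Sun's "ipsec up" tears down the SAs to Earth. The script below is an added example, not code from the thread or from the strongSwan project. It builds a distinct subject DN per peer (same organisation fields, unique CN), refuses to continue if two peers would collide, generates self-signed certificates with openssl (assumed installed; pinned per peer with leftcert/rightcert as in the original setup, so no CA is involved), and prints a Moon ipsec.conf that additionally pins each connection to the expected DN with leftid/rightid. Hostnames, addresses, certificate paths and DN components are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from strongSwan): give each peer a
# distinct certificate subject DN and pin it with leftid/rightid on Moon.
# Peer names (moon, sun, earth), addresses, paths and DN fields are
# assumptions based on the setup described in the thread.
set -eu

BASE_DN="/C=US/ST=CA/L=Palo Alto/O=Open vSwitch/OU=Open vSwitch certifier"

# Subject DN for one peer: shared organisation fields, unique CN.
# The thread's certificates used the same CN for every host.
peer_subject() {
    printf '%s/CN=%s\n' "$BASE_DN" "$1"
}

# Same DN in the comma-separated form strongSwan uses for leftid/rightid.
peer_id() {
    peer_subject "$1" | sed -e 's#^/##' -e 's#/#, #g'
}

# Return 0 if every peer name maps to a distinct subject DN, 1 otherwise.
# With uniqueids=yes a duplicate DN makes strongSwan treat a second peer
# as a re-connection of the first and replace its IKE_SA.
unique_subjects() {
    dups=$(for p in "$@"; do peer_subject "$p"; done | sort | uniq -d)
    [ -z "$dups" ]
}

# Self-signed certificate and key for one peer (openssl assumed present).
# Each peer's certificate is pinned with leftcert/rightcert, as in the
# original configuration, so no shared CA is needed here.
gen_peer_cert() {
    name=$1; dir=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "$(peer_subject "$name")" \
        -keyout "$dir/$name-key.pem" -out "$dir/$name-cert.pem" 2>/dev/null
}

# Moon's ipsec.conf: uniqueids stays at its default (yes) and every
# connection additionally requires the peer's own DN as its identity.
moon_conf() {
    cat <<EOF
config setup
        charonstart=yes
        plutostart=no
        uniqueids=yes

conn %default
        keyexchange=ikev2
        type=transport
        installpolicy=no
        keyingtries=%forever
        auto=start
        left=192.168.0.1
        leftcert=/etc/ipsec.d/certs/moon-cert.pem
        leftid="$(peer_id moon)"

conn remote-192.168.0.2
        right=192.168.0.2
        rightcert=/etc/ipsec.d/certs/sun-cert.pem
        rightid="$(peer_id sun)"

conn remote-192.168.0.3
        right=192.168.0.3
        rightcert=/etc/ipsec.d/certs/earth-cert.pem
        rightid="$(peer_id earth)"
EOF
}

# Refuse to proceed if the planned subjects collide (same CN used twice).
unique_subjects moon sun earth

if command -v openssl >/dev/null 2>&1; then
    outdir=$(mktemp -d)
    for peer in moon sun earth; do gen_peer_cert "$peer" "$outdir"; done
    # Show the DN that strongSwan will use as each peer's identity.
    for peer in moon sun earth; do
        openssl x509 -noout -subject -in "$outdir/$peer-cert.pem"
    done
fi

moon_conf
```

Sun and Earth get the mirror-image configuration with a single conn pointing at Moon and rightid set to Moon's DN. Pinning rightid is what turns the DN uniqueness into an enforced check: a peer presenting the wrong DN fails authentication instead of silently replacing another peer's IKE_SA.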