[strongSwan] ipsec update issue
yordanos beyene
yordanosb at gmail.com
Tue Feb 12 06:29:15 CET 2013
Hi SS team,
When I make changes to the traffic selector of an IPsec connection that
uses "auto=route", "ipsec update" fails to update IPsec policies in the
kernel. The only way I can get around this issue is by using "ipsec
unroute", followed by "ipsec update".
I am using strongswan 5.0.1. Is this a bug? Any fix?
ipsec.conf:
conn site2site
    keyexchange=ikev1
    left=172.16.20.2
    right=172.16.20.3
    leftsubnet=172.16.40.0/24
    rightsubnet=172.16.50.0/24
    leftid=172.16.20.2
    rightid=172.16.20.3
    type=tunnel
    ike=aes128-sha1-modp1536!
    esp=aes128-sha1!
    ikelifetime=86400s
    keylife=3600s
    leftauth=secret
    rightauth=secret
    auto=route
ipsec status
Connections:
site2site: 172.16.20.2...172.16.20.3 IKEv1
site2site: local: [172.16.20.2] uses pre-shared key authentication
site2site: remote: [172.16.20.3] uses pre-shared key authentication
site2site: child: 172.16.40.0/24 === 172.16.50.0/24 TUNNEL
Routed Connections:
site2site{1}: ROUTED, TUNNEL
site2site{1}: 172.16.40.0/24 === 172.16.50.0/24
Security Associations (0 up, 0 connecting):
none
left/rightsubnet updated:
conn site2site
    keyexchange=ikev1
    left=172.16.20.2
    right=172.16.20.3
    leftsubnet=172.16.70.0/24
    rightsubnet=172.16.80.0/24
    leftid=172.16.20.2
    rightid=172.16.20.3
    type=tunnel
    ike=aes128-sha1-modp1536!
    esp=aes128-sha1!
    ikelifetime=86400s
    keylife=3600s
    leftauth=secret
    rightauth=secret
    auto=route
ipsec update followed by ipsec statusall
.....
Connections:
site2site: 172.16.20.2...172.16.20.3 IKEv1
site2site: local: [172.16.20.2] uses pre-shared key authentication
site2site: remote: [172.16.20.3] uses pre-shared key authentication
site2site: child: 172.16.70.0/24 === 172.16.80.0/24 TUNNEL
Routed Connections:
site2site{1}: ROUTED, TUNNEL
site2site{1}: 172.16.40.0/24 === 172.16.50.0/24
Security Associations (0 up, 0 connecting):
Thanks!
Jordan.
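A check for the condition reported above, as an added example that is not part of the original post and is not strongSwan code: it parses "ipsec statusall" output and reports routed connections whose installed traffic selectors differ from the loaded configuration. The function names are hypothetical, and the parser assumes the output layout shown in the post.

```python
import re

# "ipsec statusall" output after "ipsec update", copied from the post above.
SAMPLE = """\
Connections:
site2site: 172.16.20.2...172.16.20.3 IKEv1
site2site: local: [172.16.20.2] uses pre-shared key authentication
site2site: remote: [172.16.20.3] uses pre-shared key authentication
site2site: child: 172.16.70.0/24 === 172.16.80.0/24 TUNNEL
Routed Connections:
site2site{1}: ROUTED, TUNNEL
site2site{1}: 172.16.40.0/24 === 172.16.50.0/24
Security Associations (0 up, 0 connecting):
"""

# A traffic selector token: "dynamic" or an address/prefix (IPv4 or IPv6).
SELECTOR = re.compile(r"(?:dynamic|[0-9A-Fa-f.:]+/\d+)")

def _selectors(text):
    """Return (local, remote) selector tuples from 'A B === C D MODE' text."""
    local, remote = text.split("===", 1)
    pick = lambda side: tuple(sorted(t for t in side.split() if SELECTOR.match(t)))
    return pick(local), pick(remote)

def stale_routes(status):
    """Map connection name -> (configured, installed) where the two differ."""
    section, configured, installed = None, {}, {}
    for line in status.splitlines():
        line = line.strip()
        if line.startswith("Connections:"):
            section = "conn"
        elif line.startswith("Routed Connections:"):
            section = "routed"
        elif line.startswith("Security Associations"):
            section = None
        elif "===" in line and section:
            name, _, rest = line.partition(":")
            if section == "conn" and rest.split()[:1] == ["child:"]:
                configured[name] = _selectors(rest.split("child:", 1)[1])
            elif section == "routed":
                # Routed entries are named "conn{N}"; drop the instance suffix.
                installed[name.split("{")[0]] = _selectors(rest)
    return {n: (configured[n], ts) for n, ts in installed.items()
            if n in configured and configured[n] != ts}

if __name__ == "__main__":
    for name, (cfg, kern) in stale_routes(SAMPLE).items():
        print(f"{name}: configured {cfg} but routed policy is {kern}")
```

Run against live output after each "ipsec update", a non-empty result means the trap policies in the kernel still cover the old subnets.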