[strongSwan] client network change drops VPN
Tobias Brunner
tobias at strongswan.org
Mon Jul 8 11:48:36 CEST 2013
Hi Jay,
> However, once the VPN is established, if the client changes from one
> network to the other, the VPN connection does not survive. Below is the
> server log which shows a couple of "issues"
>
> 1 -- "UDP_ENCAP: Invalid argument" I'm not sure if that is relevant
This happens when charon tries to enable UDP decapsulation for IPv6.
> 2 -- "[KNL] unable to update SAD entry with SPI c48960bf: address changes
> are not supported" This sounds like an issue but it seems like with MOBIKE
> supported, address changes should be allowed. The Android client's log
> contains the statement:
>
> "[IKE] requesting address change using MOBIKE"
As discussed on the FreeBSD forum [1], resolving this issue properly
would require patching the FreeBSD kernel.
But the gateway should actually try to rekey the CHILD_SA to work around
the above limitation.
Regards,
Tobias
[1] http://forums.freebsd.org/showthread.php?p=225854