[strongSwan] client network change drops VPN

Tobias Brunner tobias at strongswan.org
Mon Jul 8 11:48:36 CEST 2013

Hi Jay,

> However, once the VPN is established, if the client changes from one 
> network to the other, the VPN connection does not survive.  Below is the 
> server log which shows a couple of "issues"
> 1 -- "UDP_ENCAP: Invalid argument" I'm not sure if that is relevant

This happens when charon tries to enable UDP decapsulation for IPv6.

> 2 -- "[KNL] unable to update SAD entry with SPI c48960bf: address changes 
> are not supported" This sounds like an issue but it seems like with MOBIKE 
> supported, address changes should be allowed.  The Android client's log 
> contains the statement:
> "[IKE] requesting address change using MOBIKE"

As discussed on the FreeBSD forum [1], resolving this issue properly
would require patching the FreeBSD kernel.

But the gateway should actually try to rekey the CHILD_SA to work around
the above limitation.


[1] http://forums.freebsd.org/showthread.php?p=225854

