[strongSwan] tunnel failing if another interface present

Frédéric Lamorce FLamorce at CalAmp.com
Tue May 14 22:35:54 CEST 2013


I am using strongswan 4.6.4 on an embedded product running Linux 2.6.27.9.

I never really had a problem using IKEv1, IKEv2, pre-shared key, certificates, etc. But now I face a problem with a customer...

He uses a simple configuration, IKEv1, DES, PSK, net-to-net, pretty standard config.

On our embedded product, the tunnel comes up and works fine, ping works from net to net.

Problem is: on the embedded product, if we enable wifi, a new interface comes up, wlan0, set in either access point or client mode, no other changes.

In this case, the tunnel establishes fine, but after 20 seconds DPD detects something wrong, terminates the tunnel, restarts it, etc., ad nauseam.

If I disable wifi and the wlan0 interface disappears, the tunnel, after a DPD cycle, connects fine and works fine.

The wifi is an ath9k_htc plugged in by USB; it uses compat-wireless. I tried different versions, still the same problem.

I captured packets with tcpdump to analyze with wireshark.

When it works I notice at the end of the exchange (quick mode) that the device sends a next_hash (8) packet of 390 bytes, then it receives 3 next_hash (8) packets 390 bytes long, then the device sends 3 next_hash (8) packets 94 bytes long.

When it does not work, I notice that the device only sends 2 packets of 94 bytes at the end.

I tried the same setup as the customer using an in-house ipsec server, and everything works fine, with or without a wlan0 interface present.

I then tried from my desk with my unit to the customer server and it fails, so it has something to do with *both* the customer server *and* the wlan0 interface being there.

Any clue on what can happen?

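The post compares the two captures by the ISAKMP header fields Wireshark shows (next payload "Hash (8)", Quick Mode, total length 390 or 94 bytes). The script below is an added example, not code from the original post or from strongSwan: it parses the 28-byte ISAKMP header (RFC 2408) out of a UDP/500 or UDP/4500 payload, flags messages whose declared length does not match what was captured, and prints one summary line per message so two captures can be diffed side by side. The sample messages are constructed here and only mirror the sizes reported in the post; their payload bytes are filler, not real IKE data.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ISAKMP header (RFC 2408 section 3.1): 28 bytes, network byte order.
#   initiator cookie (8), responder cookie (8), next payload (1),
#   version (1, major<<4 | minor), exchange type (1), flags (1),
#   message ID (4), total message length (4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
HDR_LEN = ISAKMP_HDR.size  # 28

# Payload type numbers as they appear in the "next payload" field (RFC 2408).
NEXT_PAYLOAD = {
    0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
    7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
}
# Generic ISAKMP exchange types plus the IKEv1 DOI-specific Quick Mode (RFC 2409).
EXCHANGE_TYPE = {2: "Identity Protection (Main Mode)", 4: "Aggressive",
                 5: "Informational", 32: "Quick Mode"}
FLAG_ENCRYPTION = 0x01  # everything after the header is encrypted

# RFC 3948: IKE carried on UDP/4500 is prefixed with a 4-byte zero "non-ESP marker".
NON_ESP_MARKER = b"\x00\x00\x00\x00"


@dataclass
class IsakmpHeader:
    next_payload: int
    exchange_type: int
    flags: int
    message_id: int
    length: int
    declared_matches_captured: bool  # header length == bytes actually on the wire

    def describe(self) -> str:
        enc = " enc" if self.flags & FLAG_ENCRYPTION else ""
        np_name = NEXT_PAYLOAD.get(self.next_payload, "?")
        ex_name = EXCHANGE_TYPE.get(self.exchange_type, "?")
        size_note = "" if self.declared_matches_captured else " (length mismatch!)"
        return f"{ex_name} next={np_name}({self.next_payload}) len={self.length}{enc}{size_note}"


def parse_isakmp(udp_payload: bytes, dst_port: int = 500) -> Optional[IsakmpHeader]:
    """Parse the ISAKMP header of one UDP datagram payload.

    Returns None for datagrams that are not IKEv1 (ESP-in-UDP on 4500, or a
    major version other than 1), so a caller can walk a whole capture.
    """
    data = udp_payload
    if dst_port == 4500:
        if not data.startswith(NON_ESP_MARKER):
            return None  # first 4 bytes are an ESP SPI, not IKE
        data = data[len(NON_ESP_MARKER):]
    if len(data) < HDR_LEN:
        return None
    _icookie, _rcookie, nxt, version, ex, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    if version >> 4 != 1:
        return None  # IKEv2 uses major version 2; this parser is IKEv1 only
    return IsakmpHeader(nxt, ex, flags, msgid, length, length == len(data))


def summarise_exchange(packets: List[Tuple[str, bytes]]) -> List[str]:
    """One line per IKE message from a list of (direction, udp_payload)."""
    lines = []
    for direction, payload in packets:
        hdr = parse_isakmp(payload)
        if hdr is not None:
            lines.append(f"{direction} {hdr.describe()}")
    return lines


def build_isakmp(next_payload: int, exchange_type: int, flags: int,
                 message_id: int, total_len: int) -> bytes:
    """Constructed test message: a valid IKEv1 header followed by opaque filler."""
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, next_payload, 0x10,
                          exchange_type, flags, message_id, total_len)
    return hdr + b"\x00" * (total_len - HDR_LEN)


QM, HASH = 32, 8

# Constructed sample mirroring the sizes in the post: 390-byte encrypted Quick
# Mode messages, then 94-byte follow-ups. Not a real capture.
GOOD_TAIL = [
    ("->", build_isakmp(HASH, QM, FLAG_ENCRYPTION, 0x1001, 390)),
    ("<-", build_isakmp(HASH, QM, FLAG_ENCRYPTION, 0x1001, 390)),
    ("->", build_isakmp(HASH, QM, FLAG_ENCRYPTION, 0x1001, 94)),
]

if __name__ == "__main__":
    for line in summarise_exchange(GOOD_TAIL):
        print(line)
```

To use it on a real capture, feed `parse_isakmp` the UDP payload of each packet (for example via scapy or a pcap reader) together with the destination port; the Quick Mode payloads after the header are encrypted, so this shows only what the header exposes, which is exactly the view the post is working from.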