[strongSwan] up-host not always executed
Vonlanthen, Elmar
Elmar.Vonlanthen at united-security-providers.ch
Tue Nov 11 17:00:07 CET 2014
Hello all
We use the old (pluto-) updown scripts to add or delete GRE tunnels inside VPN tunnels.
/etc/ipsec.conf looks like this:
conn chbet2_aa
        left=10.10.110.1
        leftupdown="sudo /opt/usp/vpn/bin/updown.sh"
        right=10.10.120.1
        ike=aes128-sha1-modp2048
        esp=aes128-sha1-modp2048
        ikelifetime=3h
        keylife=1h
        dpddelay=10
        dpdtimeout=300
        dpdaction=restart
        rekey=yes
        authby=secret
        type=transport
        keyexchange=ikev1
        auto=start
/opt/usp/vpn/bin/updown.sh:
...
up-host:)
        log_syslog "Starting gre tunnel chbet2_aa"
        ip tunnel add chbet2_aa mode any local 10.10.110.1 remote 10.10.120.1 ttl 225 tos inherit
        ip link set chbet2_aa up multicast on mtu 1356
        ip addr add 10.254.10.1 peer 10.254.10.2/32 dev chbet2_aa
        ;;
down-host:)
        log_syslog "Stopping gre tunnel chbet2_aa"
        ip link set chbet2_aa down
        ip tunnel del chbet2_aa
        ;;
...
With Strongswan v4 we don't have any problems. With Strongswan v5 (U5.2.1/K3.14.17-SMP), sometimes when a rekey happens (not sure when exactly) the down-script is executed, but not the up-script.
2014-11-06 02:44:40 chbet1fw01 charon: 09[IKE] <chbet2_aa|79> closing CHILD_SA chbet2_aa{3} with SPIs c9e5d10b_i (0 bytes) c5c00be6_o (216656 bytes) and TS 10.10.110.1 === 10.10.120.1
2014-11-06 02:44:40 chbet1fw01 updown.sh: Stopping gre tunnel chbet2_aa
2014-11-06 02:45:39 chbet1fw01 charon: 12[IKE] <chbet2_aa|79> CHILD_SA chbet2_aa{3} established with SPIs cf6022da_i cf5223e2_o and TS 10.10.110.1 === 10.10.120.1
But in most cases, the up-host commands will be executed!
I think it has something to do with the code here:
src/libcharon/sa/ikev2/tasks/child_create.c:
METHOD(task_t, build_r, status_t,
        private_child_create_t *this, message_t *message)
{
        ...
        if (!this->rekey)
        {       /* invoke the child_up() hook if we are not rekeying */
                charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
        }
        ...
}
Or here:
src/libcharon/sa/ikev1/tasks/quick_mode.c:
static bool install(private_quick_mode_t *this)
{
        ...
        if (old)
        {
                charon->bus->child_rekey(charon->bus, old, this->child_sa);
        }
        else
        {
                charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
        }
        ...
}
We have played with the options "rekey" and "reauth", but it doesn't change anything.
Do you have any idea what the problem might be?
Thank you very much for any help.
Best regards
Elmar
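The post's updown.sh runs `ip tunnel add` on every up-host and `ip tunnel del` on every down-host, so an unmatched down-host (as in the log above) leaves the GRE interface missing until the next up-host, and a repeated up-host would fail on a tunnel that already exists. The handler below is an added example, not the poster's script or strongSwan's own _updown, showing one defensive design: make both directions idempotent by checking the kernel state before acting, and log every verb so an asymmetric hook sequence is visible in syslog. It assumes the PLUTO_VERB, PLUTO_CONNECTION, PLUTO_ME and PLUTO_PEER environment variables that strongSwan passes to updown scripts; the tunnel addresses and MTU are constructed to match the post, and the `IP` variable exists only so the script can be exercised against a stub instead of the real `ip` binary.

```shell
#!/bin/sh
# Idempotent GRE-in-IPsec updown handler (added example, not the original script).
# Assumes strongSwan's PLUTO_VERB / PLUTO_CONNECTION / PLUTO_ME / PLUTO_PEER.
# Tunnel inner addresses and MTU are constructed values taken from the post.

IP=${IP:-ip}                 # command used to talk to the kernel; overridable for testing
TUN_LOCAL_ADDR=10.254.10.1   # constructed: inner address on our side
TUN_PEER_ADDR=10.254.10.2    # constructed: inner address of the peer

log_msg() {
    # Always record what verb we saw, so a down without a matching up shows in the log.
    printf 'updown: %s\n' "$*" >&2
    if command -v logger >/dev/null 2>&1; then logger -t updown "$*" || true; fi
}

tunnel_exists() {
    "$IP" link show dev "$1" >/dev/null 2>&1
}

tunnel_up() {
    name=$1; laddr=$2; raddr=$3
    if tunnel_exists "$name"; then
        log_msg "gre tunnel $name already present, leaving it alone"
        return 0
    fi
    log_msg "starting gre tunnel $name ($laddr -> $raddr)"
    "$IP" tunnel add "$name" mode gre local "$laddr" remote "$raddr" ttl 225 tos inherit &&
    "$IP" link set "$name" up multicast on mtu 1356 &&
    "$IP" addr add "$TUN_LOCAL_ADDR" peer "$TUN_PEER_ADDR/32" dev "$name"
}

tunnel_down() {
    name=$1
    if ! tunnel_exists "$name"; then
        log_msg "gre tunnel $name not present, nothing to stop"
        return 0
    fi
    log_msg "stopping gre tunnel $name"
    "$IP" link set "$name" down &&
    "$IP" tunnel del "$name"
}

handle_updown() {
    # $1 verb, $2 connection name, $3 our address, $4 peer address
    verb=$1; name=$2; laddr=$3; raddr=$4
    case "$verb" in
        up-host|up-client)     tunnel_up "$name" "$laddr" "$raddr" ;;
        down-host|down-client) tunnel_down "$name" ;;
        *)                     log_msg "ignoring verb '$verb' for $name"; return 0 ;;
    esac
}

# Entry point when invoked by charon via leftupdown.
handle_updown "${PLUTO_VERB:-}" "${PLUTO_CONNECTION:-unknown}" "${PLUTO_ME:-}" "${PLUTO_PEER:-}"
```

Because both branches first ask the kernel whether the interface exists, the script can be re-run by hand (or from a periodic check) after a suspected missed up-host without risking an "already exists" failure, and a rekey that only fires down-host leaves a clear "stopping" line with no following "starting" line to search for.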