[strongSwan] 'reauthenticating IKE_SA due to address change' logs observed in Road Warrior configuration setup

Kaur, Sumit (Nokia - IN/Bangalore) sumit.kaur at nokia.com
Thu Sep 24 14:10:34 CEST 2015 

Hi,

In strongswan version 4.3.6, for below client (2 clients) and server configuration :



ipsec status on clients

On doing 'ipsec down r1~v1' , below logs are seen at clients side :

Sep 24 15:05:34.986953 info FZBU-0 charon: 10[KNL] getting address to reach (vr1)90.0.0.1
Sep 24 15:05:34.987122 info FZBU-0 charon: 10[KNL] getting address to reach 23.0.0.1
Sep 24 15:05:34.987324 info FZBU-0 charon: 10[IKE] reauthenticating IKE_SA due to address change

And then r2~v2 (2nd client)  gets reauthenticated.

When , "ip route list vrf 1 "clearly shows route to reach 90.0.0.1 via 33.0.0.1, why is address change considered and reauthentication triggered. It looks like, charon refers the 'ip route list (default vrf) list' for route lookup.
Is this a known issue?



[root at FZBU-0(BCNBlr94) /root]
# ip r l
90.0.0.1 via 23.0.0.1 dev v11  proto gated
23.0.0.0/24 dev v11  proto kernel  scope link  src 23.0.0.2
169.254.64.0/20 dev xaui0  proto kernel  scope link  src 169.254.64.5
169.254.0.0/19 dev internal  proto kernel  scope link  src 169.254.0.6

[root at FZBU-0(BCNBlr94) /root]
# ip r l  v 1
90.0.0.1 via 33.0.0.1 dev v12 vrfid 1  proto gated
33.0.0.0/24 dev v12 vrfid 1  proto kernel  scope link  src 33.0.0.2


Thanks
Sumit

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150924/e7c682fc/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: serverconf.zip
Type: application/x-zip-compressed
Size: 1110 bytes
Desc: serverconf.zip
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150924/e7c682fc/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: clientconf.zip
Type: application/x-zip-compressed
Size: 1139 bytes
Desc: clientconf.zip
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150924/e7c682fc/attachment-0001.bin>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipsecstatus_client.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150924/e7c682fc/attachment.txt>

More information about the Users mailing list