[strongSwan] 'reauthenticating IKE_SA due to address change' logs observed in Road Warrior configuration setup

Kaur, Sumit (Nokia - IN/Bangalore) sumit.kaur at nokia.com
Tue Sep 29 07:31:29 CEST 2015


Hi,

Any inputs for the below query?

Thanks
Sumit

From: users-bounces at lists.strongswan.org [mailto:users-bounces at lists.strongswan.org] On Behalf Of EXT Kaur, Sumit (Nokia - IN/Bangalore)
Sent: Thursday, September 24, 2015 5:41 PM
To: users at lists.strongswan.org
Subject: [strongSwan] 'reauthenticating IKE_SA due to address change' logs observed in Road Warrior configuration setup

Hi,

In strongSwan version 4.3.6, for the below client (2 clients) and server configuration:


ipsec status on clients
On doing 'ipsec down r1~v1', the below logs are seen on the client side:

Sep 24 15:05:34.986953 info FZBU-0 charon: 10[KNL] getting address to reach (vr1)90.0.0.1
Sep 24 15:05:34.987122 info FZBU-0 charon: 10[KNL] getting address to reach 23.0.0.1
Sep 24 15:05:34.987324 info FZBU-0 charon: 10[IKE] reauthenticating IKE_SA due to address change

And then r2~v2 (2nd client) gets reauthenticated.

When "ip route list vrf 1" clearly shows the route to reach 90.0.0.1 via 33.0.0.1, why is an address change considered and reauthentication triggered? It looks like charon refers to the 'ip route list (default vrf) list' for route lookup.
Is this a known issue?



[root at FZBU-0(BCNBlr94) /root]
# ip r l
90.0.0.1 via 23.0.0.1 dev v11  proto gated
23.0.0.0/24 dev v11  proto kernel  scope link  src 23.0.0.2
169.254.64.0/20 dev xaui0  proto kernel  scope link  src 169.254.64.5
169.254.0.0/19 dev internal  proto kernel  scope link  src 169.254.0.6

[root at FZBU-0(BCNBlr94) /root]
# ip r l  v 1
90.0.0.1 via 33.0.0.1 dev v12 vrfid 1  proto gated
33.0.0.0/24 dev v12 vrfid 1  proto kernel  scope link  src 33.0.0.2


Thanks
Sumit
