[strongSwan] 'reauthenticating IKE_SA due to address change' logs observed in Road Warrior configuration setup
Kaur, Sumit (Nokia - IN/Bangalore)
sumit.kaur at nokia.com
Tue Sep 29 07:31:29 CEST 2015
Hi,
Any inputs for below query?
Thanks
Sumit
From: users-bounces at lists.strongswan.org [mailto:users-bounces at lists.strongswan.org] On Behalf Of EXT Kaur, Sumit (Nokia - IN/Bangalore)
Sent: Thursday, September 24, 2015 5:41 PM
To: users at lists.strongswan.org
Subject: [strongSwan] 'reauthenticating IKE_SA due to address change' logs observed in Road Warrior configuration setup
Hi,
In strongswan version 4.3.6, for below client (2 clients) and server configuration :
ipsec status on clients
On doing 'ipsec down r1~v1' , below logs are seen at clients side :
Sep 24 15:05:34.986953 info FZBU-0 charon: 10[KNL] getting address to reach (vr1)90.0.0.1
Sep 24 15:05:34.987122 info FZBU-0 charon: 10[KNL] getting address to reach 23.0.0.1
Sep 24 15:05:34.987324 info FZBU-0 charon: 10[IKE] reauthenticating IKE_SA due to address change
And then r2~v2 (2nd client) gets reauthenticated.
When , "ip route list vrf 1 "clearly shows route to reach 90.0.0.1 via 33.0.0.1, why is address change considered and reauthentication triggered. It looks like, charon refers the 'ip route list (default vrf) list' for route lookup.
Is this a known issue?
[root at FZBU-0(BCNBlr94) /root]
# ip r l
90.0.0.1 via 23.0.0.1 dev v11 proto gated
23.0.0.0/24 dev v11 proto kernel scope link src 23.0.0.2
169.254.64.0/20 dev xaui0 proto kernel scope link src 169.254.64.5
169.254.0.0/19 dev internal proto kernel scope link src 169.254.0.6
[root at FZBU-0(BCNBlr94) /root]
# ip r l v 1
90.0.0.1 via 33.0.0.1 dev v12 vrfid 1 proto gated
33.0.0.0/24 dev v12 vrfid 1 proto kernel scope link src 33.0.0.2
Thanks
Sumit
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150929/ca6e5679/attachment.html>
More information about the Users
mailing list