[strongSwan] New virtual IP at reauthentication with make_before_break kills initiators routing table
Ettrich, Mike, NMU-DSJ
Mike.Ettrich at bertelsmann.de
Mon Aug 13 13:19:37 CEST 2018
We are facing the following problem:
We are using a strongSwan client (initiator, details below) to open up a tunnel with reauthentication enabled and make_before_break=yes.
After opening up a tunnel initially, we see the local (client's) IP routes as follows (as expected):
ip route list table 220
10.0.0.0/8 via 126.96.36.199 dev eth0 proto static src 10.23.7.205
188.8.131.52/15 via 184.108.40.206 dev eth0 proto static src 10.23.7.205
During reauthentication with make_before_break:
As long as we receive the same virtual IP, everything is fine: the IP routes are kept and traffic can still flow through this tunnel.
But once we receive a different virtual IP from the responder, ipsec still says "tunnel is active", but the old IP routes get deleted and no new ones are set up.
So ip route table 220 is empty and hence no traffic will flow through this still-active tunnel.
Please note that once we disable make_before_break (which is not an option for us), everything runs smoothly, even with new virtual IPs during reauthentication.
Any idea?
Thanks for your help!
Linux gtegklvk04067 4.4.114-94.14-default #1 SMP Mon Feb 19 14:46:07 UTC 2018 (14c5f0f) x86_64 x86_64 x86_64 GNU/Linux
strongSwan client version:
Linux strongSwan U5.5.3-20180605_3/K4.4.114-94.14-default
# basic configuration
charondebug="cfg 2, dmn 2, ike 2, net 9, job -1"
make_before_break = yes
hash_and_url = no
load_modular = yes
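As an added check that is not part of the original post or of strongSwan itself: a small POSIX shell function that inspects the contents of routing table 220 against the virtual IP the client currently holds, so a watchdog or updown hook can alert on the symptom described above (tunnel reported up, table 220 empty) and on the related case where routes survive but still carry the previous virtual IP as their source. The sample listings are constructed (RFC 5737 gateway addresses, the post's own virtual IP 10.23.7.205); the function name and the stale-VIP value 10.23.7.210 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from strongSwan.
# check_table220 <virtual-ip> <output of 'ip route list table 220'>
# Exit status: 0 = routes present and using the VIP
#              1 = routes present but none use the VIP (stale source)
#              2 = table empty (tunnel up, no routes installed)
check_table220() {
    vip="$1"
    routes="$2"
    # Count route lines (those starting with a destination prefix).
    total=$(printf '%s\n' "$routes" | awk '/^[0-9]/ { n++ } END { print n + 0 }')
    if [ "$total" -eq 0 ]; then
        echo "table 220 is empty: tunnel up but no routes installed"
        return 2
    fi
    # Count route lines whose 'src' attribute equals the current VIP.
    matching=$(printf '%s\n' "$routes" | awk -v vip="$vip" '
        /^[0-9]/ { for (i = 1; i <= NF; i++) if ($i == "src" && $(i+1) == vip) n++ }
        END { print n + 0 }')
    if [ "$matching" -eq 0 ]; then
        echo "table 220 has $total route(s) but none use virtual IP $vip"
        return 1
    fi
    echo "table 220 ok: $matching of $total route(s) use $vip"
    return 0
}

# Constructed sample listings (gateway addresses from RFC 5737).
SAMPLE_OK='10.0.0.0/8 via 192.0.2.1 dev eth0 proto static src 10.23.7.205
172.16.0.0/15 via 192.0.2.1 dev eth0 proto static src 10.23.7.205'
SAMPLE_EMPTY=''

# Live use (hypothetical VIP variable): set VIP to the address shown by
# 'ipsec status', or to PLUTO_MY_SOURCEIP inside an updown script, then:
#   check_table220 "$VIP" "$(ip route list table 220)"
```

Exit status 2 is the condition from the post; exit status 1 would indicate that the old routes survived a virtual IP change instead of being removed.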