[strongSwan] New virtual IP at reauthentication with make_before_break kills initiators routing table

Ettrich, Mike, NMU-DSJ Mike.Ettrich at bertelsmann.de
Mon Aug 13 13:19:37 CEST 2018


Hi,
we are facing the following problem:

We are using a strongSwan client (initiator, details below) to open up a tunnel with reauthentication enabled and make_before_break=yes.

After opening up a tunnel initially, we see the local (client's) IP routes as follows (as expected):
ip route list table 220
10.0.0.0/8 via 146.185.113.17 dev eth0  proto static  src 10.23.7.205
188.144.0.0/15 via 146.185.113.17 dev eth0  proto static  src 10.23.7.205

During reauthentication with make_before_break:
As long as we receive the same virtual IP everything is fine: the IP routes are kept and traffic can still flow through this tunnel.

But once we receive a different virtual IP from the responder, ipsec still says "tunnel is active", but the old IP routes get deleted and no new ones are set up.
So, IP route table 220 is empty and hence no traffic will flow through this still-active tunnel.

Please note, once we disable make_before_break (which is not an option for us), everything runs smoothly, even with new virtual IPs during reauthentication.


Any idea?
Thanks for your help!


BR, Alex.




Client's OS:
Linux gtegklvk04067 4.4.114-94.14-default #1 SMP Mon Feb 19 14:46:07 UTC 2018 (14c5f0f) x86_64 x86_64 x86_64 GNU/Linux

strongSwan client version:
Linux strongSwan U5.5.3-20180605_3/K4.4.114-94.14-default

ipsec.conf
# basic configuration

config setup
   charondebug="cfg 2, dmn 2, ike 2, net 9, job -1"

conn %default
   keyexchange=ikev2
   ike=aes256-sha256-modp2048,aes256-sha1-modp2048!
   esp=aes256-sha256-modp2048,aes256-sha1-modp2048!
   dpdaction=clear
   dpddelay=300s
   rightid=%any
   leftcert=my.C_NK_VPN.pem
   leftsourceip=%config
   forceencaps=yes

conn RU1_TI_1
   right=146.185.113.4
   rightsubnet=10.0.0.0/8,188.144.0.0/15
   lifetime=5m
   ikelifetime=2m
   margintime=1m
   rekeyfuzz=0%
   auto=add

strongswan.conf
charon {
        make_before_break = yes
        hash_and_url = no
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}
include strongswan.d/*.conf
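Because the failure described above leaves the tunnel reported as established while routing table 220 is empty, a host-side check that compares the table against the subnets in rightsubnet catches it immediately. The following script is an added example, not part of the original post or of strongSwan; it takes the two subnets from the conn RU1_TI_1 above, and the sample route-list text it carries is constructed from the output quoted in the post so the check can be exercised offline. The `--live` mode assumes iproute2 is installed and that charon installs its routes into table 220 (its default).

```bash
#!/bin/sh
# Added example: verify that every subnet from rightsubnet still has a route
# in strongSwan's routing table (220 by default). After a make_before_break
# reauthentication that hands out a new virtual IP, "ipsec status" may still
# show the CHILD_SA as established while this table has been emptied, so the
# route table is the signal worth monitoring.

# Subnets taken from the post's conn RU1_TI_1 (rightsubnet=10.0.0.0/8,188.144.0.0/15)
EXPECTED_SUBNETS="10.0.0.0/8 188.144.0.0/15"

# check_routes ROUTE_LIST_TEXT
# Returns 0 if every expected subnet appears as the destination (first field)
# of a route in the given text, 1 otherwise; missing subnets go to stderr.
check_routes() {
    routes="$1"
    missing=0
    for net in $EXPECTED_SUBNETS; do
        # exact match on the destination field, so 10.0.0.0/8 does not match 110.0.0.0/8
        if ! printf '%s\n' "$routes" | awk -v n="$net" '$1 == n { found = 1 } END { exit !found }'; then
            echo "missing route for $net in table 220" >&2
            missing=1
        fi
    done
    return $missing
}

# check_live: read the real table on a strongSwan host (needs iproute2).
check_live() {
    check_routes "$(ip route list table 220 2>/dev/null)"
}

# Constructed sample outputs for offline use: the healthy table quoted in the
# post, and the empty table seen after the failed reauthentication.
SAMPLE_OK='10.0.0.0/8 via 146.185.113.17 dev eth0  proto static  src 10.23.7.205
188.144.0.0/15 via 146.185.113.17 dev eth0  proto static  src 10.23.7.205'
SAMPLE_EMPTY=''

if [ "${1:-}" = "--live" ]; then
    # exit status is non-zero when a route is missing, usable from cron or a health check
    check_live && echo "table 220 OK: all rightsubnet routes present"
else
    check_routes "$SAMPLE_OK" && echo "sample table OK: all rightsubnet routes present"
fi
```

Run it with `--live` on the client from cron or a systemd timer; a non-zero exit status together with the stderr line is the trigger to investigate the reauthentication rather than waiting for user-reported outages.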