[strongSwan] "sending keep alive" seems breaking VPN connection

Tobias Brunner tobias at strongswan.org
Tue Jun 5 11:11:02 CEST 2018


Hi Gilles,

> Following your comment, it seems the issue comes first for "Hide.me"
> which is not answering correctly to the "CREATE_CHILD_SA"
> request.

No, the problem is that an acquire is generated in the first place.  The
behavior by the peer is definitely not correct, but that's not the
actual problem (and fixing it wouldn't get you anything).

>    - Does it mean that if they fix this issue, I will no longer lose
> the connection on my side?

No, as I said, you have to fix your routing/iptables setup so the
correct source IP is used for traffic that's routed via the VTI device.

> If it is not possible for them to change the behaviour of their VPN, you
> mentioned I may handle it on my side by fixing the route when the
> virtual IP is created. Can you provide more details?

Install routes with `src ${PLUTO_MY_SOURCEIP}` so that source IP is used,
or NAT traffic to the virtual IP before it hits the VTI device and the
IPsec policies.

Regards,
Tobias
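
The first option from the reply above, sketched as an updown-style helper; this is an added example, not part of the original mail or strongSwan's own scripts. `PLUTO_VERB` and `PLUTO_MY_SOURCEIP` are set by strongSwan for updown scripts, while `VTI_IF`, `VTI_DEST`, `DRY_RUN` and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original mail): install routes over a VTI
# device with the assigned virtual IP as preferred source address.
# Hypothetical settings, adjust to the local setup:
VTI_IF="${VTI_IF:-vti0}"                       # name of the VTI device
VTI_DEST="${VTI_DEST:-0.0.0.0/1 128.0.0.0/1}"  # prefixes routed via the tunnel

# Print the command by default; set DRY_RUN=0 to execute it (needs root).
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@"; fi
}

vti_routes() {
    case "${PLUTO_VERB:-}" in
        up-client)
            # Without a virtual IP there is no usable source address:
            # fail instead of installing a route without "src".
            [ -n "${PLUTO_MY_SOURCEIP:-}" ] || {
                echo "no virtual IP assigned" >&2
                return 1
            }
            for dst in ${VTI_DEST}; do
                run ip route replace "${dst}" dev "${VTI_IF}" \
                    src "${PLUTO_MY_SOURCEIP}"
            done
            ;;
        down-client)
            for dst in ${VTI_DEST}; do
                run ip route del "${dst}" dev "${VTI_IF}"
            done
            ;;
    esac
}

# Act only when called as an updown script (PLUTO_VERB is set).
[ -z "${PLUTO_VERB:-}" ] || vti_routes
```

With the default `DRY_RUN=1` the helper only prints the `ip route` commands, so the result can be checked before anything is applied.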

