[strongSwan] farp question about ARP TTL

Harald Dunkel harald.dunkel at aixigo.com
Thu Jul 25 15:30:24 CEST 2019

Hi folks,

imagine a road warrior scenario (all peers running strongSwan 5.7.2).

A warrior's laptop is usually connected via Ethernet cable to the
company network, but he might prefer an IPsec connection over WLAN
instead, e.g. for the conference room or for home office. Using the dhcp
and farp plugins, each laptop gets the same address as for the Ethernet
connection. It's the same DHCP server.

Problem is: if a warrior pulls the cable, waits for NetworkManager
to recognize it and connects via WLAN plus IPsec, then some servers in
the network become unreachable.

Looking closely at such a remote host, it seems that there are incoming
packets from the new MAC address, but the reply goes to the old
MAC address. Of course the old MAC address is still in the ARP cache.

The weird part is that there is no such problem when moving in the
opposite direction (from WLAN + IPsec to the Ethernet connection). All
servers are available immediately after the change. The ARP cache
is fixed with the very first incoming packet. Obviously there is
some way to clean up the ARP cache in place. ???

Is this something that could be improved in strongSwan?


More information about the Users mailing list
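The symptom described in the post (replies still going to the laptop's Ethernet MAC while the virtual IP is now served through the gateway) is what a stale ARP cache entry looks like: the farp plugin answers ARP *requests* for the virtual IP with the gateway's MAC, but a host that already has the address cached never asks again until its entry times out. The standard fix on a LAN is a gratuitous ARP (RFC 5227 "ARP Announcement"): the gateway broadcasts "this IP is at my MAC", and every host that already holds an entry for that IP overwrites it (Linux updates existing entries regardless of `net.ipv4.conf.*.arp_accept`; that sysctl only governs whether a *new* entry is created). The following is an added example, not strongSwan or farp code, of how to build, check and send such an announcement; the interface name, MAC and IP are placeholders to be taken from the gateway's own configuration, and running it from an updown hook when a virtual IP is assigned is an assumption about the deployment, not something the post describes.

```python
"""Build, parse and (optionally) send a gratuitous ARP announcement.

Added example (not strongSwan/farp code). Assumed use: run on the IPsec
gateway when a road-warrior's virtual IP comes up, so LAN hosts replace
the stale laptop-Ethernet MAC in their ARP caches with the gateway's MAC.
"""
import socket
import struct
import sys

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes, rejecting malformed input."""
    raw = bytes.fromhex(mac.replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address {mac!r}")
    return raw


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_gratuitous_arp(sender_mac: str, sender_ip: str, reply: bool = False) -> bytes:
    """Return an Ethernet frame carrying a gratuitous ARP for sender_ip.

    Gratuitous means sender IP == target IP. The request form (RFC 5227
    ARP Announcement) carries a zero target MAC; the reply form carries
    the broadcast MAC. Both are broadcast so every host on the segment
    that caches sender_ip sees the new sender_mac.
    """
    oper = ARP_REPLY if reply else ARP_REQUEST
    tha = mac_bytes(BROADCAST if reply else ZERO_MAC)
    eth = mac_bytes(BROADCAST) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)      # Ethernet / IPv4
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += tha + socket.inet_aton(sender_ip)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame; raise on anything that is not IPv4 ARP."""
    if len(frame) < 42:                      # 14-byte Ethernet + 28-byte ARP
        raise ValueError("frame too short for Ethernet+ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return {
        "oper": oper,
        "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa),
        "gratuitous": spa == tpa,            # the sender talks about itself
    }


def send_frame(ifname: str, frame: bytes) -> int:
    """Put the frame on the wire (Linux AF_PACKET; needs CAP_NET_RAW)."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((ifname, 0))
        return s.send(frame)


if __name__ == "__main__":
    # Placeholder invocation: gratarp.py <lan-interface> <gateway-mac> <virtual-ip>
    ifname, gw_mac, vip = sys.argv[1:4]
    # Send both forms; some stacks honour only one of them.
    for frame in (build_gratuitous_arp(gw_mac, vip),
                  build_gratuitous_arp(gw_mac, vip, reply=True)):
        send_frame(ifname, frame)
```

Two caveats before using this. First, it is the same frame an ARP spoofing tool sends, so only announce addresses the gateway legitimately proxies (the virtual IPs farp already answers for), and only on the LAN segment where the servers sit; ARP does not cross routers. Second, the ready-made equivalent on Linux is `arping -U -I <iface> -s <vip> <vip>` from iputils (`-U` is unsolicited/update mode, `-A` sends the reply form), and `ip neigh show` on an affected server shows whether the entry actually changed.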