[strongSwan] updown - server which disconnects one roadwarrior when another connects

lejeczek peljasz at yahoo.co.uk
Mon Sep 28 11:35:29 CEST 2020



On 28/09/2020 10:05, Noel Kuntze wrote:
> Hi,
>
> up-client is called for each combination of remote ts and local ts components, as is down-client, when a CHILD_SA is established/destroyed.
> So when a CHILD_SA is rekeyed, both are called in the order the CHILD_SAs are negotiated/destroyed.
>
> Kind regards
>
> Noel
>
> On 28.09.20 at 10:58, lejeczek wrote:
>> Hi guys.
>>
>> I have a strongswan with 'updown' which controls tunnels,
>> routes, etc. I took the script from doc examples and built
>> upon it.
>> What is totally perplexing to me is that the script shows
>> that when one roadwarrior is connected and another one is
>> connecting, the server invokes 'down-client', which then
>> removes - as the updown dictates - the tunnel of the already
>> connected roadwarrior.
>> Here is a snippet of the log from 'updown' script, a moment
>> when new roadwarrior connects:
>> ...
>> ----RUN
>> vti113 - down-client
>> Mon Sep 28 09:47:20 BST 2020
>> ip tunnel del vti113
>> ip route del 10.3.1.12/32 dev vti113
>>
>> ----RUN
>> vti114 - up-client
>> Mon Sep 28 09:47:21 BST 2020
>> ip tunnel add vti114 local X.X.X.X remote Z.Z.Z.Z mode vti
>> key 11
>> ip link set vti114 mtu 1400 up
>> ...
>>
>> 'updown' script has nothing to do with that, right?
>> Why would server do that 'down-client'?
>>
>> many thanks, L.
>>
Thanks man for explaining that.
Is that behavior controllable somehow, configured somewhere
- would you know?
Or is it the user/admin who must take care of this
'issue/phenomenon' via the 'updown' script and the script alone?

many thanks, L.
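
The following is an added example, not part of the original thread and not strongSwan's own script: one way an updown script can tolerate the overlapping up-client/down-client calls the reply describes for rekeying, by counting references per interface so only the last down-client removes the tunnel. `STATE_DIR`, `DRY_RUN` and the function names are hypothetical, and the addresses used with it are constructed.

```shell
#!/bin/sh
# Added example: reference-counted up-client/down-client handling.
# STATE_DIR, DRY_RUN, run, refcount and handle are hypothetical names.
# DRY_RUN=1 prints the ip commands instead of executing them.
STATE_DIR="${STATE_DIR:-/tmp/updown-refcount.$$}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Print the number of CHILD_SAs currently using an interface (0 if none).
refcount() {
    if [ -f "$STATE_DIR/$1" ]; then cat "$STATE_DIR/$1"; else echo 0; fi
}

# handle VERB IFACE LOCAL_IP REMOTE_IP KEY
handle() {
    verb=$1; iface=$2; local_ip=$3; remote_ip=$4; key=$5
    mkdir -p "$STATE_DIR"
    n=$(refcount "$iface")
    case "$verb" in
    up-client)
        n=$((n + 1))
        echo "$n" > "$STATE_DIR/$iface"
        # Only the first CHILD_SA on this interface creates the tunnel.
        if [ "$n" -eq 1 ]; then
            run ip tunnel add "$iface" local "$local_ip" \
                remote "$remote_ip" mode vti key "$key"
            run ip link set "$iface" mtu 1400 up
        fi
        ;;
    down-client)
        # A down-client with no recorded up-client is ignored.
        [ "$n" -gt 0 ] || return 0
        n=$((n - 1))
        if [ "$n" -eq 0 ]; then
            # Last user is gone: now it is safe to remove the tunnel.
            rm -f "$STATE_DIR/$iface"
            run ip tunnel del "$iface"
        else
            echo "$n" > "$STATE_DIR/$iface"
        fi
        ;;
    esac
}
```

In a real updown script the arguments would come from the environment strongSwan passes in, such as `PLUTO_VERB`, `PLUTO_ME` and `PLUTO_PEER`. The counter file is not locked, so concurrent invocations for the same interface would need serialising.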