Hi,

I'm running strongswan as a server for roadwarriors using IPSEC-L2TP in 
transport mode (I'm aware of security implications). My problem is as follows: 
when the client rekeys (MS Windows XP and Vista clients), the L2TP connection 
fails.

I haven't done a full in-depth analysis, but I think the same issue arises that 
occurs with Openswan or racoon in this setup using NETKEY (see 
https://gsoc.xelerance.com/issues/1177). 
It's supposedly related to the way SPD policies are updated upon rekey (as I've 
been told by Openswan devs). I think this was addressed by the following post: 
https://lists.strongswan.org/pipermail/dev/2010-May/000200.html

As far as I can tell, the proposed patch was never incorporated into strongswan 
(maybe it didn't fix the problem in the right way?). 

The log says the following during the roadwarrior initiated rekey (I'm testing 
by connecting from the same subnet):
 Oct 18 16:52:40 dev pluto[29418]: "l2tp-x509-vista"[2] 192.168.1.110 #3: 
responding to Quick Mode
 Oct 18 16:52:40 dev pluto[29418]: "l2tp-x509-vista"[2] 192.168.1.110 #3: 
discarding duplicate packet; already STATE_QUICK_R1
 Oct 18 16:52:40 dev pluto[29418]: deleting policy 192.168.1.110/32[udp/l2f] 
=== 192.168.1.103/32[udp/l2f] fwd failed, not found
 Oct 18 16:52:40 dev pluto[29418]: "l2tp-x509-vista"[2] 192.168.1.110 #3: IPsec 
SA established {ESP=>0x370fc7a2 <0xcd0643e8}
 Oct 18 16:52:40 dev pluto[29418]: "l2tp-x509-vista"[2] 192.168.1.110 #1: 
received Delete SA(0xdf403044) payload: deleting IPSEC State #2

If any additional information is needed, I'm happy to provide it.

Regards,
Frank
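Editor's note: the following is an added example, not part of Frank's post or of the strongSwan project. It parses pluto log lines in the exact format quoted above and correlates, per connection instance, the Quick Mode exchange of the new state, any "deleting policy ... failed, not found" message logged while that exchange was in progress, and the later Delete SA for the old state. That lets an operator flag rekeys during which the SPD update failed instead of eyeballing syslog. The sample log is constructed from the five lines in the post, unwrapped to one line each; the regexes, the attribution of untagged policy messages to the open Quick Mode exchange, and all function names are assumptions of this example.

```python
import re

# Constructed sample: the log excerpt from the post, one event per line.
SAMPLE_LOG = """\
Oct 18 16:52:40 dev pluto[29418]: "l2tp-x509-vista"[2] 192.168.1.110 #3: responding to Quick Mode
Oct 18 16:52:40 dev pluto[29418]: "l2tp-x509-vista"[2] 192.168.1.110 #3: discarding duplicate packet; already STATE_QUICK_R1
Oct 18 16:52:40 dev pluto[29418]: deleting policy 192.168.1.110/32[udp/l2f] === 192.168.1.103/32[udp/l2f] fwd failed, not found
Oct 18 16:52:40 dev pluto[29418]: "l2tp-x509-vista"[2] 192.168.1.110 #3: IPsec SA established {ESP=>0x370fc7a2 <0xcd0643e8}
Oct 18 16:52:40 dev pluto[29418]: "l2tp-x509-vista"[2] 192.168.1.110 #1: received Delete SA(0xdf403044) payload: deleting IPSEC State #2
"""

# Generic pluto line: timestamp, host, pid, then an optional '"conn"[inst] peer #state:' tag
# (policy messages carry no tag) followed by the free-form message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'(?:"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<state>\d+): )?'
    r'(?P<msg>.*)$'
)
SA_RE = re.compile(r'IPsec SA established \{ESP=>(?P<out>0x[0-9a-f]+) <(?P<in>0x[0-9a-f]+)\}')
DEL_RE = re.compile(r'received Delete SA\((?P<spi>0x[0-9a-f]+)\) payload: deleting IPSEC State #(?P<state>\d+)')
POLICY_FAIL_RE = re.compile(r'deleting policy (?P<src>\S+) === (?P<dst>\S+) (?P<dir>\w+) failed, not found')


def parse_line(line):
    """Return the matched fields of one pluto log line, or None if it is not a pluto line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text):
    """Walk the log in order and correlate the new state's Quick Mode exchange, the policy
    deletion failures seen while it ran, and the Delete SA that retires the old state."""
    findings = {"sa_established": {}, "sa_deleted": [], "policy_failures": [], "rekeys": []}
    open_qm = {}       # (conn, inst) -> state number currently negotiating Quick Mode
    qm_failures = {}   # state number -> policy deletion failures logged during its Quick Mode
    latest_state = {}  # (conn, inst) -> most recently established state number

    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        msg, key = e["msg"], (e["conn"], e["inst"])

        if msg == "responding to Quick Mode":
            state = int(e["state"])
            open_qm[key] = state
            qm_failures.setdefault(state, [])
            continue

        pf = POLICY_FAIL_RE.match(msg)
        if pf:
            rec = (pf["src"], pf["dst"], pf["dir"])
            findings["policy_failures"].append(rec)
            # Policy messages carry no connection tag, so attribute them to every
            # Quick Mode exchange that is open at this moment (an assumption).
            for state in open_qm.values():
                qm_failures[state].append(rec)
            continue

        sa = SA_RE.match(msg)
        if sa:
            state = int(e["state"])
            findings["sa_established"][state] = {
                "conn": e["conn"], "spi_out": sa["out"], "spi_in": sa["in"],
                "policy_failures_during_qm": qm_failures.get(state, []),
            }
            open_qm.pop(key, None)
            latest_state[key] = state
            continue

        dl = DEL_RE.match(msg)
        if dl:
            old = int(dl["state"])
            findings["sa_deleted"].append((old, dl["spi"]))
            new = latest_state.get(key)
            # A Delete SA for an older state after a newer one was established is a rekey.
            if new is not None and new != old:
                findings["rekeys"].append({
                    "conn": e["conn"], "peer": e["peer"], "old_state": old, "new_state": new,
                    "policy_failures_during_rekey":
                        findings["sa_established"][new]["policy_failures_during_qm"],
                })
    return findings


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG)["rekeys"]:
        flag = "SPD update failed" if r["policy_failures_during_rekey"] else "ok"
        print(f'{r["conn"]} {r["peer"]}: state #{r["old_state"]} -> #{r["new_state"]} [{flag}]')
```

Feeding the script a longer pluto log (e.g. `python3 rekey_check.py < /var/log/auth.log`, after switching the `__main__` block to read stdin) lists every rekey per roadwarrior and marks the ones where a policy deletion failed while the replacement SA was being negotiated, which is the pattern in the excerpt above.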


_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
