Hi,

I observed this on a pretty vanilla tunnel setup between two servers,
using Ubuntu 10.04/StrongSwan 4.3.2 on the left and Ubuntu
11.10/StrongSwan 4.5.2 on the right, with IKEv1.

Issuing an "ipsec restart" on the left end of the tunnel seems to kill
the connection and it won't come back until I issue an "ipsec restart"
on the right end as well. Maybe noteworthy: the right server
continuously pings a host in the subnet behind the left tunnel. After
restarting ipsec on the right the connection works again.

This is obviously not practical. It seems the right server is not aware
that the connection has been interrupted. How do I make it aware?

It may also be noteworthy that restarting the *right* server does not
result in the same problem. In this case the connection is interrupted
only for the time it takes "ipsec restart" on the right to complete. Is
this behaviour because of the different StrongSwan versions used?

Here is what "ipsec status" says on the left after the restart:

"left-right":
10.0.0.0/16===10.0.7.47[@left]---10.0.7.1...aa.bb.cc.dd[@right]===192.168.0.0/24;
unrouted; eroute owner: #0
"left-right":   newest ISAKMP SA: #0; newest IPsec SA: #0;

#1: "rz02-daff" STATE_MAIN_I1 (sent MI1, expecting MR1);
EVENT_RETRANSMIT in 37s
#1: pending Phase 2 for "left-right" replacing #0

Here is what "ipsec status" says on the right after the restart:

#3: "right-left" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE
in 2577s
#3: "right-left" esp.ce0a8...@xx.yy.zz.aa (420 bytes)
esp.c1425857@192.168.0.20 (420 bytes); tunnel
#2: "right-left" STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
EVENT_SA_REPLACE in 27777s
#4: "right-left" STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 2100s; newest IPSEC; eroute owner
#4: "right-left" esp.1efae...@xx.yy.zz.aa (53256 bytes, 0s ago)
esp.c6a68d8a@192.168.0.20 (8820 bytes, 533s ago); tunnel
#1: "right-left" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE
in 27059s; newest ISAKMP

Here is the connection definition on the left (looks identical on the
right, except for left/rightid, left/rightsubnet and remote IPSec gateway):

conn left-right
    type            = tunnel
    left            = %defaultroute
    leftid          = @left
    leftsubnet      = 10.0.0.0/16
    rightid         = @right
    rightsubnet     = 192.168.0.0/24
    right           = aa.bb.cc.dd
    auth            = esp
    pfs             = yes
    pfsgroup        = modp1024
    compress        = no
    esp             = aes128-sha1!
    ike             = aes128-sha1-modp1024!
    ikelifetime     = 28800s
    keylife         = 3600s
    keyingtries     = %forever
    keyexchange     = ikev1
    authby          = psk
    auto            = start

Any ideas? Any more info I can provide?

Thanks,

Andreas

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users