Dear list:

Our customer running StrongSwan 4.6.1 wants to set up two external interfaces in 
their VPN gateway, one for cellular and one for wi-fi. 

They reported that the road warriors can only switch once. Subsequent attempts 
to switch back to the initially connected interface won't work.

We find that the IP address initially used to set up the tunnel is not stored in 
the "Mobike additional addresses list". It is accessible from the Security 
Association. However, after a Mobike switch, the SA is updated with the new IP 
address, and the initial IP address is lost. 

To verify this theory, we made the following change in ike_mobike.c:
------------------------------------------------------------
if (first)
{   /* an ADDITIONAL_*_ADDRESS means replace, so flush once */
    this->ike_sa->remove_additional_addresses(this->ike_sa);
    first = FALSE;

    /* Added code to seed the IP address in SA in the additional_address list.
     * The list takes ownership of its entries, so a clone of the other host
     * is added rather than the SA's own host object. */
    host = this->ike_sa->get_other_host(this->ike_sa);
    host = host->clone(host);
    this->ike_sa->add_additional_address(this->ike_sa, host);
}
------------------------------------------------------------
After applying this change to a road warrior, it can switch back and forth 
between the 2 interfaces.

Questions:
1. Is there a reason why the peer IP address in the Security Association is not 
stored in the additional_address list?
2. Can anyone see potential problems with the code change above? 
Not sure if there may be situations when ike_sa->get_other_host() may not 
return the correct gateway address.
The change tested OK in our lab though.
3. Another possibility is to change the gateway side to include "me" in the 
Mobike additional addresses. It is easier to upgrade one host than upgrading a 
fleet of 800 trucks. Similar to Question 1, is there a reason that "me" must be 
excluded from the Mobike additional addresses?

Thanks in advance for help.
Simon
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
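A small C model of the address bookkeeping described in the mail, added here as an illustration and not taken from strongSwan: the struct, the function names and the rule that a client can only move the tunnel to a peer address it still knows are assumptions. It replays the scenario (connect via cellular, switch to wi-fi, try to switch back) with and without the seeding change.

```c
/* Toy model of the peer-address bookkeeping described in the mail.
 * Not strongSwan code: struct and function names are assumptions. */
#include <stdbool.h>
#include <string.h>
#define MAX_ADDRS 8
typedef struct {
    char other_host[32];            /* peer address currently in the SA */
    char additional[MAX_ADDRS][32]; /* "Mobike additional addresses list" */
    int n_additional;
} toy_sa_t;

static bool in_additional(const toy_sa_t *sa, const char *addr)
{
    for (int i = 0; i < sa->n_additional; i++)
        if (strcmp(sa->additional[i], addr) == 0) return true;
    return false;
}

static void add_additional(toy_sa_t *sa, const char *addr)
{
    if (sa->n_additional < MAX_ADDRS && !in_additional(sa, addr))
        strcpy(sa->additional[sa->n_additional++], addr);
}

/* ADDITIONAL_*_ADDRESS notifies replace the list (flush once, refill); seed keeps other_host. */
static void process_additional(toy_sa_t *sa, const char *const *notified,
                               int n, bool seed)
{
    sa->n_additional = 0;
    if (seed) add_additional(sa, sa->other_host);
    for (int i = 0; i < n; i++) add_additional(sa, notified[i]);
}

/* Assumption: the client only moves the tunnel to a peer address it still knows
 * (other_host or the list); a switch overwrites other_host, losing the old one. */
static bool can_switch_to(toy_sa_t *sa, const char *addr)
{
    if (strcmp(sa->other_host, addr) != 0 && !in_additional(sa, addr))
        return false;
    strcpy(sa->other_host, addr);
    return true;
}

/* Replays the mail's scenario (cellular, wi-fi, back to cellular); returns whether the last switch works. */
bool switch_back_works(bool seed)
{
    toy_sa_t sa = { .other_host = "198.51.100.1" }; /* constructed: cellular */
    const char *wifi[] = { "203.0.113.1" };         /* constructed; gateway omits "me" */
    process_additional(&sa, wifi, 1, seed);
    can_switch_to(&sa, "203.0.113.1");
    return can_switch_to(&sa, "198.51.100.1");
}
```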