Hi all.
We recently stumbled across a problem where routes for established child
SAs "suddenly" disappeared. As it turned out, this was due to the
outgoing interface for that connection being set "down", which then
caused the kernel to delete all routes over that interface, including
the routes associated with that IPsec connection.
We use policy routing and "blackhole" routes to (among other things)
prevent traffic from going out unencrypted, so the observable
result was that no traffic could be transmitted between the endpoints.
I guess in simpler setups this issue would be hidden by the existence
of a "default" route.
Now, when the interface was brought up again (before any DPD timeout can
happen and with no address change on the interface), nothing made the
routes re-appear.
DPD does not help here since, from the perspective of the IKE
connection, everything appeared to be OK.
In our case, when such an interface down-up happens on the initiator
side of the connection, we can work around this since we have some
external observer that notices the routes' disappearance and then
re-initiates the connection.
On the responder side though (with roadwarrior-style setups), said
observer does not have enough information to re-install routes on its own.
Any idea how to deal with that situation?
TIA
andi
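An added example (not from the original post or the strongSwan project) of the kind of check the "external observer" described above performs: it parses the routes strongSwan installed and reports which child SA traffic selectors no longer have a route. It assumes strongSwan's default routing table 220 (charon.routing_table), iproute2's `ip route show` output format, and a hypothetical `expected` map of remote traffic selectors to the device they should be routed over; the sample table output is constructed.

```python
import re
import subprocess
from ipaddress import ip_network

# Constructed sample of `ip route show table 220` output: one child SA whose
# remote traffic selector 10.1.0.0/16 is routed over eth0 while it is up.
SAMPLE_TABLE_220 = """\
10.1.0.0/16 via 192.0.2.1 dev eth0 proto static src 10.2.0.1
"""

# destination, optional gateway, device; remaining attributes are ignored
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)")


def parse_routes(text):
    """Parse `ip route show` output into {normalized destination: device}."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = m.group("dst")
        if dst == "default":
            dst = "0.0.0.0/0"
        # normalize host routes ("10.1.0.5") and prefixes to CIDR form
        routes[str(ip_network(dst, strict=False))] = m.group("dev")
    return routes


def missing_routes(expected, table_text):
    """Return the remote traffic selectors of established child SAs that have
    no route (or a route over the wrong device) in the given table output.

    `expected` maps each remote TS to its intended device, e.g.
    {"10.1.0.0/16": "eth0"} (hypothetical input, derived by the observer
    from its own view of the established SAs)."""
    present = parse_routes(table_text)
    return sorted(ts for ts, dev in expected.items()
                  if present.get(str(ip_network(ts, strict=False))) != dev)


def live_check(expected, table=220):
    """Run the same check against the real kernel table (requires iproute2)."""
    out = subprocess.run(["ip", "route", "show", "table", str(table)],
                         capture_output=True, text=True, check=True).stdout
    return missing_routes(expected, out)
```

After an interface down-up, `live_check` returning a non-empty list is the signal that the kernel dropped the routes even though the IKE and child SAs are still established and DPD is still passing.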
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users