Dear all,

I'm using strongswan-5.7.2 on a Linux Debian 9 to support GRE-over-IPSEC tunnels in a hub-and-spoke topology. The start_action is configured as 'trap', with the traffic selector "dynamic[gre]" (see the attached spoke swanctl.conf).

When the spoke wan interface address is changed, the GRE "trap" policy in the kernel is not updated.

Before modifying the 'rt2p2' interface, which connects the machine to the WAN:

root@stretch:/ivoctl/vagrant# ip x p l
src 192.168.2.2/32 dst 1.1.1.254/32 proto gre
	dir out priority 366976 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 1 mode transport
src 1.1.1.254/32 dst 192.168.2.2/32 proto gre
	dir in priority 366976 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 1 mode transport

root@stretch:/ivoctl/vagrant# ip a l dev rt2p2
11: rt2p2@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 76:c0:22:e8:c2:42 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.2.2/24 scope global rt2p2
       valid_lft forever preferred_lft forever
    inet6 fe80::74c0:22ff:fee8:c242/64 scope link
       valid_lft forever preferred_lft forever

After modifying the 'rt2p2' interface:

root@stretch:/ivoctl/vagrant# ip x p l
src 192.168.2.2/32 dst 1.1.1.254/32 proto gre
	dir out priority 366976 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 1 mode transport
src 1.1.1.254/32 dst 192.168.2.2/32 proto gre
	dir in priority 366976 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 1 mode transport

root@stretch:/ivoctl/vagrant# ip a l dev rt2p2
11: rt2p2@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 76:c0:22:e8:c2:42 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.2.18/24 scope global rt2p2
       valid_lft forever preferred_lft forever
    inet6 fe80::74c0:22ff:fee8:c242/64 scope link
       valid_lft forever preferred_lft forever

The fun part is that if the tunnel was already up, the "active" kernel policy is correctly updated, but not the "trap" policy: after modifying the 'rt2p2' interface with an active tunnel, I see 2 policies (and the traffic is correctly forwarded in the tunnel):

root@stretch:/ivoctl/vagrant# ip x p l
src 192.168.2.18/32 dst 1.1.1.254/32 proto gre
	dir out priority 366975 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp spi 0xc5da1439 reqid 1 mode transport
src 1.1.1.254/32 dst 192.168.2.18/32 proto gre
	dir in priority 366975 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 1 mode transport
src 1.1.1.254/32 dst 192.168.2.2/32 proto gre
	dir in priority 366976 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 1 mode transport
src 192.168.2.2/32 dst 1.1.1.254/32 proto gre
	dir out priority 366976 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 1 mode transport

So I actually discovered the issue on a real case when the tunnel went down due to Internet connectivity issues.

Here's the relevant charon log (the connection's name is "lan2_dc") when the address is changed:

Mar 11 16:44:44 06[KNL] <lan2_dc|1> querying policy 192.168.2.2/32[gre] === 1.1.1.254/32[gre] out
Mar 11 16:44:48 06[KNL] <lan2_dc|1> no address found to reach 1.1.1.254/32
Mar 11 16:44:48 06[IKE] <lan2_dc|1> old path is not available anymore, try to find another
Mar 11 16:44:48 06[IKE] <lan2_dc|1> looking for a route to 1.1.1.254 ...
Mar 11 16:44:48 06[KNL] <lan2_dc|1> using 192.168.2.18 as address to reach 1.1.1.254/32
Mar 11 16:44:48 06[IKE] <lan2_dc|1> reauthenticating IKE_SA due to address change
Mar 11 16:44:48 06[KNL] <lan2_dc|1> using 192.168.2.18 as address to reach 1.1.1.254/32
Mar 11 16:44:48 06[IKE] <lan2_dc|1> reauthenticating IKE_SA lan2_dc[1]
Mar 11 16:44:48 06[IKE] <lan2_dc|1> queueing IKE_REAUTH task
Mar 11 16:44:48 06[IKE] <lan2_dc|1> activating new tasks
Mar 11 16:44:48 06[IKE] <lan2_dc|1> activating IKE_REAUTH task
Mar 11 16:44:48 06[IKE] <lan2_dc|1> deleting IKE_SA lan2_dc[1] between 192.168.2.18[lan2]...1.1.1.254[dc]
Mar 11 16:44:48 06[IKE] <lan2_dc|1> IKE_SA lan2_dc[1] state change: ESTABLISHED => DELETING
Mar 11 16:44:48 06[IKE] <lan2_dc|1> sending DELETE for IKE_SA lan2_dc[1]
Mar 11 16:44:48 06[NET] <lan2_dc|1> sending packet: from 192.168.2.18[500] to 1.1.1.254[500] (65 bytes)
Mar 11 16:44:48 12[NET] <lan2_dc|1> received packet: from 1.1.1.254[500] to 192.168.2.18[500] (57 bytes)
Mar 11 16:44:48 12[IKE] <lan2_dc|1> IKE_SA deleted
Mar 11 16:44:48 12[IKE] <lan2_dc|1> restarting CHILD_SA lan2_dc
Mar 11 16:44:48 12[IKE] <lan2_dc|1> queueing IKE_VENDOR task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> queueing IKE_INIT task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> queueing IKE_NATD task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> queueing IKE_CERT_PRE task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> queueing IKE_AUTH task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> queueing IKE_CERT_POST task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> queueing IKE_CONFIG task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> queueing IKE_AUTH_LIFETIME task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> queueing CHILD_CREATE task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> activating new tasks
Mar 11 16:44:48 12[IKE] <lan2_dc|1> activating IKE_VENDOR task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> activating IKE_INIT task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> activating IKE_NATD task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> activating IKE_CERT_PRE task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> activating IKE_AUTH task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> activating IKE_CERT_POST task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> activating IKE_CONFIG task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> activating CHILD_CREATE task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> activating IKE_AUTH_LIFETIME task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> initiating IKE_SA lan2_dc[2] to 1.1.1.254
Mar 11 16:44:48 12[IKE] <lan2_dc|1> IKE_SA lan2_dc[2] state change: CREATED => CONNECTING
Mar 11 16:44:48 12[CFG] <lan2_dc|1> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Mar 11 16:44:48 12[CFG] <lan2_dc|1> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Mar 11 16:44:48 12[NET] <lan2_dc|1> sending packet: from 192.168.2.18[500] to 1.1.1.254[500] (296 bytes)
Mar 11 16:44:48 12[IKE] <lan2_dc|1> IKE_SA lan2_dc[1] state change: DELETING => DESTROYING
Mar 11 16:44:48 12[CHD] <lan2_dc|1> CHILD_SA lan2_dc{2} state change: INSTALLED => DESTROYING
Mar 11 16:44:48 12[KNL] <lan2_dc|1> deleting policy 192.168.2.2/32[gre] === 1.1.1.254/32[gre] out
Mar 11 16:44:48 12[KNL] <lan2_dc|1> policy still used by another CHILD_SA, not removed
Mar 11 16:44:48 12[KNL] <lan2_dc|1> updating policy 192.168.2.2/32[gre] === 1.1.1.254/32[gre] out [priority 366976, refcount 1]
Mar 11 16:44:48 12[KNL] <lan2_dc|1> deleting policy 1.1.1.254/32[gre] === 192.168.2.2/32[gre] in
Mar 11 16:44:48 12[KNL] <lan2_dc|1> policy still used by another CHILD_SA, not removed
Mar 11 16:44:48 12[KNL] <lan2_dc|1> updating policy 1.1.1.254/32[gre] === 192.168.2.2/32[gre] in [priority 366976, refcount 1]
Mar 11 16:44:48 12[KNL] <lan2_dc|1> deleting SAD entry with SPI cb35fa6f
Mar 11 16:44:48 12[KNL] <lan2_dc|1> deleted SAD entry with SPI cb35fa6f
Mar 11 16:44:48 12[KNL] <lan2_dc|1> deleting SAD entry with SPI c53758a8
Mar 11 16:44:48 12[KNL] <lan2_dc|1> deleted SAD entry with SPI c53758a8
Mar 11 16:44:48 02[NET] <lan2_dc|2> received packet: from 1.1.1.254[500] to 192.168.2.18[500] (296 bytes)
Mar 11 16:44:48 02[IKE] <lan2_dc|2> received FRAGMENTATION_SUPPORTED notify
Mar 11 16:44:48 02[IKE] <lan2_dc|2> received SIGNATURE_HASH_ALGORITHMS notify
Mar 11 16:44:48 02[CFG] <lan2_dc|2> selecting proposal:
Mar 11 16:44:48 02[CFG] <lan2_dc|2> proposal matches
Mar 11 16:44:48 02[CFG] <lan2_dc|2> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Mar 11 16:44:48 02[CFG] <lan2_dc|2> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Mar 11 16:44:48 02[CFG] <lan2_dc|2> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Mar 11 16:44:48 02[CFG] <lan2_dc|2> received supported signature hash algorithms: sha256 sha384 sha512 identity
Mar 11 16:44:48 02[IKE] <lan2_dc|2> local host is behind NAT, sending keep alives
Mar 11 16:44:48 02[IKE] <lan2_dc|2> remote host is behind NAT
Mar 11 16:44:48 02[IKE] <lan2_dc|2> reinitiating already active tasks
Mar 11 16:44:48 02[IKE] <lan2_dc|2> IKE_CERT_PRE task
Mar 11 16:44:48 02[IKE] <lan2_dc|2> IKE_AUTH task
Mar 11 16:44:48 02[IKE] <lan2_dc|2> authentication of 'lan2' (myself) with pre-shared key
Mar 11 16:44:48 02[IKE] <lan2_dc|2> successfully created shared key MAC
Mar 11 16:44:48 02[CFG] <lan2_dc|2> proposing traffic selectors for us:
Mar 11 16:44:48 02[CFG] <lan2_dc|2> 192.168.2.18/32[gre]
Mar 11 16:44:48 02[CFG] <lan2_dc|2> proposing traffic selectors for other:
Mar 11 16:44:48 02[CFG] <lan2_dc|2> 1.1.1.254/32[gre]
Mar 11 16:44:48 02[CFG] <lan2_dc|2> configured proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Mar 11 16:44:48 02[IKE] <lan2_dc|2> establishing CHILD_SA lan2_dc{3} reqid 1
Mar 11 16:44:48 02[KNL] <lan2_dc|2> got SPI ccf55d90
Mar 11 16:44:48 02[NET] <lan2_dc|2> sending packet: from 192.168.2.18[4500] to 1.1.1.254[4500] (259 bytes)
Mar 11 16:44:48 09[NET] <lan2_dc|2> received packet: from 1.1.1.254[4500] to 192.168.2.18[4500] (215 bytes)
Mar 11 16:44:48 09[IKE] <lan2_dc|2> received USE_TRANSPORT_MODE notify
Mar 11 16:44:48 09[IKE] <lan2_dc|2> authentication of 'dc' with pre-shared key successful
Mar 11 16:44:48 09[IKE] <lan2_dc|2> IKE_SA lan2_dc[2] established between 192.168.2.18[lan2]...1.1
Mar 11 16:44:48 09[IKE] <lan2_dc|2> IKE_SA lan2_dc[2] state change: CONNECTING => ESTABLISHED
Mar 11 16:44:48 09[IKE] <lan2_dc|2> scheduling rekeying in 3384s
Mar 11 16:44:48 09[IKE] <lan2_dc|2> maximum IKE_SA lifetime 3744s
Mar 11 16:44:48 09[CFG] <lan2_dc|2> selecting proposal:
Mar 11 16:44:48 09[CFG] <lan2_dc|2> proposal matches
Mar 11 16:44:48 09[CFG] <lan2_dc|2> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Mar 11 16:44:48 09[CFG] <lan2_dc|2> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
Mar 11 16:44:48 09[CFG] <lan2_dc|2> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
Mar 11 16:44:48 09[CFG] <lan2_dc|2> selecting traffic selectors for us:
Mar 11 16:44:48 09[CFG] <lan2_dc|2> config: 192.168.2.18/32[gre], received: 192.168.2.18/32[gre] => match: 192.168.2.18/32[gre]
Mar 11 16:44:48 09[CFG] <lan2_dc|2> selecting traffic selectors for other:
Mar 11 16:44:48 09[CFG] <lan2_dc|2> config: 1.1.1.254/32[gre], received: 1.1.1.254/32[gre] => match: 1.1.1.254/32[gre]
Mar 11 16:44:48 09[CHD] <lan2_dc|2> CHILD_SA lan2_dc{3} state change: CREATED => INSTALLING
Mar 11 16:44:48 09[CHD] <lan2_dc|2> using AES_GCM_16 for encryption
Mar 11 16:44:48 09[CHD] <lan2_dc|2> adding inbound ESP SA
Mar 11 16:44:48 09[CHD] <lan2_dc|2> SPI 0xccf55d90, src 1.1.1.254 dst 192.168.2.18
Mar 11 16:44:48 09[KNL] <lan2_dc|2> adding SAD entry with SPI ccf55d90 and reqid {1}
Mar 11 16:44:48 09[KNL] <lan2_dc|2> using encryption algorithm AES_GCM_16 with key size 288
Mar 11 16:44:48 09[KNL] <lan2_dc|2> using replay window of 128 packets
Mar 11 16:44:48 09[KNL] <lan2_dc|2> HW offload: auto
Mar 11 16:44:48 09[KNL] <lan2_dc|2> 192.168.2.18 is on interface rt2p2
Mar 11 16:44:48 09[KNL] <lan2_dc|2> HW offload is not supported by kernel
Mar 11 16:44:48 09[CHD] <lan2_dc|2> adding outbound ESP SA
Mar 11 16:44:48 09[CHD] <lan2_dc|2> SPI 0xc5da1439, src 192.168.2.18 dst 1.1.1.254
Mar 11 16:44:48 09[KNL] <lan2_dc|2> adding SAD entry with SPI c5da1439 and reqid {1}
Mar 11 16:44:48 09[KNL] <lan2_dc|2> using encryption algorithm AES_GCM_16 with key size 288
Mar 11 16:44:48 09[KNL] <lan2_dc|2> using replay window of 0 packets
Mar 11 16:44:48 09[KNL] <lan2_dc|2> HW offload: auto
Mar 11 16:44:48 09[KNL] <lan2_dc|2> 192.168.2.18 is on interface rt2p2
Mar 11 16:44:48 09[KNL] <lan2_dc|2> HW offload is not supported by kernel
Mar 11 16:44:48 09[KNL] <lan2_dc|2> adding policy 1.1.1.254/32[gre] === 192.168.2.18/32[gre] in [priority 366975, refcount 1]
Mar 11 16:44:48 09[KNL] <lan2_dc|2> adding policy 192.168.2.18/32[gre] === 1.1.1.254/32[gre] out [priority 366975, refcount 1]
Mar 11 16:44:48 09[IKE] <lan2_dc|2> CHILD_SA lan2_dc{3} established with SPIs ccf55d90_i c5da1439_o and TS 192.168.2.18/32[gre] === 1.1.1.254/32[gre]
Mar 11 16:44:48 09[CHD] <lan2_dc|2> CHILD_SA lan2_dc{3} state change: INSTALLING => INSTALLED
Mar 11 16:44:48 09[IKE] <lan2_dc|2> activating new tasks
Mar 11 16:44:48 09[IKE] <lan2_dc|2> nothing to initiate

Let me know if further information is needed. Is there any workaround or is it a known issue?

Best regards,
F.Griffoul
[Attachment: swanctl.conf]
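A check for the condition reported above, added here as an example and not taken from the post or from strongSwan: it lists XFRM policies whose /32 local endpoint (src for "out", dst for "in"/"fwd") is no longer an IPv4 address configured on the host, which is exactly the stale 192.168.2.2 trap policy pair left behind after the address change. The POLICIES and ADDRS listings are constructed from the post's output in the multi-line layout `ip xfrm policy list` and `ip -4 -o addr show` print; the function name stale_policies is this example's own.

```shell
# Constructed sample: the four policies seen after the address change with an
# active tunnel (two current ones for .18, two stale trap ones for .2).
POLICIES='src 192.168.2.18/32 dst 1.1.1.254/32 proto gre
    dir out priority 366975 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp spi 0xc5da1439 reqid 1 mode transport
src 1.1.1.254/32 dst 192.168.2.18/32 proto gre
    dir in priority 366975 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 1 mode transport
src 1.1.1.254/32 dst 192.168.2.2/32 proto gre
    dir in priority 366976 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 1 mode transport
src 192.168.2.2/32 dst 1.1.1.254/32 proto gre
    dir out priority 366976 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 1 mode transport'

# Constructed sample of `ip -4 -o addr show` after rt2p2 moved to .18.
ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
11: rt2p2    inet 192.168.2.18/24 scope global rt2p2'

# stale_policies POLICY_TEXT ADDR_TEXT
# Prints "<dir> <local selector> proto <proto>" for every policy whose /32
# local selector is not a configured IPv4 address. Wider selectors are not
# bound to a single address and are skipped.
stale_policies() {
    addrs=$(printf '%s\n' "$2" | awk '$3 == "inet" { sub("/.*", "", $4); print $4 }')
    printf '%s\n' "$1" | awk -v addrs="$addrs" '
        BEGIN { n = split(addrs, a, "\n"); for (i = 1; i <= n; i++) have[a[i]] = 1 }
        # first line of a policy: src/dst selectors and optional protocol
        $1 == "src" { src = $2; dst = $4; proto = ($5 == "proto") ? $6 : "any" }
        # second line: direction decides which selector is the local endpoint
        $1 == "dir" {
            lcl = ($2 == "out") ? src : dst
            if (split(lcl, p, "/") != 2 || p[2] != "32") next
            if (!(p[1] in have)) print $2, lcl, "proto", proto
        }'
}

# On a live host: stale_policies "$(ip xfrm policy list)" "$(ip -4 -o addr show)"
stale_policies "$POLICIES" "$ADDRS"
```

With the sample data this reports the two 192.168.2.2/32 policies and nothing else; a non-empty result after an address change is the signal to reinstall the trap policy (for instance by reloading the connection).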