
Bug #1556

Changing local IPsec tunnel endpoint does not work

Added by Seth Mos about 8 years ago. Updated almost 8 years ago.

Status: Resolved
Priority: Urgent
Assignee: -
Category: IPsec
Target version:
Start date: 05/26/2011
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.0
Affected Architecture:

Description

When attempting to change a tunnel over from an OPT interface back to the WAN interface, the tunnel never came up.

The other side said that "There was no phase1".

Looking at this side, racoon complained that it was not known either. Even though the racoon.conf was correct and the SPD policies were correct, it was not ignoring the IPsec traffic for the new endpoint.

Piere Pommes mailed dev@ that this was a known issue with racoon 0.8.
https://trac.ipsec-tools.net/ticket/311

"1) During a reload, racoon binds to all interfaces (here: WAN, OVPN , localhost, and LAN)
My config only listens to WAN, and after a real stop/start (ie: not a reload), racoon is only bound to WAN."

This actively prevents switching to another WAN apparently. I was unable to make it work by restarting racoon only. I've found that a reboot clears it up and everything works again.

History

#1 Updated by Evgeny Yurchenko about 8 years ago

How to replicate?
I've tried switching between WAN and OPT1 and racoon always listens on respective interface. Reboot gives the same result.

#2 Updated by Seth Mos about 8 years ago

That is correct, racoon will listen on the correct interface, but ignore all communication for that phase 1.

The message in racoon is that there is no phase 1 found for the remote endpoint after it has been switched over.

#3 Updated by Evgeny Yurchenko about 8 years ago

Still struggling to replicate though tested with OPT1 and OPT2 (can't touch WAN). -(
1. Tunnel works via OPT1.
2. Change local end to OPT2. Tunnel is down.
3. Reconfigure remote end to connect to OPT2 address; as soon as there is interesting traffic, the tunnel goes up after a brief "no phase 1".
4. Change local end to OPT1. Tunnel goes down.
5. Reconfigure remote end to connect to OPT1 address; as soon as there is interesting traffic, the tunnel goes up after a brief "no phase 1".

#4 Updated by Jim Pingle almost 8 years ago

I switch one of my tunnels back and forth regularly between my two WANs and as long as I adjust the peer address on the other end, it always comes back up. If it weren't for the ticket I wouldn't have even known there was an issue.

#5 Updated by Chris Buechler almost 8 years ago

  • Status changed from New to Feedback

I'm also unable to replicate this.

#6 Updated by Seth Mos almost 8 years ago

  • Status changed from Feedback to Resolved

I cannot replicate this anymore as I only have a single WAN left at work.
