Bug #1556
closed
Changing local IPsec tunnel endpoint does not work
0%
Description
When attempting to change over a tunnel from a OPT back to the WAN interface the tunnel never came up.
The other side said that "There was no phase1".
Looking at this side racoon complained that it was not known either. Eventhough the racoon.conf was correct, the SPD policies were correct, it was not ignoring the IPsec traffic for the new endpoint.
Piere Pommes mailed dev@ that this was a known issue with racoon 0.8.
https://trac.ipsec-tools.net/ticket/311
"1) During a reload, racoon binds to all interfaces (here: WAN, OVPN , localhost, and LAN)
My config only listens to WAN, and after a real stop/start (ie: not a reload), racoon is only bound to WAN."
This actively prevents switching to another WAN apparently. I was unable to make it work by restarting racoon only. I've found that a reboot clears it up and everything works again.
Updated by Evgeny Yurchenko almost 13 years ago
How to replicate?
I've tried switching between WAN and OPT1 and racoon always listens on respective interface. Reboot gives the same result.
Updated by Seth Mos almost 13 years ago
That is correct, racoon will listen on the correct interface, but ignore all communication for that phase 1.
The message in racoon is that there is no phase 1 found for the remote endpoint after it has been switched over.
Updated by Evgeny Yurchenko almost 13 years ago
Still struggling to replicate though tested with OPT1 and OPT2 (can't touch WAN). -(
1. Tunnel works via OPT1.
2. Change local end to OPT2. Tunnel is down.
3. Reconfigure remote end to connect to OPT2 address, as soon as there is interesting traffic the tunnel after brief "no phase 1" goes up.
4. Change local end to OPT1. Tunnel goes down.
5. Reconfigure remote end to connect to OPT1 address, as soon as there is interesting traffic the tunnel after brief "no phase 1" goes up.
Updated by Jim Pingle over 12 years ago
I switch one of my tunnels back and forth regularly between my two WANs and as long as I adjust the peer address on the other end, it always comes back up. If it weren't for the ticket I wouldn't have even known there was an issue.
Updated by Chris Buechler over 12 years ago
- Status changed from New to Feedback
I'm also unable to replicate this.
Updated by Seth Mos over 12 years ago
- Status changed from Feedback to Resolved
I can not replicate this anymore as I only have a single WAN left at work.