Bug #15685

closed

Mobile IPsec does not automatically switch to failover gateway

Added by Danilo Zrenjanin 4 months ago. Updated about 2 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 24.11
Release Notes: Default
Affected Version: 2.7.2
Affected Architecture:

Description

After failing over to a backup WAN interface, the clients were unable to connect using the backup WAN's IP address. Upon inspection of the swanctl.conf file, it was discovered that the local_addrs parameter still contained the IP address of the Primary WAN.

After failing over to the backup WAN interface, the following logs document the clients' attempted connections.

Aug 15 15:42:14    charon    39479    14[NET] <23> received packet: from 172.21.10.11[500] to 172.21.10.103[500] (370 bytes)
Aug 15 15:42:14    charon    39479    14[ENC] <23> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Aug 15 15:42:14    charon    39479    14[CFG] <23> looking for an IKEv2 config for 172.21.10.103...172.21.10.11
Aug 15 15:42:14    charon    39479    14[IKE] <23> no IKE config found for 172.21.10.103...172.21.10.11, sending NO_PROPOSAL_CHOSEN
Aug 15 15:42:14    charon    39479    14[ENC] <23> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 15 15:42:14    charon    39479    14[NET] <23> sending packet: from 172.21.10.103[500] to 172.21.10.11[500] (36 bytes)
Aug 15 15:42:14    charon    39479    14[IKE] <23> IKE_SA (unnamed)[23] state change: CREATED => DESTROYING

After restarting the IPsec service under VPN/IPsec/Tunnels, the issue was resolved. Following the service restart, the swanctl.conf file contained the correct local_addrs entry.

The config file used for testing is attached.


Files

swanctl.conf (1.43 KB) Danilo Zrenjanin, 08/15/2024 04:02 PM

Related issues

Related to Bug #15930: Mobile IPsec clients can't connect after gateway failover (Incomplete)
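The symptom in the description can be checked mechanically: charon answers NO_PROPOSAL_CHOSEN on a local address that no local_addrs entry in swanctl.conf covers. The following is an added example, not code from the ticket or from pfSense; the log lines follow the format quoted above, while the config fragment, its connection name and the 198.51.100.10 address are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the charon log format quoted in the ticket.
SAMPLE_LOG = """\
Aug 15 15:42:14    charon    39479    14[CFG] <23> looking for an IKEv2 config for 172.21.10.103...172.21.10.11
Aug 15 15:42:14    charon    39479    14[IKE] <23> no IKE config found for 172.21.10.103...172.21.10.11, sending NO_PROPOSAL_CHOSEN
"""

# Constructed swanctl.conf fragment (not the attached file): the connection name
# and the 198.51.100.10 "primary WAN" address are placeholders.
SAMPLE_CONF = """\
connections {
    con-mobile {
        local_addrs = 198.51.100.10
        remote_addrs = 0.0.0.0/0,::/0
    }
}
"""

NO_CONFIG = re.compile(r"no IKE config found for (\S+?)\.\.\.(\S+?),")
LOCAL_ADDRS = re.compile(r"^\s*local_addrs\s*=\s*(.+?)\s*$", re.MULTILINE)

def configured_networks(conf_text):
    """Return every local_addrs entry that is a literal IP or CIDR, as networks."""
    nets = []
    for match in LOCAL_ADDRS.finditer(conf_text):
        for entry in match.group(1).split(","):
            try:
                nets.append(ipaddress.ip_network(entry.strip(), strict=False))
            except ValueError:
                continue  # names and ranges are not evaluated here
    return nets

def stale_local_addrs(conf_text, log_text):
    """Local addresses that drew 'no IKE config found' and match no local_addrs."""
    rejected = Counter(m.group(1) for m in NO_CONFIG.finditer(log_text))
    nets = configured_networks(conf_text)
    findings = []
    for addr, count in sorted(rejected.items()):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # local side logged as something other than an IP
        if not any(ip.version == n.version and ip in n for n in nets):
            findings.append((addr, count))
    return findings

if __name__ == "__main__":
    for addr, count in stale_local_addrs(SAMPLE_CONF, SAMPLE_LOG):
        print(f"{count} rejected IKE_SA_INIT to {addr}: not in local_addrs")
```

A non-empty result after a gateway failover means the running configuration still lists the old WAN address.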

Actions #2

Updated by Marcos M about 2 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #3

Updated by Marcos M about 2 months ago

  • Subject changed from Mobile IPsec Multi WAN failover issue to Mobile IPsec does not automatically switch to failover gateway
  • Assignee set to Marcos M
  • Priority changed from High to Normal
  • Target version set to 2.8.0
  • Plus Target Version set to 24.11
  • Affected Version set to 2.7.2
Actions #4

Updated by Danilo Zrenjanin about 2 months ago

  • Status changed from Feedback to Resolved

Tested against the latest dev release.

The issue is fixed.

I am closing this ticket as resolved.

Actions #5

Updated by Danilo Zrenjanin 8 days ago

  • Related to Bug #15930: Mobile IPsec clients can't connect after gateway failover added