Project

General

Profile

Actions

Bug #3769

closed

Only the first phase 2 entry is used when multiple entries are present for an IPsec tunnel in 2.2

Added by Matthew Smith over 10 years ago. Updated about 10 years ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
IPsec
Target version:
Start date:
07/23/2014
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.2
Affected Architecture:

Description

See the attached config.xml file. The ipsec phase 1 peers with ikeid's 2 and 3 are active. Each of them have 3 phase 2 associations configured. But strongswan isn't using all of them them. On the SPD tab of Status -> IPsec, only the first phase 2 entry shows up for each tunnel. And the output of '/usr/local/sbin/ipsec status' only lists the first entry (the one with the 169.254.x.y addresses) as well:

[2.2-ALPHA][]/root(8): ipsec status
Security Associations (2 up, 0 connecting):
con2-27: ESTABLISHED 53 seconds ago, 192.207.126.12[192.207.126.12]...54.240.217.160[54.240.217.160]
con2-2{2}: INSTALLED, TUNNEL, ESP SPIs: c709827d_i f0ae3dac_o
con2-2{2}: 169.254.255.72/30|/0 === 169.254.255.72/30|/0
con2-2{2}: INSTALLED, TUNNEL, ESP SPIs: cbaffa4f_i 09a5af6c_o
con2-2{2}: 169.254.255.72/30|/0 === 169.254.255.72/30|/0
con3-36: ESTABLISHED 2 minutes ago, 192.207.126.12[192.207.126.12]...54.240.217.166[54.240.217.166]
con3-3{3}: INSTALLED, TUNNEL, ESP SPIs: c7c616ba_i 5166be21_o
con3-3{3}: 169.254.255.76/30|/0 === 169.254.255.76/30|/0
con3-3{3}: INSTALLED, TUNNEL, ESP SPIs: c34deb9b_i 2033bb6b_o
con3-3{3}: 169.254.255.76/30|/0 === 169.254.255.76/30|/0

See the attached ipsec.conf file.

Each of the entries for a particular phase 1 peer (3 entries for each of them) is getting created with the same name/label in /var/etc/ipsec/ipsec.conf. E.g. conn2-2, conn3-3. When I manually changed this and restarted ipsec, things worked as expected. The attached patch works to get the entries generated with unique names.


Files

config-2_2-aws.xml (26.6 KB) config-2_2-aws.xml Matthew Smith, 07/23/2014 11:13 AM
ipsec.conf (3.14 KB) ipsec.conf Matthew Smith, 07/23/2014 11:13 AM
strongswan.patch (663 Bytes) strongswan.patch Matthew Smith, 07/23/2014 11:13 AM
Actions #1

Updated by Matthew Smith over 10 years ago

pushed the patch to master. Will test in next snapshot.

Actions #2

Updated by Matthew Smith over 10 years ago

The change included in the next snapshot worked fine.

Actions #3

Updated by Jim Thompson over 10 years ago

  • Assignee set to Matthew Smith
Actions #4

Updated by Ermal Luçi about 10 years ago

  • Status changed from New to Feedback

This has been resolved since at least 12 days or more.

Can yo uplease try again with latest snapshot?

Actions #5

Updated by Chris Buechler about 10 years ago

  • Status changed from Feedback to Resolved

fixed

Actions

Also available in: Atom PDF