Bug #3961

closed

only first of multiple P2s works in 2.2

Added by Chris Buechler about 10 years ago. Updated about 10 years ago.

Status: Resolved
Priority: Very High
Assignee: Ermal Luçi
Category: IPsec
Target version:
Start date: 10/25/2014
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.2
Affected Architecture:

Description

Where you have multiple P2s on 2.2, only the first does anything. It negotiates successfully, but the strongswan/2.2 side never uses the second P2's SAD. Confirmed on:

2.2-BETA (amd64)
built on Sat Oct 25 21:39:21 CDT 2014

so should be unchanged after Ermal's most recent changes.

#1

Updated by Chris Buechler about 10 years ago

  • Status changed from New to Confirmed
  • Assignee set to Ermal Luçi

#2

Updated by Ermal Luçi about 10 years ago

  • Status changed from Confirmed to Feedback

It works for me for mobile clients which this issue is about!
The unity plugin sends split-include sections now.

#3

Updated by Chris Buechler about 10 years ago

This is for site-to-site VPNs with > 1 P2. One easy way to replicate: set up a site-to-site IPsec between 2.1.5 and 2.2 with two P2s. Bring them both up. They'll come up fine. Try to send traffic across both. You'll see only the first has any bytes transferred, under Status > IPsec, SAD. The strongswan side will never send traffic across the second P2. This will break a wide variety of site-to-site setups.
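A quick way to spot the symptom above from the strongswan side is to read the per-CHILD_SA byte counters and flag any installed Phase 2 SA that has carried nothing in one direction. This is an added example, not code from the issue or from pfSense; the sample output is constructed and assumes the strongswan 5.x `ipsec statusall` line format.

```python
import re

# Constructed sample of strongswan 5.x `ipsec statusall` CHILD_SA lines.
# Connection names, SPIs, byte counts and subnets are made up; the line
# format is an assumption about what strongswan prints.
SAMPLE_STATUSALL = """\
con1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a80101_i c0a80102_o
con1{1}:   AES_CBC_256/HMAC_SHA2_256_128, 48212 bytes_i (401 pkts, 3s ago), 51090 bytes_o (399 pkts, 2s ago), rekeying in 41 minutes
con1{1}:   10.1.0.0/24 === 10.2.0.0/24
con1{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0a80201_i c0a80202_o
con1{2}:   AES_CBC_256/HMAC_SHA2_256_128, 12040 bytes_i (100 pkts, 4s ago), 0 bytes_o, rekeying in 42 minutes
con1{2}:   10.1.0.0/24 === 10.3.0.0/24
"""

# One CHILD_SA is reported as three lines sharing the same "name{instance}:" prefix.
CHILD_RE = re.compile(r"^(?P<name>\S+\{\d+\}):\s+INSTALLED, \w+, reqid (?P<reqid>\d+)")
BYTES_RE = re.compile(r"^(?P<name>\S+\{\d+\}):.*?(?P<bytes_i>\d+) bytes_i.*?(?P<bytes_o>\d+) bytes_o")
TS_RE = re.compile(r"^(?P<name>\S+\{\d+\}):\s+(?P<local>\S+) === (?P<remote>\S+)$")


def parse_child_sas(status_text):
    """Return {child_name: {reqid, bytes_i, bytes_o, local, remote}} for installed CHILD_SAs."""
    sas = {}
    for line in status_text.splitlines():
        m = CHILD_RE.match(line)
        if m:  # header line: start a new record for this CHILD_SA
            sas[m["name"]] = {"reqid": int(m["reqid"]), "bytes_i": 0, "bytes_o": 0,
                              "local": None, "remote": None}
            continue
        m = BYTES_RE.match(line)
        if m and m["name"] in sas:  # cipher/counter line
            sas[m["name"]]["bytes_i"] = int(m["bytes_i"])
            sas[m["name"]]["bytes_o"] = int(m["bytes_o"])
            continue
        m = TS_RE.match(line)
        if m and m["name"] in sas:  # traffic selector line
            sas[m["name"]]["local"] = m["local"]
            sas[m["name"]]["remote"] = m["remote"]
    return sas


def idle_child_sas(status_text):
    """Names of installed CHILD_SAs that have moved zero bytes in at least one direction."""
    sas = parse_child_sas(status_text)
    return sorted(n for n, sa in sas.items() if sa["bytes_i"] == 0 or sa["bytes_o"] == 0)


if __name__ == "__main__":
    sas = parse_child_sas(SAMPLE_STATUSALL)
    for name in idle_child_sas(SAMPLE_STATUSALL):
        print(f"{name}: {sas[name]['local']} === {sas[name]['remote']} has no traffic in one direction")
```

A CHILD_SA that is INSTALLED but stays at 0 bytes_o while the peer reports sent traffic is the pattern this issue describes; a zero counter on a freshly established SA is expected until something actually sends through it.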

#4

Updated by Ermal Luçi about 10 years ago

I have done testing on this.

It works even today as is.
List of issues I am after:
- Racoon does not like aggressive mode negotiation for this due to the NAT-D exchange message, even though it correctly processes that for main mode. (Racoon bug)
- When strongswan triggers the connection, racoon does not send a reply back without any clear reason (so far) and strongswan expires the connection request.

The same happens if you use two different connections in strongswan configuration or use the one generated today.

So it's mostly inter-operability rather than not working at all.

#5

Updated by Chris Buechler about 10 years ago

  • Status changed from Feedback to Resolved

The issue described here is resolved. The two Ermal noted we'll discuss.
