Bug #3961
closed
only first of multiple P2s works in 2.2
Added by Chris Buechler about 10 years ago.
Updated about 10 years ago.
Description
Where you have multiple P2s on 2.2, only the first does anything. It negotiates successfully, but the strongswan/2.2 side never uses the second P2's SAD. Confirmed on:
2.2-BETA (amd64)
built on Sat Oct 25 21:39:21 CDT 2014
so should be unchanged after Ermal's most recent changes.
- Status changed from New to Confirmed
- Assignee set to Ermal Luçi
- Status changed from Confirmed to Feedback
It works for me for mobile clients which this issue is about!
The unity plugin sends split-include sections now.
This is for site-to-site VPNs with > 1 P2. One easy way to replicate: set up a site-to-site IPsec between 2.1.5 and 2.2 with two P2s. Bring them both up. They'll come up fine. Try to send traffic across both. You'll see only the first has any bytes transferred, under Status>IPsec, SAD. The strongswan side will never send traffic across the second P2. This will break a wide variety of site-to-site setups.
I have done testing on this.
It works even today as is.
List of issues I am after:
- Racoon does not like aggressive mode negotiation for this due to the NAT-D exchange message, even though it correctly processes that for main mode. (Racoon bug)
- When strongswan triggers the connection, racoon does not send a reply back without any clear reason (so far), and strongswan expires the connection request.
The same happens if you use two different connections in the strongswan configuration or use the one generated today.
So it's mostly inter-operability rather than not working at all.
- Status changed from Feedback to Resolved
The issue described here is resolved. The two Ermal noted we'll discuss.