Bug #4254

closed

Dynamic interface removal/addition breaks IKEv2

Added by Chris Buechler about 9 years ago. Updated about 9 years ago.

Status: Resolved
Priority: Very High
Assignee: Ermal Luçi
Category: IPsec
Target version:
Start date: 01/20/2015
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.2
Affected Architecture:

Description

Where you have a dynamic interface removed and re-added while running IKEv2 in strongswan, things break. A good, easily replicable example is an OpenVPN server instance bound to the same WAN as IPsec. Restart OpenVPN, and strongswan will kick out:

 15[IKE] old path is not available anymore, try to find another
 15[IKE] sending address list update using MOBIKE

at which time it tries connecting to every IP sent via MOBIKE, and gets itself into a mess (VPN no longer works) until you X out the connection under Status>IPsec.

Actions #1

Updated by Chris Buechler about 9 years ago

Sent Ermal details on how to replicate in the test setup.

Actions #2

Updated by Ermal Luçi about 9 years ago

  • Status changed from Confirmed to Feedback

I put in a workaround to not use the interfaces not present in the config.

Though the real workaround here is to install static routes so strongswan can use them when searching for nexthop.

Let me know if for 2.2 this is enough.

Actions #3

Updated by Ermal Luçi about 9 years ago

Static routes are put back in the configuration.

Actions #4

Updated by Chris Buechler about 9 years ago

  • Status changed from Feedback to Resolved

That fixes the initially described problem. Also re-verified multi-WAN bits after static routes returned, including disconnect/reconnect of dynamic WANs, and that's all good as well.
