Bug #4425
Status: closed
IPSEC / Strongswan Fails to Detect IP Address Change
Description
What we saw was that 2.2 had no issue bringing up the tunnel, but once the tunnels were up they were unstable, and if there is a disconnect they don't get re-established irrespective of whether DPD was on or off. For example, if you establish a tunnel between two pfSense appliances both running 2.2 and connected through their interfaces, you can see that the data is going through. If you then go to the interfaces section and disconnect your WAN, wait 2-3 minutes until the Dashboard applets show that all tunnels are down, then reconnect your WAN and confirm. Wait again until the WAN comes up; you will see that the tunnels stay down and never come up even if your WAN IP never changed.
It's almost like when the interfaces get updated, either due to a disconnect or reconnect or due to a dynamic IP refresh, pfSense does not seem to refresh charon/strongSwan to tell it that the interface status changed and it should try to re-establish the tunnels. In the logs all you see are DPD messages or that the WAN interface does not exist, even though in reality the interface does exist and is up and running. It simply gives the WAN IP address and keeps saying interface not found.
https://forum.pfsense.org/index.php?topic=87636.msg489955#msg489955
Here is the LOG file. As I have previously mentioned, when my IP address changes from a disconnect/reconnect situation, for some reason that information is not passed on to charon. As you can see from the logs, charon is still passing the old IP address to the remote site and we get the "error writing to socket: Can't assign requested address" error.
For the Devs:
From what I can tell there is some sort of race condition being created. It was described on the strongSwan forums too:
https://wiki.strongswan.org/issues/543
https://wiki.strongswan.org/issues/193
SAM
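The failure mode the reporter describes (charon keeps sending from the old WAN address after the interface comes back, and the kernel answers with "Can't assign requested address") leaves a recognisable trace in the charon log. The following is an added example, not code from the ticket or from pfSense/strongSwan, of a small detector that reads charon log lines, pairs each "sending packet: from ..." line with the socket error that follows it, and reports when the source address charon used no longer matches the address the WAN interface currently holds. The log lines below are constructed for the example; the socket error text is the one quoted in the report, while the "sending packet" line format and the assumption that the caller supplies the live WAN address (for instance read from the interface on the firewall) are assumptions of the example, not facts from the ticket.

```python
import re
from ipaddress import ip_address

# Constructed sample charon log excerpt (not the reporter's log file).
# The "error writing to socket" message is the text quoted in the report.
SAMPLE_LOG = """\
Feb 12 10:01:02 charon: 09[NET] sending packet: from 203.0.113.10[500] to 198.51.100.7[500] (464 bytes)
Feb 12 10:01:02 charon: 09[NET] error writing to socket: Can't assign requested address
Feb 12 10:01:06 charon: 11[IKE] sending DPD request
Feb 12 10:01:06 charon: 11[NET] sending packet: from 203.0.113.10[500] to 198.51.100.7[500] (80 bytes)
Feb 12 10:01:06 charon: 11[NET] error writing to socket: Can't assign requested address
"""

# Assumed line shape for charon's outbound packet message: "from <ip>[port] to <ip>[port]".
SEND_RE = re.compile(r"sending packet: from (\S+)\[\d+\] to (\S+)\[\d+\]")
SOCKET_ERR = "error writing to socket: Can't assign requested address"


def find_stale_source(log_lines, current_wan_ip):
    """Return a list of (line_number, stale_source_ip) for every socket error
    that followed a send attempt from an address other than the live WAN IP.

    current_wan_ip is supplied by the caller (assumption: read from the WAN
    interface on the firewall); the function itself stays offline.
    """
    wan = ip_address(current_wan_ip)
    findings = []
    last_src = None
    for number, line in enumerate(log_lines, 1):
        match = SEND_RE.search(line)
        if match:
            # Remember the local address charon tried to send from.
            last_src = match.group(1)
            continue
        if SOCKET_ERR in line and last_src is not None and ip_address(last_src) != wan:
            findings.append((number, last_src))
    return findings


def needs_reload(log_text, current_wan_ip, threshold=2):
    """True when the stale-address condition repeats at least `threshold` times,
    i.e. charon was evidently not told about the address change."""
    return len(find_stale_source(log_text.splitlines(), current_wan_ip)) >= threshold


if __name__ == "__main__":
    # Scenario from the report: the WAN came back with a different address,
    # but charon is still using the old one.
    for number, stale in find_stale_source(SAMPLE_LOG.splitlines(), "203.0.113.55"):
        print(f"line {number}: charon still sending from stale address {stale}")
    print("reload advised:", needs_reload(SAMPLE_LOG, "203.0.113.55"))
```

Run against the real charon log (for example via syslog) with the address currently bound to the WAN interface, the check distinguishes the case the reporter hit, a stale source address, from an ordinary peer outage, which produces DPD timeouts without the "Can't assign requested address" error. The threshold avoids acting on a single transient error during the moment the interface is being reconfigured.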
Updated by Sam Bernard almost 10 years ago
Just wondering if this could be related to Bug 4353.