Package: strongswan
Version: 4.2.4-5
Severity: normal
This is a strange situation caused by an unknown reason. I have configured a
simple and symmetric site-to-site tunnel like this:

conn %default
        ikelifetime = 15m
        keylife = 5m
        rekeymargin = 1m
        keyingtries = 1

conn SUN-MOON
        leftcert = sunCert.pem
        left = 192.168.1.1
        leftsubnet = 192.168.2.0/24
        rightcert = moonCert.pem
        right = 192.168.3.1
        rightsubnet = 192.168.4.0/24
        keyexchange = ikev2
        auto = start

A similar configuration is on the other side. There is no problem when the
connection is initiated from one side of the tunnel, and the VPN works fine. But
if it is originated from the other side, the following scenario unfolds. The
first time ipsec is started, the tunnel is built and works as it should. It
successfully rekeys a few times at the keylife period. But when ikelifetime
expires, the tunnel is destroyed and rebuilt again repeatedly in an endless loop.
Analyzing the syslog, I have found that the only difference between the two
sides is this strange message:
charon: 08[IKE] reauthenticating IKE_SA due address change
If this means IP address then it is not true: no address changed. I have tried
to reproduce this situation on virtual machines with the closest possible
network configuration, without success. Changing interfaces, firewall and
default route has no effect. Adding mobike = no to the config causes this
endless loop immediately after ipsec starts up. I can't find the source of the
problem.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
Shell: /bin/sh linked to /bin/bash
Versions of packages strongswan depends on:
ii bsdmainutils 6.1.10 collection of more utilities from
ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy
ii debianutils 2.30 Miscellaneous utilities specific t
ii host 20000331-9 utility for querying DNS servers
ii iproute 20080725-2 networking and traffic control too
ii ipsec-tools 1:0.7.1-1.2 IPsec tools for Linux
ii libc6 2.7-16 GNU C Library: Shared libraries
ii libgmp3c2 2:4.2.2+dfsg-3 Multiprecision arithmetic library
ii libldap-2.4-2 2.4.11-1 OpenLDAP libraries
ii libssl0.9.8 0.9.8g-14 SSL shared libraries
ii openssl 0.9.8g-14 Secure Socket Layer (SSL) binary a
strongswan recommends no packages.
Versions of packages strongswan suggests:
ii curl 7.18.2-7 Get a file from an HTTP, HTTPS or
-- debconf information excluded
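
One way to spot the loop described in the report from syslog, as an added example (not part of the original report and not strongSwan code): it flags a host that logs the quoted charon message repeatedly with gaps shorter than any reauthentication the configured ikelifetime could schedule. The syslog prefix, hostnames, timestamps and function names are assumptions, as is rekeyfuzz being left at 100%.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Timers taken from the report's ipsec.conf.
IKELIFETIME = timedelta(minutes=15)
REKEYMARGIN = timedelta(minutes=1)
# Assumption: rekeyfuzz is left at 100%, so a lifetime-driven
# reauthentication is scheduled no earlier than ikelifetime - 2 * rekeymargin.
EARLIEST_SCHEDULED = IKELIFETIME - 2 * REKEYMARGIN

# Traditional syslog prefix (assumed) followed by the message quoted in the report.
REAUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"charon: \d+\[IKE\] reauthenticating IKE_SA due address change")

def reauth_events(lines, year=2008):
    """Return {host: [datetime, ...]} for address-change reauthentications."""
    events = defaultdict(list)
    for line in lines:
        m = REAUTH_RE.match(line)
        if m:
            stamp = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["host"]].append(stamp)
    return events

def find_reauth_loops(lines, min_events=3):
    """Hosts with at least min_events hits, every gap below EARLIEST_SCHEDULED."""
    loops = {}
    for host, stamps in reauth_events(lines).items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_events and all(g < EARLIEST_SCHEDULED for g in gaps):
            loops[host] = gaps
    return loops

# Constructed sample lines (hostnames and timestamps are made up).
SAMPLE = [
    "Oct 13 10:14:02 sun charon: 08[IKE] reauthenticating IKE_SA due address change",
    "Oct 13 10:14:09 sun charon: 11[IKE] reauthenticating IKE_SA due address change",
    "Oct 13 10:14:17 sun charon: 05[IKE] reauthenticating IKE_SA due address change",
    "Oct 13 10:00:40 moon charon: 03[IKE] reauthenticating IKE_SA due address change",
    "Oct 13 10:14:20 sun kernel: unrelated line",
]

if __name__ == "__main__":
    for host, gaps in find_reauth_loops(SAMPLE).items():
        print(host, [int(g.total_seconds()) for g in gaps])
```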