Hello all

We use the old (pluto-) updown scripts to add or delete GRE tunnels inside VPN 
tunnels.

/etc/ipsec.conf looks like this:
conn chbet2_aa
        left=10.10.110.1
        leftupdown="sudo /opt/usp/vpn/bin/updown.sh"
        right=10.10.120.1
        ike=aes128-sha1-modp2048
        esp=aes128-sha1-modp2048
        ikelifetime=3h
        keylife=1h
        dpddelay=10
        dpdtimeout=300
        dpdaction=restart
        rekey=yes
        authby=secret
        type=transport
        keyexchange=ikev1
        auto=start

/opt/usp/vpn/bin/updown.sh:
...
up-host:)
        log_syslog "Starting gre tunnel chbet2_aa"
        ip tunnel add chbet2_aa mode any local 10.10.110.1 remote 10.10.120.1 ttl 225 tos inherit
        ip link set chbet2_aa up multicast on mtu 1356
        ip addr add 10.254.10.1 peer 10.254.10.2/32 dev chbet2_aa
        ;;
down-host:)
        log_syslog "Stopping gre tunnel chbet2_aa"
        ip link set chbet2_aa down
        ip tunnel del chbet2_aa
        ;;
...

With Strongswan v4 we don't have any problems. With Strongswan v5 
(U5.2.1/K3.14.17-SMP), sometimes when a rekey happens (not sure when exactly) the 
down-script will be executed, but not the up-script.

2014-11-06 02:44:40 chbet1fw01 charon: 09[IKE] <chbet2_aa|79> closing CHILD_SA 
chbet2_aa{3} with SPIs c9e5d10b_i (0 bytes) c5c00be6_o (216656 bytes) and TS 
10.10.110.1 === 10.10.120.1
2014-11-06 02:44:40 chbet1fw01 updown.sh: Stopping gre tunnel chbet2_aa
2014-11-06 02:45:39 chbet1fw01 charon: 12[IKE] <chbet2_aa|79> CHILD_SA 
chbet2_aa{3} established with SPIs cf6022da_i cf5223e2_o and TS 10.10.110.1 === 
10.10.120.1

But in most cases, the up-host commands will be executed!

I think it has something to do with the code here:

src/libcharon/sa/ikev2/tasks/child_create.c:
METHOD(task_t, build_r, status_t,
        private_child_create_t *this, message_t *message) {
        ...
        if (!this->rekey)
        {       /* invoke the child_up() hook if we are not rekeying */
                charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
        }
        ...
}

Or here:

src/libcharon/sa/ikev1/tasks/quick_mode.c:
static bool install(private_quick_mode_t *this) {
        ...
        if (old)
        {
                charon->bus->child_rekey(charon->bus, old, this->child_sa);
        }
        else
        {
                charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
        }
        ...
}

We have played with the options "rekey" and "reauth", but it doesn't change 
anything.

Do you have any idea, what the problem might be?

Thank you very much for any help.

Best regards
Elmar

P.S. Sorry for the crosspost in the users mailing list yesterday, I had 
selected the wrong email address.
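An added example, not Elmar's script and not part of strongSwan: an updown script whose up-host and down-host handling is idempotent, so that a down-host without a matching up-host (the symptom described above), or an up-host while the device still exists, never leaves the GRE device in a state that a later call cannot repair. It relies on the PLUTO_VERB, PLUTO_CONNECTION, PLUTO_ME and PLUTO_PEER variables that charon's updown plugin exports; the tunnel mode (gre), the per-connection inner-address mapping, the log_syslog helper and the DRY_RUN/NET_SYSFS hooks are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the script from the post, not strongSwan code): idempotent
# up-host/down-host handling for an updown script. charon's updown plugin exports
# PLUTO_VERB, PLUTO_CONNECTION, PLUTO_ME and PLUTO_PEER; everything else below is
# an assumption made for this example.

NET_SYSFS=${NET_SYSFS:-/sys/class/net}   # where device existence is checked (overridable for tests)
DRY_RUN=${DRY_RUN:-0}                    # 1: print the ip commands instead of running them
TUN_MODE=${TUN_MODE:-gre}                # assumption: plain GRE, as the post describes
TUN_TTL=${TUN_TTL:-225}
TUN_MTU=${TUN_MTU:-1356}

# Assumed helper: the post uses log_syslog without showing its definition.
log_syslog() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*" >&2
    else
        logger -t updown.sh -- "$*"
    fi
}

# Execute a command, or only echo it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

tunnel_exists() {
    [ -e "$NET_SYSFS/$1" ]
}

# Inner (tunnel) addresses per connection; constructed from the post's values.
inner_addrs() {
    case "$1" in
        chbet2_aa) echo "10.254.10.1 10.254.10.2/32" ;;
        *) return 1 ;;
    esac
}

# $1 device (= connection name), $2 local outer address, $3 remote outer address
tunnel_up() {
    if tunnel_exists "$1"; then
        log_syslog "gre tunnel $1 already present, nothing to do"
        return 0
    fi
    addrs=$(inner_addrs "$1") || { log_syslog "no inner addresses for $1"; return 1; }
    set -- "$1" "$2" "$3" $addrs    # $4 local inner address, $5 peer inner address
    log_syslog "Starting gre tunnel $1"
    run ip tunnel add "$1" mode "$TUN_MODE" local "$2" remote "$3" ttl "$TUN_TTL" tos inherit
    run ip link set "$1" up multicast on mtu "$TUN_MTU"
    run ip addr add "$4" peer "$5" dev "$1"
}

tunnel_down() {
    if ! tunnel_exists "$1"; then
        log_syslog "gre tunnel $1 not present, nothing to do"
        return 0
    fi
    log_syslog "Stopping gre tunnel $1"
    run ip link set "$1" down
    run ip tunnel del "$1"
}

# $1 PLUTO_VERB, $2 PLUTO_CONNECTION, $3 PLUTO_ME, $4 PLUTO_PEER
updown() {
    case "$1" in
        up-host)   tunnel_up "$2" "$3" "$4" ;;
        down-host) tunnel_down "$2" ;;
        *)         return 0 ;;   # transport mode: no client verbs to handle
    esac
}

# Entry point when charon invokes the script; skipped when the file is sourced.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown "$PLUTO_VERB" "$PLUTO_CONNECTION" "$PLUTO_ME" "$PLUTO_PEER"
fi
```

Because each verb first checks /sys/class/net for the device, a second up-host after a lost one, or an operator re-running `PLUTO_VERB=up-host PLUTO_CONNECTION=chbet2_aa PLUTO_ME=10.10.110.1 PLUTO_PEER=10.10.120.1 ./updown.sh` by hand, converges to the right state instead of failing on "file exists" or "no such device".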
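A detection-side counterpart, added here and not part of the post or of strongSwan: a small awk check over the charon and updown.sh syslog lines that flags exactly the condition shown in the log above, a CHILD_SA re-established after the down-host hook ran while no up-host hook followed, which is when the GRE device is missing although the SA is up. The embedded sample reuses the three log lines from the post and adds a constructed healthy rekey for a second connection (chbet3_bb, with placeholder SPIs) for contrast; the function names and the output format are this example's own.

```shell
#!/bin/sh
# Added example (not from the post, not strongSwan code): find connections whose
# down-host hook ran, whose CHILD_SA was then re-established, and whose up-host
# hook never ran afterwards. Log lines are read on stdin.

find_orphaned_downs() {
    awk '
    # down-host hook ran: remember when, and forget any earlier establishment
    /updown\.sh: Stopping gre tunnel/ { c = $NF; down[c] = $1 " " $2; delete est[c]; next }
    # up-host hook ran: the device is back, clear all pending state
    /updown\.sh: Starting gre tunnel/ { c = $NF; delete down[c]; delete est[c]; next }
    # CHILD_SA established while the device is still down: record the time
    /CHILD_SA [^ ]+ established/ {
        for (i = 1; i < NF; i++) if ($i == "CHILD_SA") { c = $(i + 1); sub(/[{].*/, "", c) }
        if (c in down) est[c] = $1 " " $2
        next
    }
    END {
        for (c in down) if (c in est)
            printf "%s: tunnel down since %s, CHILD_SA re-established %s, up-host never ran\n", c, down[c], est[c]
    }' | sort
}

# Sample input: the three lines from the post, followed by a constructed healthy
# rekey of a second connection (chbet3_bb, placeholder SPIs) that must not be flagged.
SAMPLE_LOG='2014-11-06 02:44:40 chbet1fw01 charon: 09[IKE] <chbet2_aa|79> closing CHILD_SA chbet2_aa{3} with SPIs c9e5d10b_i (0 bytes) c5c00be6_o (216656 bytes) and TS 10.10.110.1 === 10.10.120.1
2014-11-06 02:44:40 chbet1fw01 updown.sh: Stopping gre tunnel chbet2_aa
2014-11-06 02:45:39 chbet1fw01 charon: 12[IKE] <chbet2_aa|79> CHILD_SA chbet2_aa{3} established with SPIs cf6022da_i cf5223e2_o and TS 10.10.110.1 === 10.10.120.1
2014-11-06 03:10:02 chbet1fw01 charon: 05[IKE] <chbet3_bb|80> closing CHILD_SA chbet3_bb{4} with SPIs 00000001_i (0 bytes) 00000002_o (0 bytes) and TS 10.10.110.1 === 10.10.130.1
2014-11-06 03:10:02 chbet1fw01 updown.sh: Stopping gre tunnel chbet3_bb
2014-11-06 03:10:03 chbet1fw01 charon: 05[IKE] <chbet3_bb|80> CHILD_SA chbet3_bb{4} established with SPIs 00000003_i 00000004_o and TS 10.10.110.1 === 10.10.130.1
2014-11-06 03:10:03 chbet1fw01 updown.sh: Starting gre tunnel chbet3_bb'

# Run the check over the embedded sample.
check_sample() {
    printf '%s\n' "$SAMPLE_LOG" | find_orphaned_downs
}

# Stand-alone use: ./check_updown.sh --sample, or pipe a syslog extract into
# find_orphaned_downs from another script.
if [ "${1:-}" = "--sample" ]; then
    check_sample
fi
```

Run against a live syslog extract (`grep -E 'charon|updown.sh' /var/log/syslog | sh -c '. ./check_updown.sh; find_orphaned_downs'`) the output is one line per connection that currently has an SA but no GRE device, which is the set of tunnels worth re-running the up-host hook for.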

Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev