Hi strongSwan team, I encounter unexpected IKE-SA reauthentications whenever something changes in the routing table:
Connections are configured on a multihomed machine, so that left is a permanent address configured on a user loopback interface (Linux dummy interface), precisely to be independent of routing. MOBIKE is disabled.

Whenever a change occurs in the routing table, charon verifies for all IKE_SAs that the path to the remote peer is still valid. This verification, performed by the ike_sa.roam() method, always concludes that the path is no longer valid, and triggers a reauth.

In fact the definition of "valid" is quite restrictive: ike_sa.roam() invokes is_current_path_valid(this), which performs a route lookup to the peer address and checks that the route's "preferred source address" is equal to the IKE_SA local address. This is not the case here, because the IKE_SA local address is not configured on the output interface.

I understand that when MOBIKE is enabled or when left is %any, we want to check whether we can find a better source address to reach the peer. But when MOBIKE is disabled and the source address is explicitly specified in the configuration, the existence of a valid route to the peer should be enough, whatever "preferred source address" the routing table suggests.

Is there a way to avoid this undesirable reauthentication (without ignoring routing events)?

Christophe

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
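To see the comparison the post describes on a concrete host, here is an added example (not strongSwan code, and not from the original message) that reproduces the "preferred source address equals IKE_SA local address" test over the output of `ip route get`. The route line, the peer address 203.0.113.5 and the local address 198.51.100.1 are constructed for illustration; on a live Linux system you would feed it the first line of `ip route get <peer>` instead.

```shell
#!/bin/sh
# Mimic the path check described in the post: look at the route the kernel
# picks for the peer and compare its preferred source ("src") with the
# address the IKE_SA is bound to. Whether charon's is_current_path_valid()
# does exactly this is taken from the post, not verified against its source.

# Extract the "src" field from one line of `ip route get <peer>` output.
route_src() {
    printf '%s\n' "$1" | sed -n 's/.* src \([^ ]*\).*/\1/p'
}

# Return 0 when the route's preferred source equals the IKE_SA local
# address (path considered valid), 1 otherwise (roam() would reauth).
path_valid() {
    [ "$(route_src "$1")" = "$2" ]
}

# Constructed sample: the peer is reached through eth0, so the kernel
# prefers eth0's address, but the IKE_SA uses an address configured on a
# dummy interface (the "left" of the post). Real output would be obtained
# with: ip route get 203.0.113.5 | head -n1
ROUTE_LINE='203.0.113.5 via 192.0.2.1 dev eth0 src 192.0.2.10 uid 0'
LOCAL_ADDR='198.51.100.1'

if path_valid "$ROUTE_LINE" "$LOCAL_ADDR"; then
    echo "path valid: no reauth expected"
else
    echo "preferred src $(route_src "$ROUTE_LINE") != local $LOCAL_ADDR:" \
         "the path check fails, so a routing event would trigger reauth"
fi
```

Running this against the kernel's actual answer for each peer tells you in advance which IKE_SAs will fail the check after the next routing change: every SA whose local address differs from the `src` the kernel reports for its peer.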
