Hello,

Does anyone recognise this as a known issue? If no solution, shall I
enter this into the bugtracker?

Re-activation of child SA connections fails after physical Disconnect in
IKE1 mode.

I have one IKE SA and seven child SAs routed towards one remote peer (in
responder mode). 
The local node is set to "auto=start" and "keyingtries=%forever".

1) I physically disconnect the ethernet cable, and get an "asynchronous
network error".
All child SA connections go to the inactive (down) state.

2) Reconnect the cable and ONLY child SA 0 and 7 recover. SA 2 to 6 stay
in inactive state.

3) TRACE

OCT# ipsec status
000 "conn1": 192.168.205.0/24===192.168.205.201:17/500...192.168.205.102:17/500===192.168.205.0/24; erouted; eroute owner: #195
000 "conn1":   newest ISAKMP SA: #1; newest IPsec SA: #195;
000 "conn2": 192.168.206.0/24===192.168.205.201:17/500...192.168.205.102:17/500===192.168.206.0/24; prospective erouted; eroute owner: #0
000 "conn2":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "conn3": 192.168.207.0/24===192.168.205.201:17/500...192.168.205.102:17/500===192.168.207.0/24; prospective erouted; eroute owner: #0
000 "conn3":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "conn4": 192.168.208.0/24===192.168.205.201:17/501...192.168.205.102:17/501===192.168.208.0/24; prospective erouted; eroute owner: #0
000 "conn4":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "conn5": 192.168.209.0/24===192.168.205.201:17/502...192.168.205.102:17/502===192.168.209.0/24; prospective erouted; eroute owner: #0
000 "conn5":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "conn6": 192.168.210.0/24===192.168.205.201:17/503...192.168.205.102:17/503===192.168.210.0/24; prospective erouted; eroute owner: #0
000 "conn6":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "conn7": 192.168.211.0/24===192.168.205.201:17/504...192.168.205.102:17/504===192.168.211.0/24; erouted; eroute owner: #196
000 "conn7":   newest ISAKMP SA: #194; newest IPsec SA: #196;
000
000 #195: "conn1" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 701s; newest IPSEC; eroute owner
000 #195: "conn1" esp.d9116...@192.168.205.102 (0 bytes) esp.52d5c...@192.168.205.201 (0 bytes); tunnel
000 #1: "conn1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 75486s; newest ISAKMP
000 #196: "conn7" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 165s; newest IPSEC; eroute owner
000 #196: "conn7" esp.f7fb9...@192.168.205.102 (0 bytes) esp.d98c5...@192.168.205.201 (0 bytes); tunnel


4) I need to issue the ipsec restart command to re-activate the other
connections.


best regards,

Steve
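
An added example, not part of the original post: a small monitor that parses `ipsec status` output in the format shown in the trace and lists the connections left without an IPsec SA after a link flap, so the condition can be alerted on instead of noticed by hand. The function names and the embedded sample (constructed from the trace, in its mail-wrapped form) are assumptions of this example.

```python
import re

# Excerpt constructed from the trace in the post (conn1, conn2, conn7),
# kept hard-wrapped the way a mail client breaks it, to exercise unwrap().
SAMPLE = """\
000 "conn1":
192.168.205.0/24===192.168.205.201:17/500...192.168.205.102:17/500===192
.168.205.0/24; erouted; eroute owner: #195
000 "conn1":   newest ISAKMP SA: #1; newest IPsec SA: #195;
000 "conn2":
192.168.206.0/24===192.168.205.201:17/500...192.168.205.102:17/500===192
.168.206.0/24; prospective erouted; eroute owner: #0
000 "conn2":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "conn7":
192.168.211.0/24===192.168.205.201:17/504...192.168.205.102:17/504===192
.168.211.0/24; erouted; eroute owner: #196
000 "conn7":   newest ISAKMP SA: #194; newest IPsec SA: #196;
"""

# Two per-connection line shapes seen in the trace: routing line and "newest SA" line.
ROUTE_RE = re.compile(r'^000 "(?P<conn>[^"]+)":\s*\S+; (?P<route>[^;]+); eroute owner: #(?P<owner>\d+)')
NEWEST_RE = re.compile(r'^000 "(?P<conn>[^"]+)":\s*newest ISAKMP SA: #(?P<isakmp>\d+); newest IPsec SA: #(?P<ipsec>\d+)')

def unwrap(text):
    """Rejoin hard-wrapped output: every real status line starts with '000'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("000") or not lines:
            lines.append(raw.rstrip())
        else:
            lines[-1] += raw.strip()   # continuation of the previous line
    return lines

def parse_status(text):
    """Return {conn: {route, eroute_owner, isakmp_sa, ipsec_sa}}."""
    conns = {}
    for line in unwrap(text):
        m = ROUTE_RE.match(line)
        if m:
            conns.setdefault(m["conn"], {}).update(route=m["route"], eroute_owner=int(m["owner"]))
        m = NEWEST_RE.match(line)
        if m:
            conns.setdefault(m["conn"], {}).update(isakmp_sa=int(m["isakmp"]), ipsec_sa=int(m["ipsec"]))
    return conns

def stuck_connections(text):
    """Connections whose newest IPsec SA is #0, as for the ones that stayed down in the trace."""
    return sorted(n for n, c in parse_status(text).items() if c.get("ipsec_sa") == 0)
```

Feeding it the captured output of `ipsec status` on a timer and alerting when `stuck_connections` stays non-empty after the link returns gives an early signal of the state described in step 2.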
