Re: [strongSwan] updown - server which disconnects one roadwarrior when another connects
Hi,

Sorry for the mistake.

Kind regards

Noel

On 28.09.20 at 11:52, Tobias Brunner wrote:
> Hi,
>
>> up-client is called for each combination of remote ts and local ts
>> components, as is down-client, when a CHILD_SA is established/destroyed.
>> So when a CHILD_SA is rekeyed, both are called in the order the CHILD_SAs
>> are negotiated/destroyed.
>
> The updown script is *not* called for IKE or CHILD_SA rekeyings.
> However, if reauthentication is used with IKEv2, the script will be
> called as new CHILD_SAs are created. A down-event will be called either
> before or after the reauthentication and the corresponding up-event,
> depending on whether make-before-break reauthentication is used by the
> client, see [1].
>
> By the way, the VICI interface does expose the ike/child-rekey events.
> But reauthentication is not handled differently.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
Re: [strongSwan] updown - server which disconnects one roadwarrior when another connects
Hi,

> Is that behavior controllable somehow, configured somewhere
> - would you know?
> Or is it the user/admin who must take care of this
> 'issue/phenomenon' via the 'updown' script and the script alone?

Not controllable, you need to deal with it in the script.

Kind regards

Noel

On 28.09.20 at 11:35, lejeczek wrote:
> On 28/09/2020 10:05, Noel Kuntze wrote:
>> Hi,
>>
>> up-client is called for each combination of remote ts and local ts
>> components, as is down-client, when a CHILD_SA is established/destroyed.
>> So when a CHILD_SA is rekeyed, both are called in the order the CHILD_SAs
>> are negotiated/destroyed.
>>
>> Kind regards
>>
>> Noel
>>
>> On 28.09.20 at 10:58, lejeczek wrote:
>>> Hi guys.
>>>
>>> I have a strongswan with 'updown' which controls tunnels,
>>> routes, etc. I took the script from doc examples and built
>>> upon it.
>>> What is totally perplexing to me is that the script shows
>>> that when one roadwarrior is connected and another one is
>>> connecting, the server invokes 'down-client', which then
>>> removes - as the updown script dictates - the tunnel of the
>>> already connected roadwarrior.
>>> Here is a snippet of the log from the 'updown' script, at the
>>> moment when the new roadwarrior connects:
>>> ...
>>> RUN
>>> vti113 - down-client
>>> Mon Sep 28 09:47:20 BST 2020
>>> ip tunnel del vti113
>>> ip route del 10.3.1.12/32 dev vti113
>>>
>>> RUN
>>> vti114 - up-client
>>> Mon Sep 28 09:47:21 BST 2020
>>> ip tunnel add vti114 local X.X.X.X remote Z.Z.Z.Z mode vti
>>> key 11
>>> ip link set vti114 mtu 1400 up
>>> ...
>>>
>>> The 'updown' script has nothing to do with that, right?
>>> Why would the server do that 'down-client'?
>>>
>>> many thanks, L.
>>>
> Thanks man for explaining that.
> Is that behavior controllable somehow, configured somewhere
> - would you know?
> Or is it the user/admin who must take care of this
> 'issue/phenomenon' via the 'updown' script and the script alone?
>
> many thanks, L.
Re: [strongSwan] updown - server which disconnects one roadwarrior when another connects
Hi,

up-client is called for each combination of remote ts and local ts
components, as is down-client, when a CHILD_SA is established/destroyed.
So when a CHILD_SA is rekeyed, both are called in the order the CHILD_SAs
are negotiated/destroyed.

Kind regards

Noel

On 28.09.20 at 10:58, lejeczek wrote:
> Hi guys.
>
> I have a strongswan with 'updown' which controls tunnels,
> routes, etc. I took the script from doc examples and built
> upon it.
> What is totally perplexing to me is that the script shows
> that when one roadwarrior is connected and another one is
> connecting, the server invokes 'down-client', which then
> removes - as the updown script dictates - the tunnel of the
> already connected roadwarrior.
> Here is a snippet of the log from the 'updown' script, at the
> moment when the new roadwarrior connects:
> ...
> RUN
> vti113 - down-client
> Mon Sep 28 09:47:20 BST 2020
> ip tunnel del vti113
> ip route del 10.3.1.12/32 dev vti113
>
> RUN
> vti114 - up-client
> Mon Sep 28 09:47:21 BST 2020
> ip tunnel add vti114 local X.X.X.X remote Z.Z.Z.Z mode vti
> key 11
> ip link set vti114 mtu 1400 up
> ...
>
> The 'updown' script has nothing to do with that, right?
> Why would the server do that 'down-client'?
>
> many thanks, L.
Re: [strongSwan] updown - server which disconnects one roadwarrior when another connects
On 28/09/2020 10:52, Tobias Brunner wrote:
> Hi,
>
>> up-client is called for each combination of remote ts and local ts
>> components, as is down-client, when a CHILD_SA is established/destroyed.
>> So when a CHILD_SA is rekeyed, both are called in the order the CHILD_SAs
>> are negotiated/destroyed.
>
> The updown script is *not* called for IKE or CHILD_SA rekeyings.
> However, if reauthentication is used with IKEv2, the script will be
> called as new CHILD_SAs are created. A down-event will be called either
> before or after the reauthentication and the corresponding up-event,
> depending on whether make-before-break reauthentication is used by the
> client, see [1].
>
> By the way, the VICI interface does expose the ike/child-rekey events.
> But reauthentication is not handled differently.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey

Thanks.
Okay, if I may repeat my question - is that behavior controllable
somehow, configured somewhere, or is it all on the script?
In case the config does the trick - here is what I have on the server's end:

connections {
    jatymy {
        version = 2
        dpd_delay = 300s
        fragmentation = "yes"
        pools = "dhcp"
        local {
            certs = "jatymy-vpnserver.cert.der"
            id = "%any"
        }
        remote {
        }
        children {
            jatymy {
                updown = "/usr/libexec/strongswan/vti-iface server"
                mark_in = 11
                mark_out = 11
                local_ts = "10.3.1.0/24"
                start_action = "start"
                mode = pass
            }
        }
    }
}

many thanks, L.
Re: [strongSwan] updown - server which disconnects one roadwarrior when another connects
Hi,

> up-client is called for each combination of remote ts and local ts
> components, as is down-client, when a CHILD_SA is established/destroyed.
> So when a CHILD_SA is rekeyed, both are called in the order the CHILD_SAs
> are negotiated/destroyed.

The updown script is *not* called for IKE or CHILD_SA rekeyings.
However, if reauthentication is used with IKEv2, the script will be
called as new CHILD_SAs are created. A down-event will be called either
before or after the reauthentication and the corresponding up-event,
depending on whether make-before-break reauthentication is used by the
client, see [1].

By the way, the VICI interface does expose the ike/child-rekey events.
But reauthentication is not handled differently.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
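Added example, not code from this thread or from the strongSwan project: an updown script for VTI interfaces that survives the reauthentication up/down pair Tobias describes above, which is the "deal with it in the script" that Noel's reply earlier in the thread points to. strongSwan runs the script once per local/remote traffic-selector combination with PLUTO_VERB set to up-client or down-client, and on IKEv2 reauthentication the new CHILD_SA's up-event and the old CHILD_SA's down-event arrive in either order depending on whether the client does make-before-break. The script keeps a per-interface reference count, so the down-event for the old CHILD_SA does not tear down an interface the new CHILD_SA is already using. Assumptions that are not in the thread: the interface name is derived from PLUTO_REQID (so the old and new CHILD_SA of one client map to the same name), the VTI key is taken from PLUTO_MARK_OUT, state files live under STATE_DIR, and DRY_RUN=1 echoes the ip(8) commands instead of running them.

```shell
#!/bin/sh
# Added example (not the script from the thread): reference-counted
# updown script for VTI interfaces. strongSwan sets PLUTO_VERB, PLUTO_REQID,
# PLUTO_ME, PLUTO_PEER, PLUTO_PEER_CLIENT and PLUTO_MARK_OUT in the
# environment before invoking it.
#
# Assumptions (not from the thread): one VTI per reqid, VTI key taken from
# the mark in PLUTO_MARK_OUT, state kept in STATE_DIR, DRY_RUN=1 for testing.

STATE_DIR="${STATE_DIR:-/run/strongswan-vti}"
MTU="${VTI_MTU:-1400}"

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Interface name for a CHILD_SA: derived from its reqid (assumption).
iface_name() {
    printf 'vti%s' "$1"
}

# Current reference count for an interface, 0 if no state file exists.
refcount() {
    if [ -f "$STATE_DIR/$1" ]; then cat "$STATE_DIR/$1"; else echo 0; fi
}

# Increment the count. Succeeds (exit 0) only on the first up-event,
# i.e. when the interface actually has to be created.
ref_acquire() {
    mkdir -p "$STATE_DIR"
    n=$(refcount "$1")
    n=$((n + 1))
    echo "$n" > "$STATE_DIR/$1"
    [ "$n" -eq 1 ]
}

# Decrement the count. Succeeds (exit 0) only when it reaches zero,
# i.e. when the last CHILD_SA using the interface is gone.
ref_release() {
    n=$(refcount "$1")
    if [ "$n" -le 1 ]; then
        rm -f "$STATE_DIR/$1"
        return 0
    fi
    echo $((n - 1)) > "$STATE_DIR/$1"
    return 1
}

# Entry point driven by the PLUTO_* environment. On up-client the interface
# is created only for the first CHILD_SA that maps to it; the peer route is
# (re)installed on every up-event. On down-client the interface is deleted
# only when the count drops to zero, which also drops its routes, so the
# reauth sequence up(new) then down(old) leaves the interface in place.
updown() {
    ifname=$(iface_name "$PLUTO_REQID")
    case "$PLUTO_VERB" in
        up-client)
            if ref_acquire "$ifname"; then
                # PLUTO_MARK_OUT is "mark/mask"; the VTI key needs the mark only.
                run ip tunnel add "$ifname" local "$PLUTO_ME" remote "$PLUTO_PEER" \
                    mode vti key "${PLUTO_MARK_OUT%%/*}"
                run ip link set "$ifname" mtu "$MTU" up
            fi
            run ip route replace "$PLUTO_PEER_CLIENT" dev "$ifname"
            ;;
        down-client)
            if ref_release "$ifname"; then
                run ip tunnel del "$ifname"
            fi
            ;;
    esac
}

# Only act when invoked by charon (PLUTO_VERB set); sourcing the file for
# tests leaves the functions defined without touching the system.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown
fi
```

Point the child's `updown` option at this file and confirm with `swanctl --list-sas`, which prints each CHILD_SA's reqid, that the old and new CHILD_SA of a reauthenticating client really map to the same interface name; if your naming scheme gives them different names there is no conflict to begin with, and a break-before-make client simply drives the count to zero and back to one. Clear STATE_DIR when charon starts, otherwise a stale count left by a crash would keep an interface from ever being removed.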
Re: [strongSwan] updown - server which disconnects one roadwarrior when another connects
On 28/09/2020 10:05, Noel Kuntze wrote:
> Hi,
>
> up-client is called for each combination of remote ts and local ts
> components, as is down-client, when a CHILD_SA is established/destroyed.
> So when a CHILD_SA is rekeyed, both are called in the order the CHILD_SAs
> are negotiated/destroyed.
>
> Kind regards
>
> Noel
>
> On 28.09.20 at 10:58, lejeczek wrote:
>> Hi guys.
>>
>> I have a strongswan with 'updown' which controls tunnels,
>> routes, etc. I took the script from doc examples and built
>> upon it.
>> What is totally perplexing to me is that the script shows
>> that when one roadwarrior is connected and another one is
>> connecting, the server invokes 'down-client', which then
>> removes - as the updown script dictates - the tunnel of the
>> already connected roadwarrior.
>> Here is a snippet of the log from the 'updown' script, at the
>> moment when the new roadwarrior connects:
>> ...
>> RUN
>> vti113 - down-client
>> Mon Sep 28 09:47:20 BST 2020
>> ip tunnel del vti113
>> ip route del 10.3.1.12/32 dev vti113
>>
>> RUN
>> vti114 - up-client
>> Mon Sep 28 09:47:21 BST 2020
>> ip tunnel add vti114 local X.X.X.X remote Z.Z.Z.Z mode vti
>> key 11
>> ip link set vti114 mtu 1400 up
>> ...
>>
>> The 'updown' script has nothing to do with that, right?
>> Why would the server do that 'down-client'?
>>
>> many thanks, L.
>>

Thanks man for explaining that.
Is that behavior controllable somehow, configured somewhere
- would you know?
Or is it the user/admin who must take care of this
'issue/phenomenon' via the 'updown' script and the script alone?

many thanks, L.