Hi Paul,
I've had another look at the logs I sent directly to you yesterday, and
it looks like the change of the remote IP successfully renegotiated the
conn initiated by the other end (Draytek). It is just our end which
keeps initiating the conn with the old IP address. You can see the
correct conn rekeying every 50min or so, but libreswan also initiates to
the old IP address every 1min 4s. It does not happen all the time as the
remote IP address changed again last night without any issues.
I've restarted ipsec with plutodebug=all.
Regards,
Nick
On 22/06/2017 21:24, Nick Howitt wrote:
> On 22/06/2017 21:07, Paul Wouters wrote:
>> On Thu, 22 Jun 2017, Nick Howitt wrote:
>>> Originally the "roadwarrior" setup was that one end would never
>>> initiate or rekey. This was done with auto=add and rekey=no, and
>>> possibly also setting DPD to clear (and implicitly wait for the
>>> other end to re-initiate). Somehow a way must be found again to
>>> stop the listening end initiating even if it means adding a
>>> further parameter. I think that the changes have introduced a
>>> significant interop problem and make my conn unreliable. I hardly
>>> use it but it has been rekeying for days and I only noticed it
>>> because of the size of the log file. In my case you can even argue
>>> it is rekeying to the wrong IP as right is defined as %any so
>>> should not rekey to a specific IP address. I am pretty certain
>>> changing the behaviour is wrong as it can potentially break working
>>> setups (like mine). To change the behaviour, really another
>>> parameter should be introduced which defaults to allow the original
>>> behaviour.
>>
>> A conn with auto=add and rekey=no, not manually changed using the
>> ipsec command, should never initiate. If you can gather more detailed
>> logs of that event, that would be useful. Is this a 3.21rcX version?
>
> No, it is a vanilla libreswan-3.20-1.el7.x86_64.rpm from your repo.
> Ipsec was restarted last week with a "service ipsec restart" (I know I
> should use systemctl but it is more typing) as well for this issue and
> I don't use manual ipsec commands. I can gather more info if you tell
> me what you want. I have the standard logs, but I guess you want more.
>
> Nick
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
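For readers unfamiliar with the setup the thread is arguing about, here is what a responder-only ("listening end") roadwarrior conn looks like in libreswan's ipsec.conf. This is an added example written for this page, not configuration taken from the thread or from the libreswan project; the conn name, subnets and the pre-shared-key auth method are assumptions, and the DPD timers are illustrative values. The settings that matter for the behaviour discussed above are auto=add, rekey=no, right=%any and dpdaction=clear.

```ini
# Added example (not from the thread): the listening end of a roadwarrior
# tunnel. The peer has a dynamic address and is expected to do all
# initiating and rekeying; this end only ever responds.

conn roadwarrior-listen
    # Load the conn into pluto but never initiate it ourselves.
    auto=add
    # Never start a rekey from this side; the peer rekeys when it wants.
    rekey=no
    # Our side: the interface holding the default route.
    left=%defaultroute
    leftsubnet=192.0.2.0/24          # constructed example LAN behind us
    # Peer side: any address, because the remote IP changes over time.
    right=%any
    rightsubnet=198.51.100.0/24      # constructed example LAN behind peer
    # Pre-shared key; the matching entry lives in ipsec.secrets (assumption).
    authby=secret
    # Dead peer detection: probe every 30s, declare the peer dead after
    # 120s of silence, then tear the SA down and go back to waiting.
    # dpdaction=clear is deliberate: dpdaction=restart would make this
    # end initiate towards whatever address the peer last used, which is
    # exactly the stale-IP initiation the thread is trying to avoid.
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
```

After loading this, `ipsec status` should list the conn as loaded but with no IKE SA until the peer connects. If the logs show this host sending IKE initiations towards a specific remote address at a fixed interval, as the thread reports, that is the listening end initiating despite auto=add and rekey=no, and is worth reporting with plutodebug output as Paul asks for above.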