Public bug reported:
On an Ubuntu 17.10 system, if a temporary network outage occurs, such as
a firmware upgrade on an Ethernet switch in the network path or
temporarily disconnecting the interface via the virtualization platform
or failing to configure AWS's recommended lifetime and/or dead peer
detection settings, libreswan will unconfigure the vti interfaces during
the temporary failure and not reconfigure them when the temporary
failure is over, resulting in not recovering from the outage until
"systemctl restart ipsec" is run manually. (The vti interfaces disappear
from the output of "ip addr" during the temporary failure and the vti
interfaces do not reappear in the output of "ip addr" until after
"systemctl restart ipsec" is run.) Additionally, libreswan doesn't
seem to successfully configure the vti interfaces at boot time, but
manually running "systemctl restart ipsec" shortly after a reboot works.
(Given that I'm relying on systemd-networkd to configure the dummy0
interface with the globally routable IP address being used, there's a
chance that libreswan might be starting before dummy0 gets configured.)
left=, right=, and leftvti= values have been redacted for posting in
this bug report, and I have only included one of the several connections
here, but the rest of the configuration below reflects what I have in
/etc/ipsec.d/aws.conf.
Additionally, the documentation suggested that I could set mark to -1
for all tunnels to automatically get a unique mark for each one, but I
found that some of the tunnels failed to work when I used -1 and started
working when I manually assigned a unique mark value to each.
I am using bird to run BGP across these tunnels.
# Template section shared by every tunnel via also=
conn aws-base
    fragmentation=yes
    dpdaction=restart
    dpddelay=10
    dpdtimeout=30
    ikelifetime=28800
    salifetime=3600
    auto=start
    authby=secret
    ike=aes256-sha2-dh24
    phase2=esp
    phase2alg=aes256-sha2;dh24
    type=tunnel
    vti-routing=no
    left=100.64.36.16
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0

# One of several tunnels; each needs its own vti-interface and a unique mark
conn aws-1
    also=aws-base
    vti-interface=vti01
    leftvti=169.254.255.254/30
    right=100.64.25.4
    mark=1001/0xffffffff
** Affects: libreswan (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1751379
Title:
libreswan unconfigures vti interfaces in temporary network outage
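As an added example (not part of the bug report or of libreswan itself), a small Python check that a defender could run from cron or a systemd timer to catch the symptom described above before BGP sessions over the tunnels stay down: it parses the conn/also= structure of an aws.conf-style fragment, lists the vti-interface names that are absent from `ip -o link` output, and flags conns that share a mark, since the report notes the tunnels only worked once each had a unique mark. The sample config and link listing are constructed; the function names are assumptions.

```python
import re
# Constructed sample input: an ipsec.conf fragment shaped like the report's
# aws.conf, and an `ip -o link` listing in which vti02 is absent.
SAMPLE_CONF = """
conn aws-base
    vti-routing=no
conn aws-1
    also=aws-base
    vti-interface=vti01
    mark=1001/0xffffffff
conn aws-2
    also=aws-base
    vti-interface=vti02
    mark=1001/0xffffffff
"""
SAMPLE_IP_LINK = """\
3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN
4: vti01@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 state UNKNOWN
"""

def parse_conns(text):
    """Map each `conn NAME` section to its key=value settings."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            conns[current][key] = value
    return conns
def resolve(conns, name, seen=()):
    """Merge settings pulled in via also=; a conn's own keys win."""
    own, merged = conns[name], {}
    if own.get("also") in conns and own["also"] not in seen:
        merged.update(resolve(conns, own["also"], seen + (name,)))
    merged.update(own)
    return merged
def vti_status(conf_text, ip_link_output):
    """Return (vti names absent from the host, {mark: [conns sharing it]})."""
    present = set(re.findall(r"^\d+:\s+([^:@\s]+)", ip_link_output, re.M))
    conns = parse_conns(conf_text)
    # Templates such as aws-base name no vti-interface and are skipped.
    tunnels = {n: c for n in conns if "vti-interface" in (c := resolve(conns, n))}
    missing = sorted({c["vti-interface"] for c in tunnels.values()} - present)
    by_mark = {}
    for n, c in tunnels.items():
        by_mark.setdefault(c.get("mark"), []).append(n)
    return missing, {m: ns for m, ns in by_mark.items() if m and len(ns) > 1}
```

On a live host, feed `vti_status` the contents of /etc/ipsec.d/aws.conf and the output of `ip -o link`; a non-empty missing list is the cue to alert or restart ipsec rather than waiting for someone to notice the routes are gone.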