Hello,

Does anyone recognise this as a known issue? If no solution, shall I enter this into the bugtracker?

Re-activation of child SA connections fails after physical disconnect in IKE1 mode.

I have one IKE SA and seven child SAs routed towards one remote peer (in responder mode). The local node is set to "auto=start" and "keyingtries=%forever".

1) I physically disconnect the ethernet cable, and get an "asynchronous network error". All child SA connections go to the inactive (down) state.

2) Reconnect the cable and ONLY child SA 0 and 7 recover. SA 2 to 6 stay in inactive state.

3) TRACE

OCT# ipsec status
000 "conn1": 192.168.205.0/24===192.168.205.201:17/500...192.168.205.102:17/500===192.168.205.0/24; erouted; eroute owner: #195
000 "conn1": newest ISAKMP SA: #1; newest IPsec SA: #195;
000 "conn2": 192.168.206.0/24===192.168.205.201:17/500...192.168.205.102:17/500===192.168.206.0/24; prospective erouted; eroute owner: #0
000 "conn2": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "conn3": 192.168.207.0/24===192.168.205.201:17/500...192.168.205.102:17/500===192.168.207.0/24; prospective erouted; eroute owner: #0
000 "conn3": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "conn4": 192.168.208.0/24===192.168.205.201:17/501...192.168.205.102:17/501===192.168.208.0/24; prospective erouted; eroute owner: #0
000 "conn4": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "conn5": 192.168.209.0/24===192.168.205.201:17/502...192.168.205.102:17/502===192.168.209.0/24; prospective erouted; eroute owner: #0
000 "conn5": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "conn6": 192.168.210.0/24===192.168.205.201:17/503...192.168.205.102:17/503===192.168.210.0/24; prospective erouted; eroute owner: #0
000 "conn6": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "conn7": 192.168.211.0/24===192.168.205.201:17/504...192.168.205.102:17/504===192.168.211.0/24; erouted; eroute owner: #196
000 "conn7": newest ISAKMP SA: #194; newest IPsec SA: #196;
000
000 #195: "conn1" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 701s; newest IPSEC; eroute owner
000 #195: "conn1" esp.d9116...@192.168.205.102 (0 bytes) esp.52d5c...@192.168.205.201 (0 bytes); tunnel
000 #1: "conn1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 75486s; newest ISAKMP
000 #196: "conn7" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 165s; newest IPSEC; eroute owner
000 #196: "conn7" esp.f7fb9...@192.168.205.102 (0 bytes) esp.d98c5...@192.168.205.201 (0 bytes); tunnel

4) I need to issue the ipsec restart command to re-activate the other connections.

best regards,
Steve

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
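
An added example, not part of the original post: a Python check that parses `ipsec status` output in the format shown in the trace above and lists the connections left without an IPsec SA (`newest IPsec SA: #0`), the condition conn2 to conn6 are reported in. The sample lines are copied from the post's trace (conn1, conn2 and conn7 only); the function and field names are made up for this example.

```python
import re

# Lines copied from the `ipsec status` trace in the post (three of the seven conns).
SAMPLE = '''\
000 "conn1": 192.168.205.0/24===192.168.205.201:17/500...192.168.205.102:17/500===192.168.205.0/24; erouted; eroute owner: #195
000 "conn1": newest ISAKMP SA: #1; newest IPsec SA: #195;
000 "conn2": 192.168.206.0/24===192.168.205.201:17/500...192.168.205.102:17/500===192.168.206.0/24; prospective erouted; eroute owner: #0
000 "conn2": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "conn7": 192.168.211.0/24===192.168.205.201:17/504...192.168.205.102:17/504===192.168.211.0/24; erouted; eroute owner: #196
000 "conn7": newest ISAKMP SA: #194; newest IPsec SA: #196;
000 #196: "conn7" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 165s; newest IPSEC; eroute owner
'''

# Per-connection lines start with 000 "name": ; per-state lines start with 000 #N:
CONN_RE = re.compile(r'^000 "([^"]+)":\s*(.*)$')
NEWEST_RE = re.compile(r'newest ISAKMP SA: #(\d+); newest IPsec SA: #(\d+);')
ROUTE_RE = re.compile(r';\s*([^;]+?)\s*;\s*eroute owner: #(\d+)')


def parse_status(text):
    """Return {conn_name: {route, owner, ike_sa, ipsec_sa}} from status output."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue  # skip state lines (000 #N: ...) and blank 000 lines
        entry = conns.setdefault(
            m.group(1), {"route": None, "owner": 0, "ike_sa": 0, "ipsec_sa": 0})
        rest = m.group(2)
        newest = NEWEST_RE.search(rest)
        if newest:
            entry["ike_sa"] = int(newest.group(1))
            entry["ipsec_sa"] = int(newest.group(2))
            continue
        route = ROUTE_RE.search(rest)
        if route:
            entry["route"] = route.group(1)
            entry["owner"] = int(route.group(2))
    return conns


def down_connections(conns):
    """Connections with no IPsec SA: SA serial #0 means none is established."""
    return sorted(name for name, c in conns.items() if c["ipsec_sa"] == 0)


if __name__ == "__main__":
    for name in down_connections(parse_status(SAMPLE)):
        print(f"{name}: no IPsec SA established")
```

Feeding it the live output of `ipsec status` instead of `SAMPLE` gives a check that can run after a link flap to confirm which tunnels came back.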