Hi All, I am facing an issue with the ikev2 stack. Please refer to the ipsec.conf file below:
Here we have 2 connections, SA1 and SA2, which are basically 2 IPsec SAs using the same tunnel (IKE SA). The problem is that when I change the configuration of connection SA1 and fire "ipsec update", both the SA1 and SA2 configurations are deleted, and thereafter if I try to bring up SA2, I see an error saying "no config named 'SA2'".

I am performing the following steps:

1. Bring up SA1: "ipsec up SA1"
2. Bring up SA2: "ipsec up SA2"
3. Close SA1
4. Close SA2
5. Update the configuration of only SA1 (changed leftprotoport and rightprotoport to 49154).
6. Now fire the "ipsec update" command.
7. Now try to bring up connection SA2: "ipsec up SA2"
8. In the attached logs, observe that an error is displayed saying: "charon: 09[CFG] no config named 'SA2'".

Please observe that I have NOT updated the SA2 connection in the steps above. It seems that the SA2 configuration got deleted in step 6 above and hence it displays the error. Can you please confirm if the behavior is correct and if I am making any mistake in my configuration?

ipsec.conf
_____________________

config setup
    cachecrls=no
    charonstart=yes
    plutostart=no
    strictcrlpolicy=no
    uniqueids=no

ca section1
    cacert=/tmp/RootCert070f33_7349bbdb.pem
    auto=add

conn SA1
    ikelifetime=24h
    keyexchange=ikev2
    keyingtries=%forever
    keylife=90m
    reauth=no
    rekey=yes
    mobike=no
    dpddelay=0
    rekeymargin=4m
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!
    authby=rsasig
    left=20.20.20.20
    leftsubnet=10.10.10.10/32
    right=20.20.20.21
    rightsubnet=10.10.10.12/32
    leftprotoport=udp/49156
    rightprotoport=udp/49156
    leftcert=/tmp/BTScert.pem
    rightid=%any
    auto=add

conn SA2
    ikelifetime=24h
    keyexchange=ikev2
    keyingtries=%forever
    keylife=90m
    reauth=no
    rekey=yes
    mobike=no
    dpddelay=0
    rekeymargin=4m
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!
    authby=rsasig
    left=20.20.20.20
    leftsubnet=10.10.10.10/32
    right=20.20.20.21
    rightsubnet=10.10.10.12/32
    leftprotoport=udp/65535
    rightprotoport=udp/65535
    leftcert=/tmp/BTScert.pem
    rightid=%any
    auto=add

Thanks and Regards
Sajal
Jul 14 15:57:56 sajal-desktop charon: 01[DMN] starting charon (strongSwan Version 4.2.8)
Jul 14 15:57:56 sajal-desktop charon: 01[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Jul 14 15:57:56 sajal-desktop charon: 01[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Jul 14 15:57:56 sajal-desktop charon: 01[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Jul 14 15:57:56 sajal-desktop charon: 01[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Jul 14 15:57:56 sajal-desktop charon: 01[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Jul 14 15:57:56 sajal-desktop charon: 01[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Jul 14 15:57:56 sajal-desktop charon: 01[CFG] loaded private key file '/home/sajal/cer17Jun/Key.pem'
Jul 14 15:57:56 sajal-desktop charon: 01[JOB] spawning 16 worker threads
Jul 14 15:57:56 sajal-desktop charon: 03[CFG] received stroke: add ca 'CA1'
Jul 14 15:57:56 sajal-desktop charon: 03[LIB] loaded certificate file '/home/sajal/cer17Jun/cacert.pem'
Jul 14 15:57:56 sajal-desktop charon: 03[CFG] added ca 'CA1'
Jul 14 15:57:56 sajal-desktop charon: 08[CFG] received stroke: add connection 'SA1'
Jul 14 15:57:56 sajal-desktop charon: 08[CFG] left nor right host is our side, assuming left=local
Jul 14 15:57:56 sajal-desktop charon: 08[LIB] loaded certificate file '/home/sajal/cer17Jun/Mycert.pem'
Jul 14 15:57:56 sajal-desktop charon: 08[CFG] peerid 20.20.20.21 not confirmed by certificate, defaulting to subject DN
Jul 14 15:57:56 sajal-desktop charon: 08[CFG] received stroke: add connection 'SA2'
Jul 14 15:57:56 sajal-desktop charon: 08[CFG] left nor right host is our side, assuming left=local
Jul 14 15:57:56 sajal-desktop charon: 08[LIB] loaded certificate file '/home/sajal/cer17Jun/Mycert.pem'
Jul 14 15:57:56 sajal-desktop charon: 08[CFG] peerid 20.20.20.21 not confirmed by certificate, defaulting to subject DN
Jul 14 15:57:56 sajal-desktop charon: 08[CFG] added child to existing configuration 'SA1'
Jul 14 15:58:17 sajal-desktop charon: 13[CFG] received stroke: delete connection 'SA1'
Jul 14 15:58:17 sajal-desktop charon: 13[CFG] deleted connection 'SA1'
Jul 14 15:58:17 sajal-desktop charon: 08[CFG] received stroke: add connection 'SA1'
Jul 14 15:58:17 sajal-desktop charon: 08[CFG] left nor right host is our side, assuming left=local
Jul 14 15:58:17 sajal-desktop charon: 08[LIB] loaded certificate file '/home/sajal/cer17Jun/Mycert.pem'
Jul 14 15:58:17 sajal-desktop charon: 08[CFG] peerid 20.20.20.21 not confirmed by certificate, defaulting to subject DN
Jul 14 15:58:57 sajal-desktop charon: 09[CFG] received stroke: initiate 'SA2'
Jul 14 15:58:57 sajal-desktop charon: 09[CFG] no config named 'SA2'
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
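An added example, not from the original post or from strongSwan itself, that replays the [CFG] events of the attached log and tracks which conn names are still loaded at each step. It assumes the reading suggested by the log wording: "added child to existing configuration 'SA1'" attaches SA2 under the SA1 peer config, and "deleted connection 'SA1'" drops that peer config together with everything attached to it; the sample log lines are the post's own events with the syslog prefix removed.

```python
import re

# Constructed sample: the charon [CFG] stroke events from the post, in order.
SAMPLE_LOG = """\
08[CFG] received stroke: add connection 'SA1'
08[CFG] received stroke: add connection 'SA2'
08[CFG] added child to existing configuration 'SA1'
13[CFG] received stroke: delete connection 'SA1'
13[CFG] deleted connection 'SA1'
08[CFG] received stroke: add connection 'SA1'
09[CFG] received stroke: initiate 'SA2'
09[CFG] no config named 'SA2'
"""

ADD = re.compile(r"received stroke: add connection '([^']+)'")
CHILD = re.compile(r"added child to existing configuration '([^']+)'")
DELETE = re.compile(r"\bdeleted connection '([^']+)'")
INIT = re.compile(r"received stroke: initiate '([^']+)'")


def replay(log):
    """Replay charon's [CFG] events and track which conn names stay loaded.
    Assumed model (from the log wording, not charon source): an add followed by
    'added child to existing configuration' attaches the conn as a child of that
    peer config, and deleting a peer config drops all its children with it."""
    configs, events, pending = {}, [], None   # peer config -> child conn names

    def finalise():                            # add with no merge: own config
        nonlocal pending
        if pending is not None:
            configs.setdefault(pending, set()).add(pending)
            pending = None

    for line in log.splitlines():
        if m := ADD.search(line):
            finalise()
            pending = m.group(1)
        elif (m := CHILD.search(line)) and pending:
            configs.setdefault(m.group(1), set()).add(pending)
            events.append(("merged", pending, m.group(1)))
            pending = None
        elif m := DELETE.search(line):
            finalise()
            dropped = tuple(sorted(configs.pop(m.group(1), set())))
            events.append(("deleted", m.group(1), dropped))
        elif m := INIT.search(line):
            finalise()
            known = any(m.group(1) in kids for kids in configs.values())
            events.append(("initiate", m.group(1), known))
    finalise()
    return configs, events
```

Running `replay(SAMPLE_LOG)` shows SA2 merged under SA1, both names dropped by the delete, and only SA1 loaded when the initiate of SA2 arrives.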
