Hi Andreas/Martin,

Request you to provide some inputs on the problem below.

BR
Sajal

On Thu, Jul 15, 2010 at 4:11 PM, Sajal Malhotra <[email protected]> wrote:

> Hi All,
>
> I am facing an issue with the ikev2 stack.
> Please refer to the ipsec.conf file below:
>
> Here we have 2 connections SA1 and SA2 which are basically 2 IPsec SAs
> using same Tunnel (IKE SA).
> Problem is that when I change the configuration of connection SA1 and fire
> "ipsec update" then both SA1 and SA2 configuration are deleted and
> thereafter if I try to bring up the SA2, I see an error saying " no config
> named 'SA2'"
> I am performing following steps:
> 1. bring up SA1 "ipsec up SA1"
> 2. bring up SA2 "ipsec up SA2"
> 3. close SA1
> 4. close SA2
> 5. Update the configuration of only SA1 (changed leftprotoport and
> rightprotoport to 49154).
> 6. now I fired "ipsec update" command.
> 7. now try to bring up connection SA2. "ipsec up SA2"
> 8. In logs attached observe that an error is displayed saying: "charon:
> 09[CFG] no config named 'SA2'". Please observe that even though I have NOT
> updated SA2, connection in steps above. It seems that SA2 configuration has
> got deleted in step 6 above and hence it displays the error.
>
> Can you please confirm if the behavior is correct and if I am doing any
> mistake in my configuration
>
> ipsec.conf
> _____________________
>
> config setup
>     cachecrls=no
>     charonstart=yes
>     plutostart=no
>     strictcrlpolicy=no
>     uniqueids=no
>
> ca section1
>     cacert=/tmp/RootCert070f33_7349bbdb.pem
>     auto=add
>
> conn SA1
>     ikelifetime=24h
>     keyexchange=ikev2
>     keyingtries=%forever
>     keylife=90m
>     reauth=no
>     rekey=yes
>     mobike=no
>     dpddelay=0
>     rekeymargin=4m
>     ike=aes128-sha1-modp1024,3des-sha1-modp1024!
>     esp=aes128-sha1-modp1024,3des-sha1-modp1024!
>     authby=rsasig
>     left=20.20.20.20
>     leftsubnet=10.10.10.10/32
>     right=20.20.20.21
>     rightsubnet=10.10.10.12/32
>     leftprotoport=udp/49156
>     rightprotoport=udp/49156
>     leftcert=/tmp/BTScert.pem
>     rightid=%any
>     auto=add
>
> conn SA2
>     ikelifetime=24h
>     keyexchange=ikev2
>     keyingtries=%forever
>     keylife=90m
>     reauth=no
>     rekey=yes
>     mobike=no
>     dpddelay=0
>     rekeymargin=4m
>     ike=aes128-sha1-modp1024,3des-sha1-modp1024!
>     esp=aes128-sha1-modp1024,3des-sha1-modp1024!
>     authby=rsasig
>     left=20.20.20.20
>     leftsubnet=10.10.10.10/32
>     right=20.20.20.21
>     rightsubnet=10.10.10.12/32
>     leftprotoport=udp/65535
>     rightprotoport=udp/65535
>     leftcert=/tmp/BTScert.pem
>     rightid=%any
>     auto=add
>
> Thanks and Regards
> Sajal
>
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
