Hello, I can confirm that my previously reported bug was fixed (route disappears on IP address change).
However, I found another problem, possibly related, which can be reproduced as follows with Strongswan 4.6.0: - setup the test scenario as in ikev2/net2net-cert (ignoring winnetou) - replace the ethernet link between moon and sun by a serial line, run PPP on it with the IP addresses that were previously on ethernet - start the IPsec tunnel -> route in table 220 is OK - trigger PPP renegotiation -> route is gone Charon log: see attachment. Typescript (some output removed): root@moon:~# pppd 192.168.0.1:192.168.0.2 passive noauth nodetach persist /dev/ttyS1 root@sun:~# pppd noauth nodetach persist /dev/ttyS1 root@moon:~# ipsec up net-net root@moon:~# ip route ls table 220 10.2.0.0/16 via 192.168.0.2 dev ppp0 proto static src 10.1.0.1 root@sun:~# ip route ls table 220 10.1.0.0/16 via 192.168.0.1 dev ppp0 proto static src 10.2.0.1 root@moon:~# killall -HUP pppd # wait until IP addresses have been renegotiated root@moon:~# ip route ls table 220 root@sun:~# ip route ls table 220 # the routes in table 220 are now gone Regards, Mirko
Nov 9 17:30:12 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.0) Nov 9 17:30:15 moon charon: 00[KNL] listening on interfaces: Nov 9 17:30:15 moon charon: 00[KNL] eth1 Nov 9 17:30:15 moon charon: 00[KNL] 10.1.0.1 Nov 9 17:30:15 moon charon: 00[KNL] fe80::5054:ff:fe71:c0d7 Nov 9 17:30:15 moon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' Nov 9 17:30:15 moon charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem' Nov 9 17:30:15 moon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' Nov 9 17:30:15 moon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' Nov 9 17:30:15 moon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' Nov 9 17:30:15 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls' Nov 9 17:30:15 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets' Nov 9 17:30:15 moon charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem' Nov 9 17:30:15 moon charon: 00[CFG] sql plugin: database URI not set Nov 9 17:30:15 moon charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL Nov 9 17:30:15 moon charon: 00[CFG] loaded 0 RADIUS server configurations Nov 9 17:30:15 moon charon: 00[LIB] plugin 'eap-tnc' failed to load: /usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so: undefined symbol: tnc Nov 9 17:30:15 moon charon: 00[LIB] plugin 'medsrv' failed to load: /usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object file: No such file or directory Nov 9 17:30:15 moon charon: 00[CFG] mediation client database URI not defined, skipped Nov 9 17:30:15 moon charon: 00[LIB] plugin 'medcli': failed to load - medcli_plugin_create returned NULL Nov 9 17:30:15 moon charon: 00[LIB] plugin 'nm' failed to load: /usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object file: No such file or directory Nov 9 17:30:15 moon charon: 00[CFG] HA config misses local/remote address Nov 9 17:30:15 moon charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL Nov 9 17:30:15 moon charon: 00[LIB] feature PRF:PRF_CAMELLIA128_XCBC in 'xcbc' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16 Nov 9 17:30:15 moon charon: 00[LIB] feature SIGNER:CAMELLIA_XCBC_96 in 'xcbc' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16 Nov 9 17:30:15 moon charon: 00[LIB] feature CRYPTER:CAMELLIA_CTR-16 in 'ctr' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16 Nov 9 17:30:15 moon charon: 00[LIB] feature CRYPTER:CAMELLIA_CTR-24 in 'ctr' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-24 Nov 9 17:30:15 moon charon: 00[LIB] feature CRYPTER:CAMELLIA_CTR-32 in 'ctr' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-32 Nov 9 17:30:15 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_8-16 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16 Nov 9 17:30:15 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_8-24 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-24 Nov 9 17:30:15 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_8-32 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-32 Nov 9 17:30:15 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_12-16 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16 Nov 9 17:30:15 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_12-24 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-24 Nov 9 17:30:15 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_12-32 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-32 Nov 9 17:30:15 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_16-16 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16 Nov 9 17:30:15 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_16-24 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-24 Nov 9 17:30:15 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_16-32 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-32 Nov 9 17:30:15 moon charon: 00[DMN] loaded plugins: test-vectors curl ldap pkcs11 aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls dhcp led addrblock Nov 9 17:30:15 moon charon: 00[JOB] spawning 16 worker threads Nov 9 17:30:15 moon charon: 09[CFG] received stroke: add connection 'net-net' Nov 9 17:30:15 moon charon: 09[KNL] getting interface name for 192.168.0.2 Nov 9 17:30:15 moon charon: 09[KNL] 192.168.0.2 is not a local address Nov 9 17:30:15 moon charon: 09[KNL] getting interface name for 192.168.0.1 Nov 9 17:30:15 moon charon: 09[KNL] 192.168.0.1 is not a local address Nov 9 17:30:15 moon charon: 09[CFG] left nor right host is our side, assuming left=local Nov 9 17:30:15 moon charon: 09[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem' Nov 9 17:30:15 moon charon: 09[CFG] added configuration 'net-net' Nov 9 17:30:24 moon puppet-agent[1585]: Reopening log files Nov 9 17:30:25 moon puppet-agent[1585]: Starting Puppet client version 2.6.2 Nov 9 17:30:25 moon puppet-agent[1585]: Could not retrieve catalog from remote server: getaddrinfo: Name or service not known Nov 9 17:30:26 moon puppet-agent[1585]: Using cached catalog Nov 9 17:30:26 moon puppet-agent[1585]: Could not retrieve catalog; skipping run Nov 9 17:31:28 moon charon: 03[KNL] 192.168.0.1 appeared on ppp0 Nov 9 17:31:28 moon charon: 03[KNL] 192.168.0.1 disappeared from ppp0 Nov 9 17:31:28 moon charon: 03[KNL] 192.168.0.1 appeared on ppp0 Nov 9 17:31:28 moon charon: 03[KNL] interface ppp0 activated Nov 9 17:31:28 moon charon: 10[KNL] creating roam job due to address/link change Nov 9 17:32:03 moon charon: 12[CFG] received stroke: initiate 'net-net' Nov 9 17:32:03 moon charon: 14[IKE] initiating IKE_SA net-net[1] to 192.168.0.2 Nov 9 17:32:03 moon charon: 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] Nov 9 17:32:03 moon charon: 14[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] Nov 9 17:32:03 moon charon: 15[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] Nov 9 17:32:03 moon charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] Nov 9 17:32:03 moon charon: 15[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" Nov 9 17:32:03 moon charon: 15[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" Nov 9 17:32:03 moon charon: 15[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful Nov 9 17:32:03 moon charon: 15[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" Nov 9 17:32:03 moon charon: 15[IKE] establishing CHILD_SA net-net Nov 9 17:32:03 moon charon: 15[KNL] getting SPI for reqid {1} Nov 9 17:32:03 moon charon: 15[KNL] got SPI c8abf7d9 for reqid {1} Nov 9 17:32:03 moon charon: 15[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ] Nov 9 17:32:03 moon charon: 15[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] Nov 9 17:32:04 moon charon: 16[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] Nov 9 17:32:04 moon charon: 16[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ] Nov 9 17:32:04 moon charon: 16[IKE] received end entity cert "C=CH, O=Linux strongSwan, CN=sun.strongswan.org" Nov 9 17:32:04 moon charon: 16[CFG] using certificate "C=CH, O=Linux strongSwan, CN=sun.strongswan.org" Nov 9 17:32:04 moon charon: 16[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" Nov 9 17:32:04 moon charon: 16[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=sun.strongswan.org" Nov 9 17:32:04 moon charon: 16[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ... Nov 9 17:32:04 moon charon: 16[LIB] libcurl http request failed: couldn't connect to host Nov 9 17:32:04 moon charon: 16[CFG] crl fetching failed Nov 9 17:32:04 moon charon: 16[CFG] certificate status is not available Nov 9 17:32:04 moon charon: 16[CFG] reached self-signed root ca with a path length of 0 Nov 9 17:32:04 moon charon: 16[IKE] authentication of 'sun.strongswan.org' with RSA signature successful Nov 9 17:32:04 moon charon: 16[IKE] IKE_SA net-net[1] established between 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org] Nov 9 17:32:04 moon charon: 16[IKE] scheduling reauthentication in 3293s Nov 9 17:32:04 moon charon: 16[IKE] maximum IKE_SA lifetime 3473s Nov 9 17:32:04 moon charon: 16[KNL] adding SAD entry with SPI c8abf7d9 and reqid {1} Nov 9 17:32:04 moon charon: 16[KNL] using encryption algorithm AES_CBC with key size 128 Nov 9 17:32:04 moon charon: 16[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160 Nov 9 17:32:04 moon charon: 16[KNL] adding SAD entry with SPI cee815ff and reqid {1} Nov 9 17:32:04 moon charon: 16[KNL] using encryption algorithm AES_CBC with key size 128 Nov 9 17:32:04 moon charon: 16[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160 Nov 9 17:32:04 moon charon: 16[KNL] adding policy 10.1.0.0/16 === 10.2.0.0/16 out Nov 9 17:32:04 moon charon: 16[KNL] adding policy 10.2.0.0/16 === 10.1.0.0/16 in Nov 9 17:32:04 moon charon: 16[KNL] adding policy 10.2.0.0/16 === 10.1.0.0/16 fwd Nov 9 17:32:04 moon charon: 16[KNL] getting a local address in traffic selector 10.1.0.0/16 Nov 9 17:32:04 moon charon: 16[KNL] using host 10.1.0.1 Nov 9 17:32:04 moon charon: 16[KNL] getting address to reach 192.168.0.2 Nov 9 17:32:04 moon charon: 16[KNL] getting interface name for 192.168.0.1 Nov 9 17:32:04 moon charon: 16[KNL] 192.168.0.1 is on interface ppp0 Nov 9 17:32:04 moon charon: 16[KNL] installing route: 10.2.0.0/16 via 192.168.0.2 src 10.1.0.1 dev ppp0 Nov 9 17:32:04 moon charon: 16[KNL] getting iface index for ppp0 Nov 9 17:32:04 moon charon: 16[KNL] policy 10.1.0.0/16 === 10.2.0.0/16 out already exists, increasing refcount Nov 9 17:32:04 moon charon: 16[KNL] updating policy 10.1.0.0/16 === 10.2.0.0/16 out Nov 9 17:32:04 moon charon: 16[KNL] policy 10.2.0.0/16 === 10.1.0.0/16 in already exists, increasing refcount Nov 9 17:32:04 moon charon: 16[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 in Nov 9 17:32:04 moon charon: 16[KNL] policy 10.2.0.0/16 === 10.1.0.0/16 fwd already exists, increasing refcount Nov 9 17:32:04 moon charon: 16[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 fwd Nov 9 17:32:04 moon charon: 16[KNL] getting a local address in traffic selector 10.1.0.0/16 Nov 9 17:32:04 moon charon: 16[KNL] using host 10.1.0.1 Nov 9 17:32:04 moon charon: 16[KNL] getting address to reach 192.168.0.2 Nov 9 17:32:04 moon charon: 16[KNL] getting interface name for 192.168.0.1 Nov 9 17:32:04 moon charon: 16[KNL] 192.168.0.1 is on interface ppp0 Nov 9 17:32:04 moon charon: 16[KNL] getting iface index for ppp0 Nov 9 17:32:04 moon charon: 16[IKE] CHILD_SA net-net{1} established with SPIs c8abf7d9_i cee815ff_o and TS 10.1.0.0/16 === 10.2.0.0/16 Nov 9 17:32:04 moon charon: 16[KNL] getting interface name for 192.168.0.1 Nov 9 17:32:04 moon charon: 16[KNL] 192.168.0.1 is on interface ppp0 Nov 9 17:32:04 moon charon: 16[IKE] received AUTH_LIFETIME of 3305s, scheduling reauthentication in 3125s Nov 9 17:32:10 moon charon: 11[KNL] querying SAD entry with SPI c8abf7d9 Nov 9 17:32:10 moon charon: 11[KNL] querying SAD entry with SPI cee815ff Nov 9 17:32:49 moon charon: 03[KNL] interface ppp0 deactivated Nov 9 17:32:49 moon charon: 03[KNL] 192.168.0.1 disappeared from ppp0 Nov 9 17:32:49 moon charon: 14[KNL] creating roam job due to address/link change Nov 9 17:32:49 moon charon: 14[KNL] getting address to reach 192.168.0.2 Nov 9 17:32:49 moon charon: 14[IKE] old path is not available anymore, try to find another Nov 9 17:32:49 moon charon: 14[KNL] getting address to reach 192.168.0.2 Nov 9 17:32:49 moon charon: 14[IKE] no route found to reach 192.168.0.2, MOBIKE update deferred Nov 9 17:32:55 moon charon: 03[KNL] 192.168.0.1 appeared on ppp0 Nov 9 17:32:55 moon charon: 03[KNL] 192.168.0.1 disappeared from ppp0 Nov 9 17:32:55 moon charon: 03[KNL] 192.168.0.1 appeared on ppp0 Nov 9 17:32:55 moon charon: 03[KNL] interface ppp0 activated Nov 9 17:32:55 moon charon: 12[KNL] creating roam job due to address/link change Nov 9 17:32:55 moon charon: 12[KNL] getting address to reach 192.168.0.2
_______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users