Just to add to the above question, does Strongswan get confused if all Moon, Earth and Sun have the same "req_distinguished_name" in their certificates?

Ex: Sun, Moon and Earth have: C=US, ST=CA, L=Palo Alto, O=Open vSwitch, OU=Open vSwitch certifier, CN=Open vSwitch certificate for ovsclient. I do not seem to see the reported issue if I change the "O=" value and keep it unique.

Thanks,
Guru

On 7 October 2012 00:22, Guru Shetty <[email protected]> wrote:
> Hello All,
> I am using Strongswan 4.6.4 and the issue is reproducible every time.
>
> I have a 3 node setup - Moon, Sun and Earth in a host-host setting.
> All 3 of them are in the same network.
>
> Moon has 2 connections. One is to Sun. The other is to Earth. (Earth
> and Sun are not connected to each other through IPSEC.)
>
> Moon--------------Earth
> |
> |----------------------Sun
>
> The initial state is that all connections are up and running. Now I do
> the following:
>
> 1) From Sun, do a "ipsec down ${connection_name}"
> - As expected, Moon and Sun lose the SADs that establish their
> relationship. "ipsec statusall" does not show the connection between
> them.
> - As expected, Moon and Earth have the connection between them up and
> running.
>
> 2) From Sun, do a "ipsec up ${connection_name}"
> - As expected, Moon and Sun re-establish their connections.
> - BUT, the SADs in Moon that establish the relationship to Earth
> disappear. Sometimes, just a one-way SAD is seen in "Larval" state.
> "ipsec statusall" does not show any established IKE/ESP to Earth.
> - On Earth's side, if I do a "ipsec statusall" everything is
> established. The SAD entries are all present. Earth just does not know
> that the other side is down.
>
> 3) The way out is to do a "ipsec reload" in Moon. But in a live
> environment, this is not a workable solution.
>
> My ipsec.conf for Moon (Please note that my installpolicy=no.):
>
> config setup
>     nat_traversal=no
>     charonstart=yes
>     plutostart=no
>     #uniqueids=no
>
> conn %default
>     keyingtries=%forever
>     #dpdaction=restart
>     #closeaction=restart
>     type=transport
>     installpolicy=no
>     keyexchange=ikev2
>     auto=start
>     ike=aes-sha1-modp1024,aes-md5-modp1024
>     esp=aes-sha1-modp1024
>
> conn remote-192.168.0.2 #This is connection to Sun
>     reqid=1
>     left=192.168.0.1
>     leftcert=/etc/openvswitch/ovsclient-cert.pem
>     right=192.168.0.2
>     rightcert=/etc/ipsec.d/certs/ovs-192.168.0.2.pem
>
> conn remote-192.168.0.3 #This is connection to Earth.
>     reqid=2
>     left=192.168.0.1
>     leftcert=/etc/openvswitch/ovsclient-cert.pem
>     right=192.168.0.3
>     rightcert=/etc/ipsec.d/certs/ovs-192.168.0.3.pem
>
> Both Sun and Earth have the same ipsec.conf parameters (They have only
> one connection instead of 2. They both point to Moon).
>
> Do any of you see anything stupid here?
>
> Thanks,
> Guru

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
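Editor's note, added here and not part of Guru's message or of strongSwan: when leftid/rightid are not configured, strongSwan takes the IKE identity from the certificate's subject DN, and with the default uniqueids=yes a newly established IKE SA whose peer identity matches an existing one replaces that SA. Two conns whose peer certificates carry the same subject therefore look like the same peer to Moon, which is consistent with the Earth SA vanishing when Sun reconnects and with the symptom going away once "O=" is made unique. The script below is an added example that parses an ipsec.conf like Moon's, resolves each conn's peer identity (rightid, else the subject of rightcert, else the right address) and reports identities shared by more than one conn together with the uniqueids setting in effect. The configuration and subject DNs are constructed copies of the values in the thread; the subject lookup is passed in as a callable so the demo runs offline, and openssl_subject() shows how to feed real certificate files to it via "openssl x509 -noout -subject".

```python
"""Find strongSwan conns that resolve to the same peer identity.

Added example, not strongSwan code.  Identities are resolved the way
strongSwan does when no leftid/rightid is given: certificate subject DN,
falling back to the peer address.  Certificate subjects come from a
callable so the demo can run offline on constructed values.
"""
import subprocess
from collections import defaultdict

# Constructed copy of Moon's ipsec.conf from the thread (algorithm lines trimmed).
SAMPLE_CONF = """\
config setup
    nat_traversal=no
    charonstart=yes
    plutostart=no
    #uniqueids=no

conn %default
    keyingtries=%forever
    type=transport
    installpolicy=no
    keyexchange=ikev2
    auto=start

conn remote-192.168.0.2 #This is connection to Sun
    reqid=1
    left=192.168.0.1
    leftcert=/etc/openvswitch/ovsclient-cert.pem
    right=192.168.0.2
    rightcert=/etc/ipsec.d/certs/ovs-192.168.0.2.pem

conn remote-192.168.0.3 #This is connection to Earth.
    reqid=2
    left=192.168.0.1
    leftcert=/etc/openvswitch/ovsclient-cert.pem
    right=192.168.0.3
    rightcert=/etc/ipsec.d/certs/ovs-192.168.0.3.pem
"""

# Constructed subject DNs: both peer certificates were issued with the
# identical subject quoted in the thread.
SHARED_DN = ("C=US, ST=CA, L=Palo Alto, O=Open vSwitch, "
             "OU=Open vSwitch certifier, CN=Open vSwitch certificate for ovsclient")
SAMPLE_SUBJECTS = {
    "/etc/ipsec.d/certs/ovs-192.168.0.2.pem": SHARED_DN,
    "/etc/ipsec.d/certs/ovs-192.168.0.3.pem": SHARED_DN,
}


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored under 'setup'."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():               # section header at column 0
            _, _, name = line.partition(" ")   # "config setup" -> setup, "conn X" -> X
            current = name.strip()
            sections.setdefault(current, {})
            continue
        key, _, value = line.strip().partition("=")
        if current is not None and value:
            sections[current][key.strip()] = value.strip()
    return sections


def peer_identity(conn, subject_of):
    """Identity strongSwan will use for the remote peer of one conn."""
    if "rightid" in conn:
        return conn["rightid"]
    if "rightcert" in conn:
        return subject_of(conn["rightcert"])
    return conn.get("right", "%any")


def find_identity_collisions(text, subject_of):
    """Return (uniqueids setting, {identity: [conn names]}) for shared identities."""
    sections = parse_ipsec_conf(text)
    defaults = sections.get("%default", {})
    uniqueids = sections.get("setup", {}).get("uniqueids", "yes")  # strongSwan default
    by_identity = defaultdict(list)
    for name, params in sections.items():
        if name in ("setup", "%default"):
            continue
        by_identity[peer_identity({**defaults, **params}, subject_of)].append(name)
    collisions = {ident: names for ident, names in by_identity.items() if len(names) > 1}
    return uniqueids, collisions


def openssl_subject(path):
    """Subject DN of a PEM certificate via the openssl CLI (for real files; not run offline)."""
    out = subprocess.check_output(
        ["openssl", "x509", "-in", path, "-noout", "-subject"], text=True)
    return out.strip().removeprefix("subject=").strip()


if __name__ == "__main__":
    setting, dupes = find_identity_collisions(SAMPLE_CONF, SAMPLE_SUBJECTS.__getitem__)
    for ident, names in dupes.items():
        print(f"peer identity shared by {names}:\n  {ident}")
    if dupes and setting not in ("no", "never"):
        print(f"uniqueids={setting}: re-establishing one of these conns replaces the other's IKE SA")
```

Run it against a real host by replacing SAMPLE_SUBJECTS.__getitem__ with openssl_subject and SAMPLE_CONF with the contents of /etc/ipsec.conf; a non-empty collision list means each affected conn needs a distinct rightid or a certificate with a distinct subject, which is the same fix the follow-up reports works when "O=" is made unique.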
