Yes, the identities of the peers must be unique, at least with the default setting "uniqueids=yes". If you want stability and robustness, we strongly recommend generating certificates with a unique subject DN for each of your peers.
Regards
Andreas

On 10/07/2012 10:25 AM, Guru Shetty wrote:
> Just to add to the above question, does Strongswan get confused if all
> Moon, Earth and Sun have the same "req_distinguished_name" in their
> certificates?
>
> Ex: Sun, Moon and Earth have: C=US, ST=CA, L=Palo Alto, O=Open
> vSwitch, OU=Open vSwitch certifier, CN=Open vSwitch certificate for
> ovsclient.
>
> I do not seem to see the reported issue if I change the "O=" value and
> keep it unique.
>
> Thanks,
> Guru
>
> On 7 October 2012 00:22, Guru Shetty <[email protected]> wrote:
>> Hello All,
>> I am using Strongswan 4.6.4 and the issue is reproducible every time.
>>
>> I have a 3 node setup - Moon, Sun and Earth in a host-host setting.
>> All 3 of them are in the same network.
>>
>> Moon has 2 connections. One is to Sun. The other is to Earth. (Earth
>> and Sun are not connected to each other through IPSEC.)
>>
>> Moon--------------Earth
>> |
>> |----------------------Sun
>>
>> The initial state is that all connections are up and running. Now I do
>> the following:
>>
>> 1) From Sun, do a "ipsec down ${connection_name}"
>>    - As expected Moon and Sun lose the SADs that establish their
>>      relationship. "ipsec statusall" does not show the connection between
>>      them.
>>    - As expected, Moon and Earth have the connection between them up and
>>      running.
>>
>> 2) From Sun, do a "ipsec up ${connection_name}"
>>    - As expected, Moon and Sun re-establish their connections.
>>    - BUT, the SADs in Moon that establish the relationship to Earth
>>      disappear. Sometimes, just one one-way SAD is seen in "Larval" state.
>>      "ipsec statusall" does not show any established IKE/ESP to Earth.
>>    - On the Earth's side, if I do a "ipsec statusall" everything is
>>      established. The SAD entries are all present. Earth just does not know
>>      that the other side is down.
>>
>> 3) The way out is to do a "ipsec reload" in Moon. But in a live
>>    environment, this is not a workable solution.
>>
>> My ipsec.conf for Moon (Please note that my installpolicy=no.):
>>
>> config setup
>>     nat_traversal=no
>>     charonstart=yes
>>     plutostart=no
>>     #uniqueids=no
>>
>> conn %default
>>     keyingtries=%forever
>>     #dpdaction=restart
>>     #closeaction=restart
>>     type=transport
>>     installpolicy=no
>>     keyexchange=ikev2
>>     auto=start
>>     ike=aes-sha1-modp1024,aes-md5-modp1024
>>     esp=aes-sha1-modp1024
>>
>> conn remote-192.168.0.2 #This is connection to Sun
>>     reqid=1
>>     left=192.168.0.1
>>     leftcert=/etc/openvswitch/ovsclient-cert.pem
>>     right=192.168.0.2
>>     rightcert=/etc/ipsec.d/certs/ovs-192.168.0.2.pem
>>
>> conn remote-192.168.0.3 #This is connection to Earth.
>>     reqid=2
>>     left=192.168.0.1
>>     leftcert=/etc/openvswitch/ovsclient-cert.pem
>>     right=192.168.0.3
>>     rightcert=/etc/ipsec.d/certs/ovs-192.168.0.3.pem
>>
>> Both Sun and Earth have the same ipsec.conf parameters (They have only
>> one connection instead of 2. They both point to Moon).
>>
>> Do any of you see anything stupid here?
>>
>> Thanks,
>> Guru
>

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
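The following is an added illustration, not code from the thread or from strongSwan. It is a toy model of the single rule Andreas refers to: with uniqueids=yes, a newly authenticated IKE_SA whose peer identity (the certificate subject DN) matches an existing IKE_SA replaces that older SA. The peer names, connection names and the shared DN come from Guru's report; the ToyDaemon and IkeSa classes, the replay_on_moon() helper and the duplicate_subjects() check are invented for the example and leave out everything else the real daemon does (authentication, rekeying, child SAs). Replaying steps 1 and 2 of the report shows why Sun's "ipsec up" tears down Moon's SA towards Earth when both peers present the same DN, and why the problem vanishes once the DNs differ.

```python
"""Toy model of strongSwan's uniqueids=yes rule (added example, not strongSwan code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class IkeSa:
    conn: str       # ipsec.conf connection name
    peer_id: str    # identity of the remote peer, here its certificate subject DN
    peer_addr: str  # remote address


class ToyDaemon:
    """Hypothetical stand-in for the IKE daemon's IKE_SA table."""

    def __init__(self, uniqueids=True):
        self.uniqueids = uniqueids
        self.sas = []

    def establish(self, conn, peer_id, peer_addr):
        """Bring up an IKE_SA; return the connections torn down by the uniqueness rule."""
        torn_down = []
        if self.uniqueids:
            # uniqueids=yes: a new IKE_SA using an ID replaces all old ones using that ID.
            torn_down = [sa.conn for sa in self.sas if sa.peer_id == peer_id]
            self.sas = [sa for sa in self.sas if sa.peer_id != peer_id]
        self.sas.append(IkeSa(conn, peer_id, peer_addr))
        return torn_down

    def down(self, conn):
        """Local effect of the remote peer running 'ipsec down <conn>'."""
        self.sas = [sa for sa in self.sas if sa.conn != conn]

    def status(self):
        """Connection names with an established IKE_SA, a terse 'ipsec statusall'."""
        return sorted(sa.conn for sa in self.sas)


# The subject DN all three peers shared in the report.
SHARED_DN = ("C=US, ST=CA, L=Palo Alto, O=Open vSwitch, OU=Open vSwitch certifier, "
             "CN=Open vSwitch certificate for ovsclient")


def replay_on_moon(sun_dn, earth_dn, uniqueids=True):
    """Replay steps 1 and 2 of the report from Moon's point of view.

    Returns (connections torn down during step 2, Moon's status afterwards).
    """
    moon = ToyDaemon(uniqueids)
    # Initial state of the report: both of Moon's connections are up.
    moon.sas = [IkeSa("remote-192.168.0.2", sun_dn, "192.168.0.2"),
                IkeSa("remote-192.168.0.3", earth_dn, "192.168.0.3")]
    # Step 1: Sun runs 'ipsec down'; Moon loses the SA towards Sun only.
    moon.down("remote-192.168.0.2")
    # Step 2: Sun runs 'ipsec up'; the new SA is checked against the uniqueness rule.
    torn_down = moon.establish("remote-192.168.0.2", sun_dn, "192.168.0.2")
    return torn_down, moon.status()


def duplicate_subjects(cert_subjects):
    """Given {peer: subject DN}, return {DN: [peers]} for every DN used by more than one peer."""
    by_dn = defaultdict(list)
    for peer, dn in cert_subjects.items():
        by_dn[dn].append(peer)
    return {dn: peers for dn, peers in by_dn.items() if len(peers) > 1}


if __name__ == "__main__":
    unique_earth_dn = SHARED_DN.replace("O=Open vSwitch,", "O=Earth,")
    print("same DN:   ", replay_on_moon(SHARED_DN, SHARED_DN))
    print("unique DN: ", replay_on_moon(SHARED_DN, unique_earth_dn))
    print("duplicates:", duplicate_subjects({"sun": SHARED_DN, "moon": SHARED_DN,
                                             "earth": unique_earth_dn}))
```

With identical DNs the replay reports remote-192.168.0.3 torn down and only the Sun connection left, which is what Guru saw on Moon; with a distinct DN for Earth nothing is torn down. duplicate_subjects() is the pre-deployment check this suggests: feed it the subject DN of each peer certificate (for instance as printed by openssl x509 -noout -subject) and treat any non-empty result as a configuration to fix before the tunnels go live.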
