Hello, I appear to be having a problem with maintaining an IKEv1 session with pluto. I have a strongSwan 4.6.4 client and a 4.5.3 server, both running on CentOS 6 x86_64, and the client is configured to use mode config push mode to get a virtual IP.
The issue I'm having seems to usually manifest itself after ~5-10 mins of being connected, although it can be longer; the SA remains up, I can see traffic reaching the other end in tcpdump, but no traffic will actually go onto the Internet (or even the remote strongSwan server). I've also noticed that the IP address assigned to my client by the VPN server has been updated (i.e. running "ip a" on the client shows that there are now two virtual IPs assigned to the interface, the originally assigned one and a new one). There's quite a lot of activity from pluto logged to /var/log/secure when this happens, with some relevant lines looking like:

    Nov 19 17:21:29 hostname pluto[2578]: "gateway" #3: parsing ModeCfg set
    Nov 19 17:21:29 hostname pluto[2578]: "gateway" #3: replacing virtual IP source address <ip A> by <ip B>
    Nov 19 17:21:29 hostname pluto[2578]: installing DNS server <VPN server internal IP> to /etc/resolv.conf
    Nov 19 17:21:29 hostname pluto[2578]: handling UNITY_BANNER attribute failed
    Nov 19 17:21:29 hostname pluto[2578]: "gateway" #3: sending ModeCfg ack
    Nov 19 17:21:29 hostname pluto[2578]: | inserting event EVENT_SA_EXPIRE, timeout in 10800 seconds for #3
    Nov 19 17:21:29 hostname pluto[2578]: "gateway" #3: sent ModeCfg ack, established
    [...]
    Nov 19 17:21:29 hostname pluto[2578]: | eroute_connection replace eroute 0.0.0.0/0:0 -> <ip B>/32:0 => [email protected]:0
    Nov 19 17:21:29 hostname pluto[2578]: deleting policy 0.0.0.0/0 === <ip B>/32 in failed, not found
    Nov 19 17:21:29 hostname pluto[2578]: deleting policy 0.0.0.0/0 === <ip B>/32 fwd failed, not found
    Nov 19 17:21:29 hostname pluto[2578]: | eroute_connection replace eroute <ip B>/32:0 -> 0.0.0.0/0:0 => [email protected]:0
    Nov 19 17:21:29 hostname pluto[2578]: deleting policy <ip B>/32 === 0.0.0.0/0 out failed, not found

(I've stripped out the hostname, and replaced some IP addresses.)
There is another, quite possibly related issue that I'm also having, where bringing down the tunnel with "ipsec stop" doesn't remove the assigned virtual IP address from the interface used for the VPN. This occurs with both self-built and EPEL RPMs of strongSwan 4.6.4.

Does anyone have any idea what may be causing this? From looking back at ML archives, it looks like I'm the only one who's had this problem, but I can reproduce it on different hosts.

Regards,
-Dave

## BEGIN ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    plutodebug=control
    charonstart=no
    uniqueids=yes
    nat_traversal=yes

# Add connections here.
conn gateway
    keyexchange=ikev1
    left=%defaultroute
    leftcert=<cert name>
    leftsourceip=%config
    right=<ip>
    rightcert=<right certificate>
    rightid=%any
    rightsubnet=0.0.0.0/0
    pfs=no
    modeconfig=push
    auto=start
## END ipsec.conf

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
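The symptom described in the post (pluto pushing a second virtual IP while the old one stays on the interface, plus "deleting policy ... failed, not found" lines) can be spotted from the logs without waiting for traffic to stop. The following is an added example, not code from the post or from the strongSwan project: it parses pluto log lines of the shape quoted above together with the output of "ip -4 addr show", and reports virtual IPs that were replaced by a ModeCfg push but are still assigned. All sample log lines, addresses, the connection name "gateway" and the interface eth0 are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of /var/log/secure lines, modelled on the format quoted in the post.
# Addresses are documentation ranges chosen for the example.
SAMPLE_LOG = """\
Nov 19 17:21:29 hostname pluto[2578]: "gateway" #3: parsing ModeCfg set
Nov 19 17:21:29 hostname pluto[2578]: "gateway" #3: replacing virtual IP source address 10.99.0.5 by 10.99.0.6
Nov 19 17:21:29 hostname pluto[2578]: "gateway" #3: sending ModeCfg ack
Nov 19 17:21:29 hostname pluto[2578]: "gateway" #3: sent ModeCfg ack, established
Nov 19 17:21:29 hostname pluto[2578]: deleting policy 0.0.0.0/0 === 10.99.0.6/32 in failed, not found
Nov 19 17:21:29 hostname pluto[2578]: deleting policy 0.0.0.0/0 === 10.99.0.6/32 fwd failed, not found
Nov 19 17:21:29 hostname pluto[2578]: deleting policy 10.99.0.6/32 === 0.0.0.0/0 out failed, not found
"""

# Constructed sample of "ip -4 addr show dev eth0" on the client after the second push:
# both the original and the replacement virtual IP are still present.
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
    inet 10.99.0.5/32 scope global eth0
    inet 10.99.0.6/32 scope global eth0
"""

# "replacing virtual IP source address <old> by <new>" tagged with connection name and SA number
_REPLACE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): '
    r'replacing virtual IP source address (?P<old>\S+) by (?P<new>\S+)'
)
# "deleting policy <src> === <dst> <dir> failed, not found"
_POLICY_FAIL_RE = re.compile(
    r'pluto\[\d+\]: deleting policy (?P<src>\S+) === (?P<dst>\S+) '
    r'(?P<dir>in|out|fwd) failed, not found'
)
# "inet a.b.c.d/len" lines from "ip -4 addr show"
_INET_RE = re.compile(r'^\s*inet (?P<addr>\d+\.\d+\.\d+\.\d+)/\d+', re.MULTILINE)


def analyze_pluto_log(text: str) -> Dict[str, list]:
    """Collect virtual-IP replacements and failed policy deletions from pluto log text.

    Returns {"replacements": [(conn, sa, old_ip, new_ip), ...],
             "policy_failures": [(src, dst, direction), ...]}.
    """
    replacements: List[Tuple[str, int, str, str]] = []
    policy_failures: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        m = _REPLACE_RE.search(line)
        if m:
            replacements.append((m["conn"], int(m["sa"]), m["old"], m["new"]))
            continue
        m = _POLICY_FAIL_RE.search(line)
        if m:
            policy_failures.append((m["src"], m["dst"], m["dir"]))
    return {"replacements": replacements, "policy_failures": policy_failures}


def parse_inet_addrs(ip_addr_output: str) -> List[str]:
    """Return the IPv4 addresses listed in 'ip -4 addr show' output, in order."""
    return [m["addr"] for m in _INET_RE.finditer(ip_addr_output)]


def stale_virtual_ips(events: Dict[str, list], assigned: List[str]) -> List[str]:
    """Virtual IPs that pluto reported as replaced but which are still on the interface.

    After a clean ModeCfg replacement (or after 'ipsec stop') none should remain.
    """
    present = set(assigned)
    return [old for (_conn, _sa, old, _new) in events["replacements"] if old in present]


def report(log_text: str, ip_addr_output: str) -> List[str]:
    """Human-readable findings for the two conditions described in the post."""
    events = analyze_pluto_log(log_text)
    findings = []
    for conn, sa, old, new in events["replacements"]:
        findings.append(f"{conn} #{sa}: virtual IP pushed again, {old} -> {new}")
    if events["policy_failures"]:
        dirs = ",".join(d for (_s, _d, d) in events["policy_failures"])
        findings.append(f"{len(events['policy_failures'])} policy deletions not found ({dirs})")
    for ip in stale_virtual_ips(events, parse_inet_addrs(ip_addr_output)):
        findings.append(f"stale virtual IP still assigned: {ip}")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, SAMPLE_IP_ADDR):
        print(line)
```

On a real host you would feed the script the relevant slice of /var/log/secure and the output of "ip -4 addr show dev <interface>"; the same stale-IP check also covers the second problem in the post, since a virtual IP that survives "ipsec stop" shows up in the address list while the log records which one pluto assigned.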
