Hello there. I'm using a quite symmetric configuration where both
gateways with strongSwan 5.1.1 have the auto=start in configuration in
order to force tunnel being up asap.
I used to start (or restart) ipsec at roughly the same time on both
machines and it ends with either:
- a) one IKE SA established and no IPsec SA
- b) two IKE SAs established and one IPsec SA
My major problem is a) as I need to restart ipsec on one gateway a few
times in order to have the second point, i.e. at least one IPsec SA
established.
On the logs when falling in the case a), we can see: [CFG] unable to
install policy 12.0.0.0/8 === 11.0.0.0/8 out (mark 0/0x00000000) for
reqid 2, the same policy for reqid 1 exists. When falling in case b)
there is no such log.
Specifying a reqid in ipsec.conf on both gateways seems to fix the
problem, i.e. the error message does not appear and only one IKE SA and
one IPsec SA are established (and stream is correctly routed through
tunnel).
So my questions are:
- is this configuration setting (reqid=xxx)'s purpose this use case?
- is this (not specifying a reqid) and falling in a) or b) a bug
(linked to race mentioned in #431?)?
- should I expect 'strange' issues by using this configuration setting
(reqid=)?
Thanks,
Marc.
Note: I tested latest git version and got the same result (but did not
try the reqid=xxx). Linux kernel is 3.10.18.
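
An added example, not part of the original post: a small Python scan of charon log lines for the policy conflict quoted above (case a), reporting which traffic selectors collided and which reqids were involved. The sample log lines, timestamps and host name are constructed; only the [CFG] message text is taken from the post.

```python
import re
from collections import defaultdict

# Message text as quoted in the post; the syslog prefix around it
# depends on the local logging setup, so the pattern is not anchored.
CONFLICT = re.compile(
    r"\[CFG\] unable to install policy "
    r"(?P<src>\S+) === (?P<dst>\S+) (?P<dir>in|out|fwd) "
    r"\(mark (?P<mark>[^)]+)\) for reqid (?P<new>\d+), "
    r"the same policy for reqid (?P<old>\d+) exists"
)

def find_reqid_conflicts(lines):
    """Map (src, dst, direction) -> set of (rejected_reqid, existing_reqid)."""
    conflicts = defaultdict(set)
    for line in lines:
        m = CONFLICT.search(line)
        if m:
            key = (m["src"], m["dst"], m["dir"])
            conflicts[key].add((int(m["new"]), int(m["old"])))
    return dict(conflicts)

# Constructed sample log (not captured from a real gateway).
SAMPLE_LOG = """\
Jan 01 10:00:01 gw-a charon: 09[IKE] constructed line: first IKE SA is up
Jan 01 10:00:01 gw-a charon: 11[CFG] unable to install policy 12.0.0.0/8 === 11.0.0.0/8 out (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists
Jan 01 10:00:01 gw-a charon: 11[CFG] unable to install policy 11.0.0.0/8 === 12.0.0.0/8 in (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists
Jan 01 10:00:02 gw-a charon: 11[IKE] constructed line: unrelated message
"""

if __name__ == "__main__":
    for (src, dst, direction), pairs in find_reqid_conflicts(
            SAMPLE_LOG.splitlines()).items():
        for rejected, existing in sorted(pairs):
            print(f"{src} === {dst} {direction}: reqid {rejected} "
                  f"rejected, policy already held by reqid {existing}")
```

A non-empty result after a simultaneous restart corresponds to case a) in the post: a second CHILD_SA was negotiated under a new reqid while policies for the same selectors were already installed.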