Hi Houman, > We have two types of servers. Same users are doing ok on servers with > StrongSwan 5.7.2 on kernel 5.3.0-53-generic. > > But on the servers with StrongSwan 5.8.2 with kernel* 5.4.0-39-generic, > *the issue arises. (Not for all users, but quite a few)
I had a closer look at the log and now saw what the problem is. It has nothing to do with the strongSwan or kernel version. The problem is that the client moves from an IPv4 address to an IPv6 address and you apparently have UDP-encapsulation forced (see the "faking NAT situation to enforce UDP encapsulation"). However, the Linux kernel currently does not support UDP encapsulation for IPv6 (the upcoming 5.8 kernel will be the first one with support for it), so you get that error when the daemon tries to replace the IPv4 SA with an IPv6 SA that has UDP encapsulation enabled. Try without forcing UDP encapsulation (or disable IPv6 in the socket-default plugin if you don't want clients to use it). Regards, Tobias