Issue #2395

IKEv1 does not try to re-install IPsec SA when is 2nd phase deleted on remote device

Added by Jiri Zendulka almost 5 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.5.3
Resolution:
No change required

Description

strongSwan is used as the initiator. The responder is a Fortigate VPN device.

The IPsec IKEv1 connection is successfully installed. Then the IPsec SA is manually deleted on the responder side. IKE is still established on both sides.

In this situation strongSwan does not try to re-install the SA automatically. It is necessary to manually restart the tunnel (IKE) to install the tunnel again.
IKEv2 does not have this issue (the tunnel is re-installed automatically).

Compatibility notice: Openswan automatically re-installs the IPsec SA in this situation.

History

#1 Updated by Tobias Brunner almost 5 years ago

  • Status changed from New to Feedback

The IPsec IKEv1 connection is successfully installed. Then the IPsec SA is manually deleted on the responder side. IKE is still established on both sides.

Deleted how? Is a DELETE sent?

In this situation strongSwan does not try to re-install the SA automatically. It is necessary to manually restart the tunnel (IKE) to install the tunnel again.
IKEv2 does not have this issue (the tunnel is re-installed automatically).

Why should it be installed again? What's logged? Do you use auto=route? closeaction?

#2 Updated by Jiri Zendulka almost 5 years ago

Tobias Brunner wrote:

The IPsec IKEv1 connection is successfully installed. Then the IPsec SA is manually deleted on the responder side. IKE is still established on both sides.

Deleted how? Is a DELETE sent?

Yes. It is.

2017-07-14 08:54:26 charon: 06[IKE] received DELETE for ESP CHILD_SA with SPI 2b28a94e 
2017-07-14 08:54:26 charon: 06[IKE] closing CHILD_SA ipsec1{2} with SPIs c0fa0980_i (1980 bytes) 2b28a94e_o (1980 bytes) and TS 10.114.100.240/29 === 10.114.94.0/24 

In this situation strongSwan does not try to re-install the SA automatically. It is necessary to manually restart the tunnel (IKE) to install the tunnel again.
IKEv2 does not have this issue (the tunnel is re-installed automatically).

Why should it be installed again? What's logged? Do you use auto=route? closeaction?

I use:
auto=start
closeaction is not defined in the config file, so I guess the default value "none" is used.

Shall I set closeaction=restart?

#3 Updated by Tobias Brunner almost 5 years ago

Shall I set closeaction=restart?

You could try, but I'd use auto=route.
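The settings discussed in this thread, side by side in an ipsec.conf fragment. This is an added example, not the reporter's configuration or strongSwan project code; the gateway addresses and cipher proposals are constructed placeholders, while the subnets are the ones from the log in comment #2.

```ini
# Added example, not the reporter's config. Gateways 192.0.2.10 and
# 198.51.100.20 and the ike=/esp= proposals are constructed placeholders;
# the subnets are the traffic selectors from the log in comment #2.
# Only ONE of the three conn sections below should be present in a real
# config, since they all carry the same traffic selectors.

conn %default
    keyexchange=ikev1
    authby=secret
    left=192.0.2.10
    leftsubnet=10.114.100.240/29
    right=198.51.100.20
    rightsubnet=10.114.94.0/24
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!

# Behaviour reported in the issue: the CHILD_SA is negotiated once when
# the daemon starts. After the peer's DELETE the IKE SA survives, but
# nothing triggers a new Quick Mode, so the tunnel stays down until the
# connection is restarted by hand.
conn ipsec1-start
    auto=start
    # closeaction defaults to "none": a peer-initiated close is accepted

# Recommended in comment #3: a trap policy is installed in the kernel
# instead of an SA. The first packet matching the policy raises an
# acquire and strongSwan negotiates the CHILD_SA on demand. The policy
# stays in place after the peer's DELETE, so the next matching packet
# re-negotiates Quick Mode over the still-established IKE SA.
conn ipsec1-route
    auto=route

# Alternative asked about in comment #2: keep auto=start but have
# strongSwan re-create the CHILD_SA as soon as the peer deletes it.
# Tobias said this could be tried, but preferred auto=route.
conn ipsec1-restart
    auto=start
    closeaction=restart
```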

#4 Updated by Jiri Zendulka almost 5 years ago

Thanks, it works. You can close the issue.

#5 Updated by Tobias Brunner almost 5 years ago

  • Category set to configuration
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required
