Issue #3409

no reconnect after a local prefix delegation

Added by Harald Dunkel 7 months ago. Updated about 1 month ago.

Category: network / firewall
Affected version:
Resolution: No feedback


I am running an IPsec connection between my PC at home (strongswan 5.8.4, kernel 5.6.3, Debian) and the gateway in the office (5.8.2, kernel 4.19.98, Debian 10). Problem:

If there is a prefix delegation in my LAN, then the IPsec connection is lost and a new one is not established. AFAIK this is not supposed to happen, due to MOBIKE.

The local charon.log and ipsec.conf are attached. In this case I rebooted my internet gateway to get a new prefix (making the old prefix invalid). Please note the netlink errors. I am not sure if they are supposed to happen.

gateway IP addresses
ipsec.conf (828 Bytes), local ipsec.conf, Harald Dunkel, 12.04.2020 13:15
charon.log (50.1 KB), Harald Dunkel, 12.04.2020 13:16


#1 Updated by Harald Dunkel 5 months ago

I would be glad to help to fix this problem.

#2 Updated by Tobias Brunner 5 months ago

  • Status changed from New to Feedback

According to the log, there is an only partially successful switch to IPv4 (the initial connectivity check works, but the next MOBIKE update fails already), which you might want to investigate. Then there is another switch to IPv6 (to reestablish the SA after a retransmission timeout) but that fails too (is the IPv6 address there still valid? if not, it shouldn't have been selected as source IP).

Increasing the log level for knl to 2 might show a bit more about what goes on when network/kernel changes occur.

The tunnel here seems to only protect IPv4 traffic. Are there other tunnels that maybe also cover IPv6? If so, make sure you bypass NDP.
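
The two configuration suggestions in comment #2, written out as an ipsec.conf fragment. This is an added example, not the reporter's attached ipsec.conf and not text from either participant; the conn names `ndp-ns` and `ndp-na` are placeholders chosen here.

```conf
# /etc/ipsec.conf (added example; conn names are hypothetical)

config setup
    # Raise only the kernel-interface subsystem (knl) to level 2 so that
    # address, route and policy changes show up in charon's log.
    charondebug="knl 2"

# Bypass policies for IPv6 Neighbor Discovery. These matter only when
# some tunnel's traffic selectors also cover IPv6; without them, NDP
# packets match the IPsec policy and neighbor resolution can break.

conn ndp-ns
    # ICMPv6 type 135: Neighbor Solicitation
    leftsubnet=::/0[ipv6-icmp/135]
    rightsubnet=::/0[ipv6-icmp/135]
    type=passthrough
    auto=route

conn ndp-na
    # ICMPv6 type 136: Neighbor Advertisement
    leftsubnet=::/0[ipv6-icmp/136]
    rightsubnet=::/0[ipv6-icmp/136]
    type=passthrough
    auto=route
```

After restarting the daemon, `ipsec statusall` should list both passthrough conns as shunted connections, and the knl lines in charon.log show which source address is picked when the prefix changes.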

#3 Updated by Tobias Brunner about 1 month ago

  • Category set to network / firewall
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No feedback
