Bug #976
reqid setting is ignored since strongSwan 5.3.0
Description
I have several net-to-net and host-to-net ESP tunnel connections in use with fixed reqids and fixed iptables rules related to the connections.
After updating strongSwan from version 5.2.2 to 5.3.0, I recognized that I can't reach hosts on the other sites, while the SAs are established. While analyzing the problem, I see that the reqid settings in ipsec.conf are ignored and the SAs use reqids incremented from one onward, making my iptables rules useless.
Is this related to the new global CHILD_SA reqid allocation mechanism? Is there any workaround?
With kind Regards
Ralf
Here is an excerpt of my config from one site:

config setup
        strictcrlpolicy=yes
        cachecrls=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=%forever
        keyexchange=ikev2
        compress=no
        dpdaction=clear
        ike=aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha512-ecp512bp!
        esp=aes256-sha1,aes256-sha256-modp1024,aes256-sha512-ecp512bp!
        left=PUBLIC_IP
        leftcert=SITE_A.pem
        leftid="SITE_A"

conn siteB
        leftsubnet=PUBLIC_IP/32,192.168.3.0/24,192.168.10.0/24
        right=%any
        rightid="SITE_B"
        rightsubnet=192.168.6.0/24,192.168.8.220/32
        reqid=42
        auto=add
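The failure mode in this report is silent: the tunnel comes up, but because the kernel policies carry an auto-allocated reqid instead of the configured reqid=42, iptables rules that select traffic with `-m policy --reqid 42` stop matching and the far subnets become unreachable. The following POSIX shell script is an added example written for this page, not code from the reporter or from strongSwan; it parses the `src ... dst ...` / `tmpl ... proto esp reqid N` layout that `ip xfrm policy` prints, compares the installed reqid for a selector pair with the configured value, and emits the kind of reqid-based policy-match rule the report depends on. The two policy dumps are constructed samples (the outer addresses 203.0.113.10 and 198.51.100.20 are placeholders); on a real host you would feed it `"$(ip xfrm policy)"` instead.

```shell
#!/bin/sh
# Added example, not part of the original report or of strongSwan.
# Checks that the reqid the kernel actually installed for a selector pair
# equals the reqid configured in ipsec.conf, so a mismatch is caught before
# reqid-based iptables rules silently stop matching.

# Constructed `ip xfrm policy` output in iproute2's layout (indentation
# normalized to spaces). POLICY_OK honours reqid=42; POLICY_BROKEN shows the
# 5.3.0 symptom from the report: an auto-allocated reqid (1) instead of 42.
POLICY_OK='src 192.168.3.0/24 dst 192.168.6.0/24
    dir out priority 375423 ptype main
    tmpl src 203.0.113.10 dst 198.51.100.20
        proto esp reqid 42 mode tunnel
src 192.168.6.0/24 dst 192.168.3.0/24
    dir in priority 375423 ptype main
    tmpl src 198.51.100.20 dst 203.0.113.10
        proto esp reqid 42 mode tunnel'

POLICY_BROKEN='src 192.168.3.0/24 dst 192.168.6.0/24
    dir out priority 375423 ptype main
    tmpl src 203.0.113.10 dst 198.51.100.20
        proto esp reqid 1 mode tunnel'

# reqid_for SRC DST POLICY_TEXT
# Prints the reqid of the first policy whose selector is SRC -> DST.
# Prints nothing and returns 1 when no policy for that pair is installed.
reqid_for() {
    r=$(printf '%s\n' "$3" | awk -v src="$1" -v dst="$2" '
        # a "src X dst Y" line (not the indented "tmpl src ..." line) starts a policy
        $1 == "src" && $2 == src && $3 == "dst" && $4 == dst { want = 1; next }
        $1 == "src" { want = 0 }
        # the template line carries "proto esp reqid N mode tunnel"
        want && $1 == "proto" {
            for (i = 1; i <= NF; i++) if ($i == "reqid") { print $(i + 1); exit }
        }')
    [ -n "$r" ] && printf '%s\n' "$r"
}

# check_reqid EXPECTED SRC DST POLICY_TEXT
# Returns 0 on match, 1 on a reqid mismatch, 2 when the policy is missing.
check_reqid() {
    got=$(reqid_for "$2" "$3" "$4" || true)
    if [ -z "$got" ]; then
        printf 'NO POLICY  %s -> %s\n' "$2" "$3"
        return 2
    elif [ "$got" = "$1" ]; then
        printf 'OK         %s -> %s reqid %s\n' "$2" "$3" "$got"
        return 0
    else
        printf 'MISMATCH   %s -> %s expected reqid %s, kernel has %s\n' "$2" "$3" "$1" "$got"
        return 1
    fi
}

# iptables_rule REQID SUBNET
# The kind of rule the report relies on: xt_policy's --reqid selects packets
# that were decapsulated from the SA with that reqid, so the rule only matches
# while the kernel reqid equals the configured one.
iptables_rule() {
    printf 'iptables -A FORWARD -m policy --dir in --pol ipsec --proto esp --reqid %s -s %s -j ACCEPT\n' "$1" "$2"
}

# Demo run over both constructed samples (guarded so a mismatch does not abort
# the script under set -e).
for pol in "$POLICY_OK" "$POLICY_BROKEN"; do
    check_reqid 42 192.168.3.0/24 192.168.6.0/24 "$pol" || true
done
iptables_rule 42 192.168.6.0/24
```

To check a live box, replace the sample with `check_reqid 42 192.168.3.0/24 192.168.6.0/24 "$(ip xfrm policy)"`; the same selector can also be cross-checked against `ip xfrm state`, which prints the reqid per SA, and against `ipsec statusall`, which shows the reqid strongSwan believes it assigned.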
History
#1 Updated by Martin Willi over 10 years ago
- Tracker changed from Issue to Bug
- Status changed from New to Feedback
- Assignee set to Martin Willi
Hi Ralf,
Thanks for your bug report. In fact it seems to be true that fixed reqids are broken in 5.3.0 due to the reqid allocation refactorings.
You may try this patch to fix the issue.
Regards
Martin
#2 Updated by Ralf Rüther over 10 years ago
Hi Martin,
thanks a lot for the quick response. Your patch worked for me. Ticket may be closed.
Best regards
Ralf
#3 Updated by Tobias Brunner over 10 years ago
- Category set to libcharon
- Status changed from Feedback to Closed
- Target version set to 5.3.2
- Resolution set to Fixed