New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue with IPsec tunnel 23.1_6 and FQDN #6313
Comments
If I understand you correctly you are trying to use a fqdn on new (connections) versus old(tunnels), in which case it would make sense it doesn't work as the old pf** code tries to resolve the address instead of using the fqdn. core/src/etc/inc/plugins.inc.d/ipsec.inc Lines 666 to 669 in 7609985
Quite some of this weirdness is the reason to add a separate module to replace the tunnels in the long run, too many assumptions and side-effects in the code, not really using the standards offered by strongswan. |
The tunnel between 22.7.11 and 22.7.11 works this way and the tunnel beween 23.1_6 ( legacy mode) and 22.7.11 works also fine. |
if both use the same configuration (23.1.x), I would expect that it does work, you just can't mix addresses and fqdn's |
I'll try to upgrade my HA sense the next few days and the try it out. |
no, you can only revert minor versions. |
Just to note swanctl.conf is also used for old tunnels on 23.1, but its data model wasn’t changed and perhaps never will be. |
With the patch I could now also switch the second tunnel. |
Maybe it would fix the problem if I could maintain the fields "remote addresses"/"local addresses" and change the entry to "fqdn:host.example.org" , as it works for the automatically migrated tunnels. |
This issue has been automatically timed-out (after 180 days of inactivity). For more information about the policies for this repository, If someone wants to step up and work on this issue, |
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
I'm currently testing the migration of IPsec tunnels from ipsec.conf to swanctl.conf.
For this I've upgraded one side of the tunnel to 23.1_6. The migrated tunnel can be started from both sides without any problems.
Then I created an analog configuration with "Connections [new]" and deleted the old configuration.
Unfortunately, I find that now the tunnel can only be started from one side (23.1_6). From the other side this leads to the error NO_PROPOSAL_CHOSEN.
The problem seems to be that the site has no IP address at rightid but a FQDN.
If I change "Local addresses" at this site from FQDN to the current IP address, it is possible to initiate the tunnel from both sites again afterwards.
tunnel can only be initiated from side2 with this config
side1
ipsec.conf (22.7.11)
left = 99.99.99.99
right = host.example.org
side2
swanctl.conf (23.1.6)
local_addrs = host.example.org
remote_addrs = 99.99.99.99
tunnel can be initiated from both sides with this config
side1
ipsec.conf (22.7.11)
left = 99.99.99.99
right = host.example.org
side2
swanctl.conf (23.1.6)
local_addrs = 88.88.88.88
remote_addrs = 99.99.99.99
The text was updated successfully, but these errors were encountered: