
<div dir="ltr"><p class=""><span style="color:rgb(23,54,93)">Hi,</span></p>


<p class=""><span style="color:rgb(23,54,93)"> </span></p>


<p class=""><span style="color:rgb(23,54,93)">Strongswan: 4.5.3</span></p>


<p class=""><span style="color:rgb(23,54,93)"> </span></p>


<p class=""><span style="color:rgb(23,54,93)">Multiple IKE SA and Child SA created for single connection after DPD. </span></p>


<p class=""><span style="color:rgb(23,54,93)"> </span></p>


<p class=""><span style="color:rgb(23,54,93)">Is this expected behavior in strongswan? Is there any solution for this

issue?</span></p>


<p class=""><br></p><p class="" style><font color="#17365d">Please help me on this. </font></p>


<p class=""><span style="color:rgb(23,54,93)"> </span></p>


<p class=""><span style="color:rgb(23,54,93)">Node A ---------------------------------------------------------- Node B</span></p>


<p class=""><span style="color:rgb(23,54,93)">(Initiator)                                                                   (Responder)</span></p>


<p class=""><span style="color:rgb(23,54,93)"> </span></p>


<p class="" style="margin-left:54pt"><span style="color:rgb(23,54,93)">i)<span style="font-size:7pt;font-family:'Times New Roman'">                   

</span></span><span style="color:rgb(23,54,93)">IKE SA and Child SA created successfully. </span></p>


<p class="" style="margin-left:54pt"><span style="color:rgb(23,54,93)">ii)<span style="font-size:7pt;font-family:'Times New Roman'">                  

</span></span><span style="color:rgb(23,54,93)">After sometime, I am dowing the interface in Node B</span></p>


<p class="" style="margin-left:54pt"><span style="color:rgb(23,54,93)">iii)<span style="font-size:7pt;font-family:'Times New Roman'">                

</span></span><span style="color:rgb(23,54,93)">DPD detected in Node A and Node B</span></p>


<p class="" style="margin-left:54pt"><span style="color:rgb(23,54,93)">iv)<span style="font-size:7pt;font-family:'Times New Roman'">                

</span></span><span style="color:rgb(23,54,93)">Now, I am enabling the interface in Node B. </span></p>


<p class="" style="margin-left:54pt"><span style="color:rgb(23,54,93)">v)<span style="font-size:7pt;font-family:'Times New Roman'">                 

</span></span><span style="color:rgb(23,54,93)">Now, I can see multiple IKE and Child SA created. </span></p>


<p class=""><span style="color:rgb(23,54,93)"> </span></p>


<p class=""><span style="color:rgb(23,54,93)"><snip></span></p>


<p class=""><span style="color:rgb(23,54,93)"> </span></p>


<p class=""><span style="color:rgb(23,54,93)">Security Associations (2 up, 0 connecting):</span></p>


<p class=""><span style="color:rgb(23,54,93)">       <span style="background-color:yellow">conn2[2]: ESTABLISHED 30</span> seconds ago,

11.1.1.10...11.1.1.1</span></p>


<p class=""><span style="color:rgb(23,54,93)">       conn2[2]: IKE SPIs:

c758776e4d859a4d_i* c56456dab2c92f5b_r, rekeying in 23 hours</span></p>


<p class=""><span style="color:rgb(23,54,93)">       conn2[2]: IKE proposal:

AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024</span></p>


<p class=""><span style="color:rgb(23,54,93)">       conn2{2}:  INSTALLED, TUNNEL, ESP SPIs: caca238b_i

c53e6b15_o</span></p>


<p class=""><span style="color:rgb(23,54,93)">       conn2{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0

bytes_o, rekeying in 23 hours</span></p>


<p class=""><span style="color:rgb(23,54,93)">       conn2{2}:   <a href="http://3.3.3.0/24">3.3.3.0/24</a> === <a href="http://2.2.2.0/24">2.2.2.0/24</a></span></p>


<p class=""><span style="color:rgb(23,54,93)">       <span style="background-color:yellow">conn2[3]: ESTABLISHED 40</span> seconds ago,

11.1.1.10...11.1.1.1</span></p>


<p class=""><span style="color:rgb(23,54,93)">       conn2[3]: IKE SPIs:

3897913d0b314352_i fa4587e51953c26b_r*, rekeying in 23 hours</span></p>


<p class=""><span style="color:rgb(23,54,93)">       conn2[3]: IKE proposal:

AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024</span></p>


<p class=""><span style="color:rgb(23,54,93)">       conn2{3}:  INSTALLED, TUNNEL, ESP SPIs: cc44fadf_i

c685d6fe_o</span></p>


<p class=""><span style="color:rgb(23,54,93)">       conn2{3}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0

bytes_o, rekeying in 23 hours</span></p>


<p class=""><span style="color:rgb(23,54,93)">       conn2{3}:   <a href="http://3.3.3.0/24">3.3.3.0/24</a> === <a href="http://2.2.2.0/24">2.2.2.0/24</a></span></p>


<p class=""><span style="color:rgb(23,54,93)">linux-an0c:~ #</span></p>


<p class=""><span style="color:rgb(23,54,93)"> </span></p>


<p class=""><span style="color:rgb(23,54,93)">conn conn2</span></p>


<p class=""><span style="color:rgb(23,54,93)">  type=tunnel</span></p>


<p class=""><span style="color:rgb(23,54,93)">  rightsubnet=<a href="http://2.2.2.2/24">2.2.2.2/24</a></span></p>


<p class=""><span style="color:rgb(23,54,93)">  leftsubnet=<a href="http://3.3.3.3/24">3.3.3.3/24</a></span></p>


<p class=""><span style="color:rgb(23,54,93)">  right=11.1.1.1</span></p>


<p class=""><span style="color:rgb(23,54,93)">  left=11.1.1.10</span></p>


<p class=""><span style="color:rgb(23,54,93)">  keyexchange=ikev2</span></p>


<p class=""><span style="color:rgb(23,54,93)">  reauth=no</span></p>


<p class=""><span style="color:rgb(23,54,93)"> 

ike=aes128-sha1-modp1024,3des-sha1-modp1024!</span></p>


<p class=""><span style="color:rgb(23,54,93)">  ikelifetime=83796s</span></p>


<p class=""><span style="color:rgb(23,54,93)">  esp=aes128-sha1,3des-sha1!</span></p>


<p class=""><span style="color:rgb(23,54,93)">  authby=pubkey</span></p>


<p class=""><span style="color:rgb(23,54,93)">  rightid=%any</span></p>


<p class=""><span style="color:rgb(23,54,93)">  keylife=86400s</span></p>


<p class=""><span style="color:rgb(23,54,93)">  dpdaction=restart</span></p>


<p class=""><span style="color:rgb(23,54,93)">  dpddelay=10</span></p>


<p class=""><span style="color:rgb(23,54,93)">  dpdtimeout=120</span></p>


<p class=""><span style="color:rgb(23,54,93)">  rekeyfuzz=50%</span></p>


<p class=""><span style="color:rgb(23,54,93)">  rekeymargin=180s</span></p>


<p class=""><span style="color:rgb(23,54,93)"> </span></p>


<p class=""><span style="color:rgb(23,54,93)"></snip></span></p>


<p class=""><span style="color:rgb(23,54,93)"> </span></p>


<p class=""><span style="color:rgb(23,54,93)">Thanks. </span></p>


<p class=""><span style="color:rgb(23,54,93)"> </span></p>


<p class=""><span style="color:rgb(23,54,93)">Regards,</span></p>


<p class=""><span style="color:rgb(23,54,93)">Jegathesh.M</span></p></div>