[strongSwan] Duplicate IKE_SA?
Michael Schwartzkopff
ms at sys4.de
Sun May 31 09:44:44 CEST 2020
Hi,
we have a central gateway and several remote gateways. The setup should
be very simple, all fixed IP addresses, PSK authentication.
When I look at the status of the connections, I see that EVERY IKE_SA
exists in duplicate. The expiry times are far from being close to the timeout.
Sample output of statusall:
Connections:
VPN_a: 192.0.2.128...192.0.2.1 IKEv2, dpddelay=10s
VPN_a: local: [192.0.2.1] uses pre-shared key authentication
VPN_a: remote: [192.0.2.128] uses pre-shared key authentication
VPN_a: child: dynamic === 192.0.2.128/32 TUNNEL, dpdaction=hold
Security Associations (4 up, 0 connecting):
VPN_a[502011]: ESTABLISHED 47 minutes ago, 192.0.2.128[192.0.2.128]...192.0.2.1[192.0.2.1]
VPN_a[502011]: IKEv2 SPIs: 93fea54e631018b3_i e19e477bde676b42_r*, rekeying disabled
VPN_a[502011]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
VPN_a{502324}: INSTALLED, TUNNEL, reqid 3, ESP SPIs: c2a96e2c_i c36e31d1_o
VPN_a{502324}: AES_CBC_256/HMAC_SHA2_256_128, 3182 bytes_i (74 pkts, 15s ago), 7655 bytes_o (110 pkts, 0s ago), rekeying disabled
VPN_a{502324}: 192.0.2.128/32 === 192.0.2.1/32
VPN_a[502009]: ESTABLISHED 66 minutes ago, 192.0.2.128[192.0.2.128]...192.0.2.1[192.0.2.1]
VPN_a[502009]: IKEv2 SPIs: 40ab1a098c160549_i ded33f2f40286969_r*, rekeying disabled
VPN_a[502009]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
VPN_a{502323}: INSTALLED, TUNNEL, reqid 3, ESP SPIs: c2b8ec27_i cbabcc83_o
VPN_a{502323}: AES_CBC_256/HMAC_SHA2_256_128, 2226 bytes_i (51 pkts, 15s ago), 4681 bytes_o (72 pkts, 0s ago), rekeying disabled
VPN_a{502323}: 192.0.2.128/32 === 192.0.2.1/32
Any ideas why the gateways set up two IKE SAs?
Kind regards,
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
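
A check an operator could run over statusall output to flag the situation described in this post: more than one ESTABLISHED IKE_SA for the same connection and identity pair. This is an added example, not part of the original message or of strongSwan; the function names and the VPN_b entry in the sample are constructed, and the parser assumes the line layout shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the VPN_a entries follow the mail-wrapped output quoted
# in the post; VPN_b is an invented single-SA entry for contrast.
SAMPLE = """\
Security Associations (3 up, 0 connecting):
VPN_a[502011]: ESTABLISHED 47 minutes ago,
192.0.2.128[192.0.2.128]...192.0.2.1[192.0.2.1]
VPN_a[502011]: IKEv2 SPIs: 93fea54e631018b3_i e19e477bde676b42_r*,
rekeying disabled
VPN_a[502009]: ESTABLISHED 66 minutes ago,
192.0.2.128[192.0.2.128]...192.0.2.1[192.0.2.1]
VPN_a[502009]: IKEv2 SPIs: 40ab1a098c160549_i ded33f2f40286969_r*,
rekeying disabled
VPN_b[17]: ESTABLISHED 5 minutes ago, 192.0.2.129[192.0.2.129]...192.0.2.1[192.0.2.1]
"""

# A new entry starts with "name[id]:" (IKE_SA) or "name{id}:" (CHILD_SA);
# anything else is treated as the wrapped tail of the previous entry.
ENTRY = re.compile(r"^\s*[\w.-]+[\[{]\d+[\]}]:")
IKE_SA = re.compile(
    r"^(?P<conn>[\w.-]+)\[(?P<id>\d+)\]:\s+ESTABLISHED\s+(?P<age>.+?) ago,\s*"
    r"\S+?\[(?P<id_a>[^\]]*)\]\.\.\.\S+?\[(?P<id_b>[^\]]*)\]"
)

def unwrap(text):
    """Rejoin entries that a mail client or terminal wrapped across lines."""
    entries = []
    for line in text.splitlines():
        if ENTRY.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def duplicate_ike_sas(text):
    """Map (connection, identity, identity) to its IKE_SAs when there are 2+."""
    groups = defaultdict(list)
    for entry in unwrap(text):
        m = IKE_SA.match(entry)
        if m:
            key = (m["conn"], m["id_a"], m["id_b"])
            groups[key].append((int(m["id"]), m["age"]))
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    for (conn, a, b), sas in duplicate_ike_sas(SAMPLE).items():
        ids = ", ".join(f"[{i}] up {age}" for i, age in sas)
        print(f"{conn} {a}...{b}: {len(sas)} IKE_SAs: {ids}")
```

Grouping by the bracketed identities rather than by SPI is what makes the two VPN_a entries collide; the SA ids and ages are kept so the older SA can be told apart from the newer one.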