<div>Thanks to both Martin and Andreas :)</div>
<div> </div>
<div>I changed "auto=start" to "auto=add" on one of the machines, and now I get only one SA. Also, thanks a lot for the explanation on what to expect once the SA is established. I sent some traffic using iperf tool, and saw that it is sent using ipsec. I am still playing around with it actually.</div>
<div> </div>
<div>Regards,</div>
<div>Meera <br><br></div>
<div class="gmail_quote">On Tue, Mar 29, 2011 at 5:54 PM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Hello Meera,<br><br>the work of the IKEv2 daemon is done and charon will become active<br>only during the next CHILD_SA rekeying (scheduled in 40 minutes)<br>
and the next IKEv2 reauthentication (scheduled in 2 hours).<br><br>The IKE daemon creates an IPsec policy<br><br> ip -s xfrm policy<br><br>and and IPsec security association<br><br> ip -s xfrm state<br><br>in the Linux kernel which route and encrypt/decrypt all IP packets<br>
using the IPsec ESP protocol.<br><br>Regards<br><br>Andreas<br><br>P.S. You seem to have started both sides with auto=start resulting<br> in two concurrent IPsec SAs. Although this does not cause any<br> harm if you upgrade to strongSwan 4.5.1 one of the redundant<br>
IKE_SA/CHILD_SA pairs will be automatically deleted.<br><br>On 29.03.2011 14:02, Meera Sudhakar wrote<br>
<div class="im">> Hi Andreas<br>><br>> I was able to setup an IKE_SA and its CHILD_SA between my initiator and<br>> responder. Just pasting the result of 'ipsec statusall' here:<br>><br></div>> *root@cip-Latitude-D520* <mailto:<a href="mailto:root@cip-Latitude-D520">root@cip-Latitude-D520</a>>*:~# ipsec statusall<br>
<div class="im">> *Status of IKEv2 charon daemon (strongSwan 4.4.0):<br>> uptime: 3 minutes, since Mar 28 18:54:41 2011<br>> worker threads: 7 idle of 16, job queue load: 0, scheduled events: 5<br>> loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey<br>
> pkcs1 pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr<br>> kernel-netlink socket-default farp stroke updown eap-identity eap-aka<br>> eap-md5 eap-gtc eap-mschapv2 dhcp resolve<br>> Listening IP addresses:<br>
> 10.58.114.215<br>> Connections:<br>> sample-with-ca-cert: 10.58.114.215...10.58.112.139<br>> sample-with-ca-cert: local: [C=CH, O=strongSwan, CN=10.58.114.215]<br>> uses public key authentication<br>
> sample-with-ca-cert: cert: "C=CH, O=strongSwan, CN=10.58.114.215"<br>> sample-with-ca-cert: remote: [C=CH, O=strongSwan, CN=10.58.112.139]<br>> uses any authentication<br></div>> sample-with-ca-cert: child: <a href="http://10.58.114.0/24" target="_blank">10.58.114.0/24</a> <<a href="http://10.58.114.0/24" target="_blank">http://10.58.114.0/24</a>><br>
> === <a href="http://10.58.112.0/24" target="_blank">10.58.112.0/24</a> <<a href="http://10.58.112.0/24" target="_blank">http://10.58.112.0/24</a>><br>
<div class="im">> Security Associations:<br>> sample-with-ca-cert[1]: ESTABLISHED 2 minutes ago, 10.58.114.215[C=CH,<br>> O=strongSwan, CN=10.58.114.215]...10.58.112.139[C=CH, O=strongSwan,<br>> CN=10.58.112.139]<br>
> sample-with-ca-cert[1]: IKE SPIs: fdcf7ac0cdf2c04f_i*<br>> 983a0c5155be9623_r, public key reauthentication in 2 hours<br>> sample-with-ca-cert[1]: IKE proposal:<br>> AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br>
> sample-with-ca-cert{2}: INSTALLED, TUNNEL, ESP SPIs: cbf77aa0_i cf97ba8b_o<br>> sample-with-ca-cert{2}: AES_CBC_128/HMAC_SHA1_96, 4916 bytes_i (147s<br>> ago), 2892 bytes_o (161s ago), rekeying in 40 minutes<br>
</div>> sample-with-ca-cert{2}: <a href="http://10.58.114.0/24" target="_blank">10.58.114.0/24</a> <<a href="http://10.58.114.0/24" target="_blank">http://10.58.114.0/24</a>> ===<br>> <a href="http://10.58.112.0/24" target="_blank">10.58.112.0/24</a> <<a href="http://10.58.112.0/24" target="_blank">http://10.58.112.0/24</a>><br>
<div class="im">> sample-with-ca-cert[2]: ESTABLISHED 3 minutes ago, 10.58.114.215[C=CH,<br>> O=strongSwan, CN=10.58.114.215]...10.58.112.139[C=CH, O=strongSwan,<br>> CN=10.58.112.139]<br>> sample-with-ca-cert[2]: IKE SPIs: 396e462689843cdf_i<br>
> 5dbd4f8988e5cd1f_r*, public key reauthentication in 2 hours<br>> sample-with-ca-cert[2]: IKE proposal:<br>> AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br>> sample-with-ca-cert{1}: INSTALLED, TUNNEL, ESP SPIs: cdbdb1cc_i c33cd52e_o<br>
> sample-with-ca-cert{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,<br>> rekeying in 42 minutes<br></div>> sample-with-ca-cert{1}: <a href="http://10.58.114.0/24" target="_blank">10.58.114.0/24</a> <<a href="http://10.58.114.0/24" target="_blank">http://10.58.114.0/24</a>> ===<br>
> <a href="http://10.58.112.0/24" target="_blank">10.58.112.0/24</a> <<a href="http://10.58.112.0/24" target="_blank">http://10.58.112.0/24</a>><br>
<div class="im">><br>><br>> I am using strongswan for the first time, and I am not sure where the<br>> use of strongswan ends. Could you please help me understand this? My<br>> queries are:<br>><br>> 1. Stongswan created the IKE_SA and CHILD_SA, and then nothing more<br>
> happens. Is this correct?<br>> 2. I believe that IPsec traffic will flow through the CHILD_SA. How will<br>> this happen? Can strongswan handle it, or should I use some other tool?<br>><br>> I know these questions might be kind of silly, but please help me get a<br>
> better idea of what I'm doing.<br>><br>> Thanks and regards,<br>> Meera<br><br><br></div>======================================================================<br><font color="#888888">Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>
strongSwan - the Linux VPN Solution! <a href="http://www.strongswan.org/" target="_blank">www.strongswan.org</a><br>Institute for Internet Technologies and Applications<br>University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>===========================================================[ITA-HSR]==<br></font></blockquote></div><br>