Hi Andreas,<div><br></div><div> One question regarding tunnel mode:</div><div><br></div><div> I have the following SAs set up using IKEv2. The following is the output of ipsec statusall:</div><div> </div><div> <font class="Apple-style-span" color="#3333ff"><i> Performance:</i></font></div>
<div><font class="Apple-style-span" color="#3333ff"><i> uptime: 15 seconds, since Jul 25 05:16:42 2011</i></font></div><div><font class="Apple-style-span" color="#3333ff"><i> worker threads: 9 idle of 16, job queue load: 0, scheduled events: 3</i></font></div>
<div><font class="Apple-style-span" color="#3333ff"><i> loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink stroke updown</i></font></div><div><font class="Apple-style-span" color="#3333ff"><i>Listening IP addresses:</i></font></div>
<div><font class="Apple-style-span" color="#3333ff"><i> 10.1.1.10</i></font></div><div><font class="Apple-style-span" color="#3333ff"><i> 10.205.30.62</i></font></div><div><font class="Apple-style-span" color="#3333ff"><i>Connections:</i></font></div>
<div><font class="Apple-style-span" color="#3333ff"><i> arb1: 10.1.1.10[10.1.1.10]...10.1.1.20[10.1.1.20]</i></font></div><div><font class="Apple-style-span" color="#3333ff"><i> arb1: pre-shared key authentication</i></font></div>
<div><font class="Apple-style-span" color="#3333ff"><i> arb1: 10.205.30.254/32 === 30.0.0.1/32</i></font></div><div><font class="Apple-style-span" color="#3333ff"><i> arb2: dynamic === dynamic</i></font></div>
<div><font class="Apple-style-span" color="#3333ff"><i>Security Associations:</i></font></div><div><font class="Apple-style-span" color="#3333ff"><i> arb1[1]: ESTABLISHED 4 seconds ago, 10.1.1.10[10.1.1.10]...10.1.1.20[10.1.1.20]</i></font></div>
<div><font class="Apple-style-span" color="#3333ff"><i> arb1[1]: IKE SPIs: a4a2683d4df70a67_i 7861d952132dcc14_r*, rekeying in 2 hours</i></font></div><div><font class="Apple-style-span" color="#3333ff"><i> arb1[1]: IKE proposal: AES_CBC-128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024_BIT</i></font></div>
<div><font class="Apple-style-span" color="#3333ff"><i> arb1{1}: INSTALLED, TUNNEL, ESP SPIs: ca075713_i 7a189428_o</i></font></div><div><font class="Apple-style-span" color="#3333ff"><i> arb1{1}: AES_CBC-128/HMAC_MD5_96, rekeying in 58 minutes, last use: 4s_i no_o</i></font></div>
<div><font class="Apple-style-span" color="#3333ff"><i> arb1{1}: 10.205.30.254/32 === 30.0.0.1/32</i></font></div><div><font class="Apple-style-span" color="#3333ff"><i> arb1{2}: INSTALLED, TUNNEL, ESP SPIs: c24cf23c_i 01cc4444_o</i></font></div>
<div><font class="Apple-style-span" color="#3333ff"><i> arb1{2}: AES_CBC-128/HMAC_MD5_96, rekeying in 58 minutes, last use: 4s_i no_o</i></font></div><div><font class="Apple-style-span" color="#3333ff"><i> arb1{2}: 10.205.30.254/32 === 30.0.0.1/32</i></font></div>
<div><font class="Apple-style-span" color="#3333ff"><i><br></i></font></div><div><font class="Apple-style-span" color="#333333">As you can see from the above output, there are a couple of CHILD_SAs over one IKE_SA.</font></div>
<div><font class="Apple-style-span" color="#333333"><br></font></div><div><font class="Apple-style-span" color="#333333">The problem I am facing is that when I send a data packet (ping) from 30.0.0.1 to 10.205.30.254 over the tunnel, the following behaviour happens:</font></div>
<div><font class="Apple-style-span" color="#333333"><br></font></div><div><font class="Apple-style-span" color="#333333"> The data packet is forwarded when using the SA for arb1{2} - In SPI: </font><span class="Apple-style-span" style="color: rgb(51, 51, 255); "><i>c24cf23c_i </i></span></div>
<div><font class="Apple-style-span" color="#333333"> but the data packet doesn't get forwarded using arb1{1} - In SPI: </font><span class="Apple-style-span" style="color: rgb(51, 51, 255); "><i>ca075713_i </i></span></div>
<div><span class="Apple-style-span" style="color: rgb(51, 51, 255); "><i><br></i></span></div><div><font class="Apple-style-span" color="#333333">I have attached my ipsec.conf file in case you need to have a look. I have also checked the sysctl variables for IP forwarding and enabled IPv4 forwarding on all interfaces.</font></div>
<div><font class="Apple-style-span" color="#333333"><br></font></div><div><font class="Apple-style-span" color="#333333">Can you tell me whether the previously established CHILD_SA will not be used at all once a new SA is available?</font></div>
<div><font class="Apple-style-span" color="#333333"><br></font></div><div><font class="Apple-style-span" color="#333333">Regards</font></div><div><font class="Apple-style-span" color="#333333">Arnab</font></div>
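<div>A diagnostic check for the situation described in the message above, added here as an example; it is not part of the original post and not strongSwan code. It parses the CHILD_SA lines of <i>ipsec statusall</i> and flags CHILD_SAs that sit under the same IKE_SA with identical traffic selectors, which is the condition where only one of the SAs ends up carrying traffic while the other stays idle. The sample input is the output quoted above; the function names and record layout are my own.</div>

```python
import re
from collections import defaultdict

# Constructed sample: the "Security Associations" part of the ipsec statusall
# output quoted in the message above (auto-link markup removed).
SAMPLE_STATUS = """\
Security Associations:
 arb1[1]: ESTABLISHED 4 seconds ago, 10.1.1.10[10.1.1.10]...10.1.1.20[10.1.1.20]
 arb1[1]: IKE SPIs: a4a2683d4df70a67_i 7861d952132dcc14_r*, rekeying in 2 hours
 arb1[1]: IKE proposal: AES_CBC-128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024_BIT
 arb1{1}: INSTALLED, TUNNEL, ESP SPIs: ca075713_i 7a189428_o
 arb1{1}: AES_CBC-128/HMAC_MD5_96, rekeying in 58 minutes, last use: 4s_i no_o
 arb1{1}: 10.205.30.254/32 === 30.0.0.1/32
 arb1{2}: INSTALLED, TUNNEL, ESP SPIs: c24cf23c_i 01cc4444_o
 arb1{2}: AES_CBC-128/HMAC_MD5_96, rekeying in 58 minutes, last use: 4s_i no_o
 arb1{2}: 10.205.30.254/32 === 30.0.0.1/32
"""

# statusall prints IKE_SAs as name[id] and CHILD_SAs as name{id}.
IKE_RE = re.compile(r"^\s*(?P<conn>\S+)\[(?P<id>\d+)\]:\s+(?P<rest>.*)$")
CHILD_RE = re.compile(r"^\s*(?P<conn>\S+)\{(?P<id>\d+)\}:\s+(?P<rest>.*)$")
SPI_RE = re.compile(r"ESP SPIs:\s+(?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o")
TS_RE = re.compile(r"^(?P<local>.+?)\s+===\s+(?P<remote>.+)$")


def parse_child_sas(status_text):
    """Return CHILD_SA records (dicts) found in ipsec statusall output.

    A CHILD_SA is attributed to the most recently listed IKE_SA of the same
    connection, which is how statusall groups its lines.
    """
    children, order, current_ike = {}, [], {}
    in_sa_section = False
    for line in status_text.splitlines():
        if line.startswith("Security Associations"):
            in_sa_section = True
            continue
        if not in_sa_section:
            continue
        m = IKE_RE.match(line)
        if m:
            current_ike[m["conn"]] = int(m["id"])
            continue
        m = CHILD_RE.match(line)
        if not m:
            continue
        key = (m["conn"], int(m["id"]))
        rec = children.get(key)
        if rec is None:
            rec = {"conn": m["conn"], "ike_id": current_ike.get(m["conn"]),
                   "child_id": int(m["id"]), "state": None, "mode": None,
                   "spi_in": None, "spi_out": None,
                   "local_ts": None, "remote_ts": None}
            children[key] = rec
            order.append(key)
        rest = m["rest"]
        s = SPI_RE.search(rest)
        if s:
            # "INSTALLED, TUNNEL, ESP SPIs: ..." -> state and mode are the
            # first two comma-separated fields.
            state, mode = [p.strip() for p in rest.split(",")[:2]]
            rec.update(state=state, mode=mode,
                       spi_in=s["spi_in"], spi_out=s["spi_out"])
            continue
        t = TS_RE.match(rest)
        if t:
            rec.update(local_ts=t["local"].strip(), remote_ts=t["remote"].strip())
    return [children[k] for k in order]


def find_duplicate_child_sas(children):
    """Group installed CHILD_SAs by (conn, IKE_SA, selectors); keep groups > 1."""
    groups = defaultdict(list)
    for rec in children:
        if rec["state"] != "INSTALLED":
            continue
        groups[(rec["conn"], rec["ike_id"],
                rec["local_ts"], rec["remote_ts"])].append(rec)
    return {k: v for k, v in groups.items() if len(v) > 1}


def report(status_text):
    """One human-readable line per set of CHILD_SAs sharing selectors."""
    lines = []
    for (conn, ike_id, lts, rts), recs in find_duplicate_child_sas(
            parse_child_sas(status_text)).items():
        ids = ", ".join(f"{conn}{{{r['child_id']}}} (in {r['spi_in']}, "
                        f"out {r['spi_out']})" for r in recs)
        lines.append(f"{conn}[{ike_id}] {lts} === {rts}: {len(recs)} "
                     f"CHILD_SAs share these selectors: {ids}")
    return lines


if __name__ == "__main__":
    # Pipe real output in with: ipsec statusall | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    for line in report(text) or ["no duplicate CHILD_SAs found"]:
        print(line)
```

<div>Run against the quoted output it reports the two arb1 CHILD_SAs (SPIs ca075713/7a189428 and c24cf23c/01cc4444) as sharing the selector pair 10.205.30.254/32 === 30.0.0.1/32 under arb1[1]. A clean setup normally shows one installed CHILD_SA per selector pair, briefly two only while a rekey is in progress, so a persistent duplicate is worth tracing back to why a second CHILD_SA was negotiated.</div>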