<div>Hi Again,</div>
<div> </div>
<div>Can anyone please explain why strongSwan 5.0.0 installs two tunnels with IKEv1 but only one with IKEv2? Is this expected behaviour?</div>
<div> </div>
<div>Thanks!</div>
<div> </div>
<div>Jordan.<br></div>
<div class="gmail_quote">On Wed, Jul 4, 2012 at 3:59 PM, yordanos beyene <span dir="ltr"><<a href="mailto:yordanosb@gmail.com" target="_blank">yordanosb@gmail.com</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">
<div>Hi,</div>
<div> </div>
<div>I created <strong>site-to-site</strong> vpn with strongSwan 5.0.0. IKEv1 installs duplicate tunnels but IKEv2 works as expected.</div>
<div>See my configuration and ipsec statusall output for both scenarios. Please advise if the IKEv1 output is expected or if there is any change I need to make in my configuration.</div>
<div> </div>
<div>strongSwan is running on two CentOS machines, and my end hosts are Win7. I initiated the IKE negotiation by starting a ping from one Win7 host to the other.</div>
<div> </div>
<div><strong>=====IKEv1 configuration and ipsec statusall=====</strong></div>
<div><strong>ipsec.conf for centos1</strong></div>
<div># ipsec.conf - strongSwan IPsec configuration file</div>
<div># basic configuration</div>
<div>config setup<br> #plutodebug=control<br> #plutostart=no</div>
<div>conn %default<br> ikelifetime=60m<br> keylife=20m<br> rekeymargin=3m</div>
<div>conn net-net<br> keyingtries=1<br> keyexchange=ikev1<br> authby=secret<br> left=172.16.20.1<br> leftsubnet=172.16.50.0/24<br> leftid=@centos1.test.net<br> leftfirewall=no<br> right=172.16.20.2<br> rightsubnet=172.16.60.0/24<br> rightid=@centos2.test.net<br> auto=route<br></div>
<div>
<div>
<div><strong>ipsec.conf for centos2</strong></div></div></div>
<div> # ipsec.conf - strongSwan IPsec configuration file</div>
<div># basic configuration<br>config setup<br> #plutodebug=control<br> #plutostart=no</div>
<div>conn %default<br> ikelifetime=60m<br> keylife=20m<br> rekeymargin=3m</div>
<div>conn net-net<br> keyingtries=1<br> keyexchange=ikev1<br> authby=secret<br> left=172.16.20.2<br> leftsubnet=172.16.60.0/24<br> leftid=@centos2.test.net<br> leftfirewall=no<br> right=172.16.20.1<br> rightsubnet=172.16.50.0/24<br> rightid=@centos1.test.net<br> auto=route</div>
<div> </div>
<div><strong>centos1 ipsec statusall output</strong></div>
<div>[root@centos-01 ~]# ipsec statusall<br>Status of IKE charon daemon (strongSwan 5.0.0, Linux 2.6.32-220.el6.i686, i686):<br> uptime: 65 seconds, since Jul 04 12:58:34 2012<br>... </div>
<div>Listening IP addresses:<br> 172.16.20.1<br> 172.16.50.1<br> 192.168.0.114<br>Connections:<br> net-net: 172.16.20.1...172.16.20.2 IKEv1<br> net-net: local: [centos1.test.net] uses pre-shared key authentication<br>
net-net: remote: [centos2.test.net] uses pre-shared key authentication<br> net-net: child: 172.16.50.0/24 === 172.16.60.0/24 TUNNEL<br>
Routed Connections:<br> net-net{1}: ROUTED, TUNNEL<br> net-net{1}: 172.16.50.0/24 === 172.16.60.0/24<br>Security Associations (1 up, 0 connecting):<br>
net-net[1]: ESTABLISHED 26 seconds ago, 172.16.20.1[centos1.test.net]...172.16.20.2[centos2.test.net]<br> net-net[1]: IKEv1 SPIs: e36ac562faaf6552_i* 2d73a82503c8ba33_r, pre-shared key reauthentication in 54 minutes<br>
net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br> <strong>net-net{1}: INSTALLED, TUNNEL, ESP SPIs: c3287b68_i c7445ee4_o<br></strong> net-net{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 1020 bytes_o (1s ago), rekeying in 15 minutes<br>
net-net{1}: 172.16.50.10/32[icmp/8] === 172.16.60.10/32[icmp]<br> <strong>net-net{2}: INSTALLED, TUNNEL, ESP SPIs: ccd6a57c_i c71087c5_o<br></strong> net-net{2}: AES_CBC_128/HMAC_SHA1_96, 960 bytes_i (1s ago), 0 bytes_o, rekeying in 14 minutes<br> net-net{2}: 172.16.50.10/32[icmp] === 172.16.60.10/32[icmp]<br>
</div>
<div>
<div><strong>centos2 ipsec statusall output:</strong></div>
<div>[root@centos-02 ~]# ipsec statusall<br>Status of IKE charon daemon (strongSwan 5.0.0, Linux 2.6.32-220.el6.i686, i686):<br> uptime: 39 seconds, since Jul 04 12:58:45 2012<br>... </div>
<div>Listening IP addresses:<br> 172.16.20.2<br> 172.16.60.1<br> 192.168.0.115<br>Connections:<br> net-net: 172.16.20.2...172.16.20.1 IKEv1<br> net-net: local: [centos2.test.net] uses pre-shared key authentication<br>
net-net: remote: [centos1.test.net] uses pre-shared key authentication<br> net-net: child: 172.16.60.0/24 === 172.16.50.0/24 TUNNEL<br>
Routed Connections:<br> net-net{1}: ROUTED, TUNNEL<br> net-net{1}: 172.16.60.0/24 === 172.16.50.0/24<br>Security Associations (1 up, 0 connecting):<br>
net-net[1]: ESTABLISHED 18 seconds ago, 172.16.20.2[centos2.test.net]...172.16.20.1[centos1.test.net]<br> net-net[1]: IKEv1 SPIs: e36ac562faaf6552_i 2d73a82503c8ba33_r*, pre-shared key reauthentication in 54 minutes<br>
net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br> <strong>net-net{2}: INSTALLED, TUNNEL, ESP SPIs: c7445ee4_i c3287b68_o<br></strong> net-net{2}: AES_CBC_128/HMAC_SHA1_96, 660 bytes_i (0s ago), 0 bytes_o, rekeying in 14 minutes<br>
net-net{2}: 172.16.60.10/32[icmp] === 172.16.50.10/32[icmp/8]<br> <strong>net-net{1}: INSTALLED, TUNNEL, ESP SPIs: c71087c5_i ccd6a57c_o<br></strong> net-net{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 600 bytes_o (0s ago), rekeying in 14 minutes<br> net-net{1}: 172.16.60.10/32[icmp] === 172.16.50.10/32[icmp]<br>
</div>
<div>
<div><strong>=====IKEv2 configuration and ipsec statusall=====</strong></div>
<div>
<div><strong>ipsec.conf for centos1 and centos2</strong></div>
<div>ipsec.conf for centos1 and centos2 is identical to the IKEv1 configuration, with the exception that "keyexchange=ikev2" is used instead of "keyexchange=ikev1".<br></div>
<div><strong>centos1 ipsec statusall output:</strong></div></div>
<div>[root@centos-01 ~]# ipsec statusall<br>Status of IKE charon daemon (strongSwan 5.0.0, Linux 2.6.32-220.el6.i686, i686):<br> uptime: 52 seconds, since Jul 04 13:03:28 2012<br>.... </div>
<div>Listening IP addresses:<br> 172.16.20.1<br> 172.16.50.1<br> 192.168.0.114<br>Connections:<br> net-net: 172.16.20.1...172.16.20.2 IKEv2<br> net-net: local: [centos1.test.net] uses pre-shared key authentication<br>
net-net: remote: [centos2.test.net] uses pre-shared key authentication<br> net-net: child: 172.16.50.0/24 === 172.16.60.0/24 TUNNEL<br>
Routed Connections:<br> net-net{1}: ROUTED, TUNNEL<br> net-net{1}: 172.16.50.0/24 === 172.16.60.0/24<br>Security Associations (1 up, 0 connecting):<br>
net-net[1]: ESTABLISHED 14 seconds ago, 172.16.20.1[centos1.test.net]...172.16.20.2[centos2.test.net]<br> net-net[1]: IKEv2 SPIs: e2b4f97331fbc456_i* cb94400f15735d88_r, pre-shared key reauthentication in 51 minutes<br>
net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br> <strong>net-net{1}: INSTALLED, TUNNEL, ESP SPIs: c3ea4626_i cd83b323_o<br></strong> net-net{1}: AES_CBC_128/HMAC_SHA1_96, 600 bytes_i (0s ago), 600 bytes_o (0s ago), rekeying in 13 minutes<br>
net-net{1}: 172.16.50.0/24 === 172.16.60.0/24<br>===</div>
<div> </div>
<div>
<div><strong>centos2 ipsec statusall output:</strong></div></div>
<div>[root@centos-02 ~]# ipsec statusall<br>Status of IKE charon daemon (strongSwan 5.0.0, Linux 2.6.32-220.el6.i686, i686):</div>
<div> uptime: 87 seconds, since Jul 04 13:03:45 2012<br>... </div>
<div>Listening IP addresses:<br> 172.16.20.2<br> 172.16.60.1<br> 192.168.0.115<br>Connections:<br> net-net: 172.16.20.2...172.16.20.1 IKEv2<br> net-net: local: [centos2.test.net] uses pre-shared key authentication<br>
net-net: remote: [centos1.test.net] uses pre-shared key authentication<br> net-net: child: 172.16.60.0/24 === 172.16.50.0/24 TUNNEL<br>
Routed Connections:<br> net-net{1}: ROUTED, TUNNEL<br> net-net{1}: 172.16.60.0/24 === 172.16.50.0/24<br>Security Associations (1 up, 0 connecting):<br>
net-net[1]: ESTABLISHED 75 seconds ago, 172.16.20.2[centos2.test.net]...172.16.20.1[centos1.test.net]<br> net-net[1]: IKEv2 SPIs: e2b4f97331fbc456_i cb94400f15735d88_r*, pre-shared key reauthentication in 53 minutes<br>
net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br> <strong>net-net{2}: INSTALLED, TUNNEL, ESP SPIs: cd83b323_i c3ea4626_o<br></strong> net-net{2}: AES_CBC_128/HMAC_SHA1_96, 4140 bytes_i (1s ago), 4140 bytes_o (1s ago), rekeying in 13 minutes<br>
net-net{2}: 172.16.60.0/24 === 172.16.50.0/24<br></div>
<div> </div>
<div>Thank you!</div>
<div> </div>
<div>Jordan.</div></div></div></blockquote></div><br>
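<div>The difference the thread is asking about is visible in the two <code>ipsec statusall</code> listings: under IKEv1 the installed CHILD_SAs carry host/protocol-specific selectors (172.16.50.10/32[icmp/8] === 172.16.60.10/32[icmp]) rather than the configured /24 subnets, and there are two of them, one per direction of the ping; under IKEv2 one CHILD_SA carries the full 172.16.50.0/24 === 172.16.60.0/24. The following is an added example, not code from the thread or from strongSwan: a small Python parser that reads <code>ipsec statusall</code> text, maps each installed CHILD_SA to its connection, and flags selectors narrower than the configured leftsubnet/rightsubnet. The line layout it expects is the 5.x format shown above (an assumption; other versions may differ), and the two embedded samples are transcribed from the centos1 output in the thread with whitespace reconstructed.</div>

```python
"""Check `ipsec statusall` output for CHILD_SAs whose traffic selectors are
narrower than the configured subnets. Added example for this thread, not
strongSwan code; the regexes assume the 5.x statusall line layout."""
import re
from ipaddress import ip_network

# Constructed sample: the centos1 IKEv1 output quoted in the thread, trimmed
SAMPLE_IKEV1 = """\
Connections:
     net-net:  172.16.20.1...172.16.20.2  IKEv1
     net-net:   child:  172.16.50.0/24 === 172.16.60.0/24 TUNNEL
Routed Connections:
     net-net{1}:  ROUTED, TUNNEL
     net-net{1}:   172.16.50.0/24 === 172.16.60.0/24
Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 26 seconds ago, 172.16.20.1[centos1.test.net]...172.16.20.2[centos2.test.net]
     net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c3287b68_i c7445ee4_o
     net-net{1}:   172.16.50.10/32[icmp/8] === 172.16.60.10/32[icmp]
     net-net{2}:  INSTALLED, TUNNEL, ESP SPIs: ccd6a57c_i c71087c5_o
     net-net{2}:   172.16.50.10/32[icmp] === 172.16.60.10/32[icmp]
"""
# Constructed sample: the centos1 IKEv2 output quoted in the thread, trimmed
SAMPLE_IKEV2 = """\
Connections:
     net-net:   child:  172.16.50.0/24 === 172.16.60.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 14 seconds ago, 172.16.20.1[centos1.test.net]...172.16.20.2[centos2.test.net]
     net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c3ea4626_i cd83b323_o
     net-net{1}:   172.16.50.0/24 === 172.16.60.0/24
"""

SECTION_RE = re.compile(r"^(Connections|Routed Connections|Security Associations)\b")
CHILD_CONF_RE = re.compile(r"^\s*(?P<conn>[\w.-]+):\s+child:\s+(?P<local>\S+) === (?P<remote>\S+)")
IKE_SA_RE = re.compile(r"^\s*(?P<conn>[\w.-]+)\[(?P<id>\d+)\]: ESTABLISHED")
CHILD_SA_RE = re.compile(r"^\s*(?P<conn>[\w.-]+)\{(?P<id>\d+)\}:\s+INSTALLED, (?P<mode>\w+), "
                         r"ESP SPIs: (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o")
CHILD_TS_RE = re.compile(r"^\s*(?P<conn>[\w.-]+)\{(?P<id>\d+)\}:\s+(?P<local>\S+) === (?P<remote>\S+)\s*$")
TS_RE = re.compile(r"^(?P<net>[^\[]+)(?:\[(?P<qual>[^\]]+)\])?$")


def split_ts(ts):
    """'172.16.50.10/32[icmp/8]' -> (IPv4Network('172.16.50.10/32'), 'icmp/8')."""
    m = TS_RE.match(ts)
    if not m:
        raise ValueError("unparsable traffic selector: %r" % ts)
    return ip_network(m.group("net"), strict=False), m.group("qual")


def is_narrowed(ts, configured):
    """True if a negotiated selector covers less than the configured subnet:
    a strict sub-network, or a protocol/port qualifier such as [icmp/8]."""
    net, qual = split_ts(ts)
    conf, _ = split_ts(configured)
    return qual is not None or (net != conf and net.subnet_of(conf))


def parse_statusall(text):
    """Return (configured child selectors, IKE_SA keys, CHILD_SA details)."""
    configured, ike_sas, children, section = {}, set(), {}, None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        if section == "Connections":
            m = CHILD_CONF_RE.match(line)
            if m:
                configured[m.group("conn")] = (m.group("local"), m.group("remote"))
        elif section == "Security Associations":
            m = IKE_SA_RE.match(line)
            if m:
                ike_sas.add((m.group("conn"), int(m.group("id"))))
                continue
            m = CHILD_SA_RE.match(line)
            if m:
                children[(m.group("conn"), int(m.group("id")))] = {
                    "mode": m.group("mode"), "spi_in": m.group("spi_in"), "spi_out": m.group("spi_out")}
                continue
            m = CHILD_TS_RE.match(line)  # the selector line follows the INSTALLED line
            if m and (m.group("conn"), int(m.group("id"))) in children:
                child = children[(m.group("conn"), int(m.group("id")))]
                child["local"], child["remote"] = m.group("local"), m.group("remote")
    return configured, ike_sas, children


def summarize(text):
    """Per connection: IKE_SA count, installed CHILD_SA count, and the ids of
    CHILD_SAs whose selectors are narrower than leftsubnet/rightsubnet."""
    configured, ike_sas, children = parse_statusall(text)
    report = {}
    for conn, (conf_local, conf_remote) in configured.items():
        ids = sorted(i for c, i in children if c == conn)
        narrowed = [i for i in ids
                    if is_narrowed(children[(conn, i)].get("local", conf_local), conf_local)
                    or is_narrowed(children[(conn, i)].get("remote", conf_remote), conf_remote)]
        report[conn] = {"ike_sas": sum(1 for c, _ in ike_sas if c == conn),
                        "child_sas": len(ids), "narrowed_child_sas": narrowed}
    return report


if __name__ == "__main__":
    for name, sample in (("IKEv1", SAMPLE_IKEV1), ("IKEv2", SAMPLE_IKEV2)):
        print(name, summarize(sample))
```

<div>Run against the IKEv1 sample the report shows one IKE_SA with two CHILD_SAs, both narrowed; against the IKEv2 sample it shows one CHILD_SA whose selectors equal the configured subnets. On a live gateway the same check can be fed with <code>ipsec statusall</code> output directly, which makes it easy to spot a tunnel that is only carrying a single host or protocol pair when the intent was a full site-to-site subnet.</div>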