Hi Everyone,

I appreciate any tips to bring up net-net tunnels in my environment. I am using strongSwan 5.0.0.
I have the ipsec.conf and ipsec status output below. When I initiate traffic from a host in one network to the other, I don't see IKE packets and no tunnels get established. I do see a duplicate security policy (SP) installed for one direction (total 3 policies), which is unusual. I appreciate any tips on why I see a duplicate SP and how to resolve the issue. The SP (setkey -DP) output from one VPN box is also below. I observe similar behavior on the other VPN box. When I use "auto=start", the behavior is not consistent. Occasionally tunnels get established, but I can't pass traffic from end hosts.
root@jordan:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.0, Linux 2.6.34, x86_64):
 uptime: 3 seconds, since Sep 19 12:35:05 2012
 malloc: sbrk 270336, mmap 0, used 258480, free 11856
 worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
 loaded plugins: charon random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic xauth-eap openssl sha1 fips-prf eap-mschapv2 eap-radius eap-md5 eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-identity
Listening IP addresses:
 172.16.20.2
 172.16.40.2
 15.255.125.181
Connections:
 net-net: 172.16.20.2...172.16.20.3 IKEv2
 net-net: local: [main.com] uses pre-shared key authentication
 net-net: remote: [branch.com] uses pre-shared key authentication
 net-net: child: 172.16.40.10/32 === 172.16.50.10/32 TUNNEL
Routed Connections:
 net-net{1}: ROUTED, TUNNEL
 net-net{1}: 172.16.40.10/32 === 172.16.50.10/32
Security Associations (0 up, 0 connecting):
 none

=======duplicate SP for one direction================
root@jordan:~# setkey -DP
172.16.50.10[any] 172.16.40.10[any] any
 any priority=3843 index=0x800003a2 ipsec
 esp/tunnel/172.16.20.3-172.16.20.2/unique:1
 created: Sep 19 12:35:05 2012 lastused:
 lifetime: 0(s) validtime: 0(s)
 spid=0x800003a2 seq=1 pid=23287
 refcnt=2
 vrfid=0 linkvrfid=0
172.16.50.10[any] 172.16.40.10[any] any
 in priority=3843 index=0x80000398 ipsec
 esp/tunnel/172.16.20.3-172.16.20.2/unique:1
 created: Sep 19 12:35:05 2012 lastused:
 lifetime: 0(s) validtime: 0(s)
 spid=0x80000398 seq=2 pid=23287
 refcnt=2
 vrfid=0 linkvrfid=0
172.16.40.10[any] 172.16.50.10[any] any
 out priority=3843 index=0x80000391 ipsec
 esp/tunnel/172.16.20.2-172.16.20.3/unique:1
 created: Sep 19 12:35:05 2012 lastused:
 lifetime: 0(s) validtime: 0(s)
 spid=0x80000391 seq=3 pid=23287
 refcnt=2
 vrfid=0 linkvrfid=0
=====
# /etc/ipsec.conf

config setup

conn %default
 ikelifetime=60m
 keylife=20m
 rekeymargin=3m
 keyingtries=1
 authby=secret
 mobike=no

conn net-net
 keyexchange=ikev2
 left=172.16.20.2
 leftsubnet=172.16.40.10/32
 leftid=@main.com
 right=172.16.20.3
 rightsubnet=172.16.50.10/32
 rightid=@branch.com
 auto=route

======

Thanks!
Jordan.
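As an added check from the reader's side (not code from the post or from strongSwan), the script below parses the selector, direction and spid fields out of setkey -DP output and groups the policies by selector and direction, so that a genuine duplicate (the same selector and direction listed twice) is reported separately from the in, out and fwd policies strongSwan installs for every tunnel. The embedded sample is constructed in the shape of the listing above, with an invented fourth entry (spid 0x800003b0) so the check has something to flag.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the post's "setkey -DP" output (addresses
# from the post; the 4th entry is an invented second "out" policy, spid
# 0x800003b0, added so the duplicate check has something to flag).
SAMPLE = """\
172.16.50.10[any] 172.16.40.10[any] any
 any priority=3843 index=0x800003a2 ipsec
 esp/tunnel/172.16.20.3-172.16.20.2/unique:1
 spid=0x800003a2 seq=1 pid=23287
172.16.50.10[any] 172.16.40.10[any] any
 in priority=3843 index=0x80000398 ipsec
 spid=0x80000398 seq=2 pid=23287
172.16.40.10[any] 172.16.50.10[any] any
 out priority=3843 index=0x80000391 ipsec
 spid=0x80000391 seq=3 pid=23287
172.16.40.10[any] 172.16.50.10[any] any
 out priority=3843 index=0x800003b0 ipsec
 spid=0x800003b0 seq=4 pid=23287
"""

# Selector line is unindented: "src[port] dst[port] proto"; detail lines are indented.
SEL_RE = re.compile(r"^(\S+)\[[^\]]*\] (\S+)\[[^\]]*\] (\S+)$")
DIR_RE = re.compile(r"^\s+(in|out|fwd|any) priority=(\d+) index=(0x[0-9a-f]+)")
SPID_RE = re.compile(r"^\s+spid=(0x[0-9a-f]+)")


def parse_policies(text):
    """Return one dict per SP entry: src, dst, proto, dir, priority, index, spid."""
    policies, cur = [], None
    for line in text.splitlines():
        if m := SEL_RE.match(line):
            cur = {"src": m.group(1), "dst": m.group(2), "proto": m.group(3)}
            policies.append(cur)
        elif cur is not None and (m := DIR_RE.match(line)):
            cur["dir"], cur["priority"], cur["index"] = m.group(1), int(m.group(2)), m.group(3)
        elif cur is not None and (m := SPID_RE.match(line)):
            cur["spid"] = m.group(1)
    return policies


def find_duplicates(policies):
    """Group SPs by (src, dst, proto, dir); return only groups with more than one spid.
    strongSwan installs separate in, out and fwd policies per tunnel, so three entries
    with distinct directions are normal; the same selector+direction twice is the anomaly."""
    groups = defaultdict(list)
    for p in policies:
        groups[(p["src"], p["dst"], p["proto"], p.get("dir"))].append(p.get("spid"))
    return {k: v for k, v in groups.items() if len(v) > 1}
```

Run it against the real output with `find_duplicates(parse_policies(open("setkey.txt").read()))`; an empty result means every policy has a distinct direction for its selector.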