<div style="line-height:1.7;color:#000000;font-size:14px;font-family:arial"><div style="line-height:1.7;color:#000000;font-size:14px;font-family:arial"><div>======= ========= ========<br> | AP | <====================> | router|<====================> | GW |<br>======= ========= ========<br>First of all, CHILD_SA fap-psk is established between the AP and the GW, and the GW shows me this message:<br>******************************************************<br>Jan 31 19:44:47 (none) daemon.info charon: 78[IKE] CHILD_SA fap-psk{3} established with SPIs ca0b653f_i c1c43dbb_o and TS 10.1.0.0/16 172.16.15.0/24 === 10.23.100.1/32 <br>Jan 31 19:44:47 (none) authpriv.info charon: 78[IKE] CHILD_SA fap-psk{3} established with SPIs ca0b653f_i c1c43dbb_o and TS 10.1.0.0/16 172.16.15.0/24 === 10.23.100.1/32 <br>******************************************************</div>
<div>Then, I let the AP restart. I found that the IPsec tunnel could not be established as usual, and I checked the messages on the GW:<br>******************************************************<br>Jan 31 19:49:18 (none) daemon.info charon: 130[KNL] unable to add SAD entry with SPI c1c43dbb: File exists (17) <br>Jan 31 19:49:18 (none) daemon.info charon: 130[IKE] unable to install outbound IPsec SA (SAD) in kernel <br>******************************************************<br>The SPI c1c43dbb is the same as last time.<br>But a minute later, the AP sent an init packet for IPsec again. This time, they could establish the IPsec tunnel with another SPI.</div>
<div>And my questions are:<br>1. After being restarted, is the AP allowed to send the same SPI?<br>2. Why could they not establish the IPsec tunnel with the same SPI?<br>3. Will they never be able to establish the IPsec tunnel if the AP always sends the same SPI to the GW? How can this situation be avoided?</div>
<div> </div>
<div>thx~~<br></div></div></div>
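The two log excerpts quoted in the message can be correlated mechanically: the sketch below, an added example that is not part of the original post and not strongSwan code, links each "unable to add SAD entry ... File exists" error to the earlier CHILD_SA line that installed the same SPI. The function name `find_spi_collisions` and the regular expressions are assumptions built only from the log format shown above.

```python
import re

# Log lines copied from the message above (charon on the GW).
SAMPLE_LOG = """\
Jan 31 19:44:47 (none) daemon.info charon: 78[IKE] CHILD_SA fap-psk{3} established with SPIs ca0b653f_i c1c43dbb_o and TS 10.1.0.0/16 172.16.15.0/24 === 10.23.100.1/32
Jan 31 19:44:47 (none) authpriv.info charon: 78[IKE] CHILD_SA fap-psk{3} established with SPIs ca0b653f_i c1c43dbb_o and TS 10.1.0.0/16 172.16.15.0/24 === 10.23.100.1/32
Jan 31 19:49:18 (none) daemon.info charon: 130[KNL] unable to add SAD entry with SPI c1c43dbb: File exists (17)
Jan 31 19:49:18 (none) daemon.info charon: 130[IKE] unable to install outbound IPsec SA (SAD) in kernel
"""

# Assumed patterns, derived from the two message shapes quoted in the post.
ESTABLISHED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) .*CHILD_SA (?P<name>[^\s{]+)\{(?P<id>\d+)\} "
    r"established with SPIs (?P<spi_in>[0-9a-f]{8})_i (?P<spi_out>[0-9a-f]{8})_o")
COLLISION = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) .*\[KNL\] unable to add SAD entry with SPI "
    r"(?P<spi>[0-9a-f]{8}): File exists")


def find_spi_collisions(log_text):
    """Return one finding per SAD 'File exists' error, linked to the CHILD_SA
    that earlier installed the same SPI (None if the log shows no such SA)."""
    installed = {}  # SPI -> (timestamp, child_sa, direction) of first install
    findings = []
    for line in log_text.splitlines():
        m = ESTABLISHED.match(line)
        if m:
            child = f"{m['name']}{{{m['id']}}}"
            for spi, direction in ((m["spi_in"], "inbound"),
                                   (m["spi_out"], "outbound")):
                # setdefault keeps the first sighting; the same event is
                # logged twice (daemon.info and authpriv.info).
                installed.setdefault(spi, (m["ts"], child, direction))
            continue
        m = COLLISION.match(line)
        if m:
            findings.append({"time": m["ts"], "spi": m["spi"],
                             "earlier_sa": installed.get(m["spi"])})
    return findings


if __name__ == "__main__":
    for f in find_spi_collisions(SAMPLE_LOG):
        print(f"{f['time']}: SPI {f['spi']} rejected, earlier SA: {f['earlier_sa']}")
```
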