<html>
<head>
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hello<br>
<br>
I've a problem where Strongswan seems to add more and more tunnels
for my connection and I can't figure out why.<br>
<br>
I am connecting two sites, one host running Debian Squeeze and the
other Xubuntu 13.10.<br>
<br>
I found someone else having this problem and someone suggested that
it could have something to do with *buntus init scripts so I
disabled those on both ends.<br>
<br>
I have manually started the daemon with<b> ipsec start</b> on both
ends. I have then added the connection with <b>ipsec up tunnelname</b>.<br>
<br>
This works just fine and it gives me one tunnel if I check with <b>ipsec
status</b>. I do, however, after half an hour or so get more and
more active tunnels, and it gets unresponsive.<br>
<br>
I have then tried to end the connection with <b>ipsec down
tunnelname</b>. It does however not go down, it keeps all the
active connections but the tunnel starts to function again. This is
something I have to do every 15 minutes or so, quite annoying. =)<br>
<br>
I can't figure out what it is that is going on. Why does Strongswan
add all those extra connections?<br>
<br>
Regards,<br>
Peter<br>
<br>
Left side:<br>
<pre># basic configuration
config setup
    strictcrlpolicy=no
    charonstart=yes
    plutostart=no
# Add connections here.
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=1
    keyexchange=ikev2
    mobike=yes
conn tunnelname
    left=x.y.z.q
    leftcert=firstCert.pem
    leftsubnet=10.100.0.0/16
    leftid=@my.first.domainname
    leftfirewall=yes
    right=q.z.y.x
    rightsubnet=10.101.0.0/16
    rightid=@my.second.doaimname
    rightcert=/etc/ipsec.d/certs/secondCert.pem
    rightsendcert=never
    auto=add
include /var/lib/strongswan/ipsec.conf.inc</pre>
<br>
Right side:<br>
<pre># basic configuration
config setup
    strictcrlpolicy=no
    charonstart=yes
    plutostart=no
# Add connections here.
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=1
    keyexchange=ikev2
    mobike=yes
conn tunnelname
    left=q.z.y.x
    leftcert=secondCert.pem
    leftsubnet=10.101.0.0/16
    leftid=@my.second.domainname
    right=x.y.z.q
    rightsubnet=10.100.0.0/16
    rightid=@my.first.domainname
    rightcert=/etc/ipsec.d/certs/firstCert.pem
    rightsendcert=never
    auto=add
include /var/lib/strongswan/ipsec.conf.inc</pre>
<br>
Just started tunnel<br>
<pre>poe@first:~$ sudo ipsec status
Security Associations:
tunnelname[1]: ESTABLISHED 3 seconds ago, x.y.z.q[my.first.domainname]...q.z.y.x[my.second.domainname]
tunnelname{1}: INSTALLED, TUNNEL, ESP SPIs: c2e79cb7_i cfb3172a_o
tunnelname{1}: 10.100.0.0/16 === 10.101.0.0/16</pre>
After about a few hours (44 minutes is not correct)<br>
<pre>poe@first:~$ sudo ipsec status
Security Associations:
tunnelname0[5]: ESTABLISHED 44 minutes ago, x.y.z.q[my.first.domainname]...q.z.y.x[my.second.domainname]
tunnelname{5}: INSTALLED, TUNNEL, ESP SPIs: c0480a2e_i cde1013d_o
tunnelname{5}: 10.100.0.0/16 === 10.101.0.0/16
tunnelname{5}: INSTALLED, TUNNEL, ESP SPIs: cd002eb9_i c0990b03_o
tunnelname{5}: 10.100.0.0/16 === 10.101.0.0/16
tunnelname{5}: INSTALLED, TUNNEL, ESP SPIs: c4fdb6b8_i ca6c70d3_o
tunnelname{5}: 10.100.0.0/16 === 10.101.0.0/16
tunnelname{6}: INSTALLED, TUNNEL, ESP SPIs: c5c0bd22_i c1d1fe31_o
tunnelname{6}: 10.100.0.0/16 === 10.101.0.0/16</pre>
<br>
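Added example, not part of the original post: a small parser that reads <b>ipsec status</b> output and reports every traffic-selector pair that has more than one installed CHILD_SA, which is the symptom shown in the second listing. The function names are hypothetical and the line format is assumed from the two listings in the post.<br>

```python
import re
from collections import defaultdict

# Second `ipsec status` listing from the post above, copied verbatim.
SAMPLE = """\
Security Associations:
tunnelname0[5]: ESTABLISHED 44 minutes ago, x.y.z.q[my.first.domainname]...q.z.y.x[my.second.domainname]
tunnelname{5}: INSTALLED, TUNNEL, ESP SPIs: c0480a2e_i cde1013d_o
tunnelname{5}: 10.100.0.0/16 === 10.101.0.0/16
tunnelname{5}: INSTALLED, TUNNEL, ESP SPIs: cd002eb9_i c0990b03_o
tunnelname{5}: 10.100.0.0/16 === 10.101.0.0/16
tunnelname{5}: INSTALLED, TUNNEL, ESP SPIs: c4fdb6b8_i ca6c70d3_o
tunnelname{5}: 10.100.0.0/16 === 10.101.0.0/16
tunnelname{6}: INSTALLED, TUNNEL, ESP SPIs: c5c0bd22_i c1d1fe31_o
tunnelname{6}: 10.100.0.0/16 === 10.101.0.0/16
"""

# CHILD_SA line: name{n}: STATE, MODE, ESP SPIs: inbound_i outbound_o
CHILD_RE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+(\w+), (\w+), ESP SPIs: ([0-9a-f]+)_i ([0-9a-f]+)_o")
# Traffic selector line: name{n}: local === remote
TS_RE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+(\S+) === (\S+)\s*$")

def parse_child_sas(text):
    """Return one dict per CHILD_SA, with the selectors from the line that follows it."""
    sas = []
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if m:
            sas.append({"conn": m.group(1), "id": m.group(2), "state": m.group(3),
                        "spi_in": m.group(5), "spi_out": m.group(6), "ts": None})
            continue
        m = TS_RE.match(line)
        if m and sas and sas[-1]["ts"] is None and m.group(1) == sas[-1]["conn"]:
            sas[-1]["ts"] = (m.group(3), m.group(4))
    return sas

def duplicate_selectors(sas):
    """Map (conn, local, remote) to its SPI pairs, kept only where more than one SA exists."""
    groups = defaultdict(list)
    for sa in sas:
        if sa["state"] == "INSTALLED" and sa["ts"]:
            groups[(sa["conn"],) + sa["ts"]].append((sa["spi_in"], sa["spi_out"]))
    return {k: v for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    for key, spis in duplicate_selectors(parse_child_sas(SAMPLE)).items():
        print(key, "has", len(spis), "installed CHILD_SAs:", spis)
```

Run against saved status output on both gateways, this shows how many SAs cover the same subnets and which SPIs they use.<br>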
</body>
</html>