<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Calibri" size="2"><span style="font-size:11pt;">
<div>Hi,</div>
<div> </div>
<div>I am testing a simple scenario using ikev2. The setup is as follows:</div>
<div> </div>
<div>(Traffic generator2)30.0.0.1-------(30.0.0.2)node2(20.0.0.1)----------(20.0.0.2)node1(40.0.0.1)------------40.0.0.2(Traffic generator1)</div>
<div> eth2 eth3 eth2</div>
<div> (vlan201)</div>
<div> </div>
<div>Node1:</div>
<div># ipsec.conf</div>
<div> </div>
<div>config setup</div>
<div> charonstart=yes</div>
<div> plutostart=no</div>
<div> uniqueids=no</div>
<div> charondebug="knl 0,enc 0,net 0"</div>
<div>conn %default</div>
<div> auto=route</div>
<div> keyexchange=ikev2</div>
<div> reauth=no</div>
<div>conn r2~v2</div>
<div> rekeymargin=150</div>
<div> rekeyfuzz=100%</div>
<div> left=20.0.0.2</div>
<div> right=20.0.0.1</div>
<div> leftsubnet=40.0.0.2/32</div>
<div> rightsubnet=30.0.0.1/32</div>
<div> authby=secret</div>
<div> leftid=20.0.0.2</div>
<div> rightid=%any</div>
<div> ike=aes128-sha1-modp1024!</div>
<div> esp=aes128-sha1!</div>
<div> type=tunnel</div>
<div> ikelifetime=2000s</div>
<div> keylife=1500s</div>
<div> mobike=no</div>
<div> auto=route</div>
<div> reauth=no</div>
<div> </div>
<div>addresses configured:</div>
<div>1. vlan201@eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP </div>
<div> link/ether 00:30:64:26:2f:5f brd ff:ff:ff:ff:ff:ff</div>
<div> inet 20.0.0.2/24 brd 20.0.0.255 scope global vlan201</div>
<div> inet6 fe80::30:6400:a26:2f5f/64 scope link </div>
<div> valid_lft forever preferred_lft forever</div>
<div> </div>
<div>2. eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000</div>
<div> link/ether 00:30:64:26:2f:5e brd ff:ff:ff:ff:ff:ff</div>
<div> inet 40.0.0.1/24 brd 40.0.0.255 scope global eth2</div>
<div> inet6 fe80::30:6400:426:2f5e/64 scope link </div>
<div> valid_lft forever preferred_lft forever</div>
<div> </div>
<div> </div>
<div>routes:</div>
<div>40.0.0.0/24 dev eth2 proto kernel scope link src 40.0.0.1 </div>
<div>20.0.0.0/24 dev vlan201 proto kernel scope link src 20.0.0.2 </div>
<div>30.0.0.0/24 via 20.0.0.1 dev vlan201 proto gated</div>
<div> </div>
<div> </div>
<div> </div>
<div>Node2 :</div>
<div># ipsec.conf</div>
<div> </div>
<div>config setup</div>
<div> charonstart=yes</div>
<div> plutostart=no</div>
<div> uniqueids=no</div>
<div> charondebug="knl 0,enc 0,net 0"</div>
<div>conn %default</div>
<div> auto=route</div>
<div> keyexchange=ikev2</div>
<div> reauth=no</div>
<div>conn r2~v2</div>
<div> rekeymargin=150</div>
<div> rekeyfuzz=100%</div>
<div> left=20.0.0.1</div>
<div> right=20.0.0.2</div>
<div> leftsubnet=30.0.0.1/32</div>
<div> rightsubnet=40.0.0.2/32</div>
<div> authby=secret</div>
<div> leftid=20.0.0.1</div>
<div> rightid=%any</div>
<div> ike=aes128-sha1-modp1024!</div>
<div> esp=aes128-sha1!</div>
<div> type=tunnel</div>
<div> ikelifetime=2000s</div>
<div> keylife=1500s</div>
<div> dpdaction=clear</div>
<div> dpddelay=20</div>
<div> mobike=no</div>
<div> auto=route</div>
<div> reauth=no</div>
<div> </div>
<div> </div>
<div>addresses configured:</div>
<div>1. vlan201@eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP </div>
<div> link/ether 00:30:64:26:32:02 brd ff:ff:ff:ff:ff:ff</div>
<div> inet 20.0.0.1/24 brd 20.0.0.255 scope global vlan201</div>
<div> inet6 fe80::30:6400:a26:3202/64 scope link </div>
<div> valid_lft forever preferred_lft forever</div>
<div> </div>
<div> </div>
<div>2. eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000</div>
<div> link/ether 00:30:64:26:32:01 brd ff:ff:ff:ff:ff:ff</div>
<div> inet 30.0.0.2/24 brd 30.0.0.255 scope global eth2</div>
<div> inet6 fe80::30:6400:426:3201/64 scope link </div>
<div> valid_lft forever preferred_lft forever</div>
<div> </div>
<div> </div>
<div>routes:</div>
<div>40.0.0.0/24 via 20.0.0.2 dev vlan201 proto gated </div>
<div>20.0.0.0/24 dev vlan201 proto kernel scope link src 20.0.0.1 </div>
<div>30.0.0.0/24 dev eth2 proto kernel scope link src 30.0.0.2</div>
<div> </div>
<div> </div>
<div>In my setup, I am pumping traffic from both ends simultaneously. I see that IKE initiations happen simultaneously from both ends and two pair of SAs are formed instead of one as shown below:</div>
<div> </div>
<div>20.0.0.2 20.0.0.1 </div>
<div> esp mode=tunnel spi=3303990082(0xc4eee342) reqid=1(0x00000001)</div>
<div> E: aes-cbc 2d2d6603 aa9bc830 1c3ee36a d964b1f1</div>
<div> A: hmac-sha1 3889f511 69cd3c4e 6f416739 e5c685cc 3f316067</div>
<div> seq=0x00000000 replay=64 flags=0x00000000 state=mature </div>
<div> created: Jan 23 20:22:13 2015 current: Jan 23 20:22:37 2015</div>
<div> diff: 24(s) hard: 300(s) soft: 268(s)</div>
<div> last: Jan 23 20:22:13 2015 hard: 0(s) soft: 0(s)</div>
<div> current: 285648670(bytes) hard: 0(bytes) soft: 0(bytes)</div>
<div> allocated: 283945 hard: 0 soft: 0</div>
<div> sadb_seq=1 pid=24064 refcnt=0</div>
<div>20.0.0.1 20.0.0.2 </div>
<div> esp mode=tunnel spi=3422609051(0xcc00de9b) reqid=1(0x00000001)</div>
<div> E: aes-cbc 37be21d3 79d00867 968bcc4e 21c3a5c8</div>
<div> A: hmac-sha1 f46a45e7 c3b90b4e 20e3e68e 782a8b48 5d2d7758</div>
<div> seq=0x00000000 replay=64 flags=0x00000000 state=mature </div>
<div> created: Jan 23 20:22:13 2015 current: Jan 23 20:22:37 2015</div>
<div> diff: 24(s) hard: 300(s) soft: 265(s)</div>
<div> last: hard: 0(s) soft: 0(s)</div>
<div> current: 0(bytes) hard: 0(bytes) soft: 0(bytes)</div>
<div> allocated: 0 hard: 0 soft: 0</div>
<div> sadb_seq=2 pid=24064 refcnt=0</div>
<div>20.0.0.2 20.0.0.1 </div>
<div> esp mode=tunnel spi=3272081281(0xc307ff81) reqid=2(0x00000002)</div>
<div> E: aes-cbc 6c9cbd30 0aa302bb 9741ca7f 231ce550</div>
<div> A: hmac-sha1 9c21160b a03990f5 a07d2c29 a18d8b7f 02c020a7</div>
<div> seq=0x00000000 replay=64 flags=0x00000000 state=mature </div>
<div> created: Jan 23 20:22:13 2015 current: Jan 23 20:22:37 2015</div>
<div> diff: 24(s) hard: 300(s) soft: 264(s)</div>
<div> last: Jan 23 20:22:13 2015 hard: 0(s) soft: 0(s)</div>
<div> current: 20120(bytes) hard: 0(bytes) soft: 0(bytes)</div>
<div> allocated: 20 hard: 0 soft: 0</div>
<div> sadb_seq=3 pid=24064 refcnt=0</div>
<div>20.0.0.1 20.0.0.2 </div>
<div> esp mode=tunnel spi=3466205953(0xce9a1b01) reqid=2(0x00000002)</div>
<div> E: aes-cbc 465a0a5f 454ffbcc d4a63bf7 f3f102e5</div>
<div> A: hmac-sha1 36cefc1d 6c9729fe 4a142a0d 66033097 4b6e9d3a</div>
<div> seq=0x00000000 replay=64 flags=0x00000000 state=mature </div>
<div> created: Jan 23 20:22:13 2015 current: Jan 23 20:22:37 2015</div>
<div> diff: 24(s) hard: 300(s) soft: 261(s)</div>
<div> last: Jan 23 20:22:13 2015 hard: 0(s) soft: 0(s)</div>
<div> current: 285656718(bytes) hard: 0(bytes) soft: 0(bytes)</div>
<div> allocated: 283953 hard: 0 soft: 0</div>
<div> sadb_seq=0 pid=24064 refcnt=0</div>
<div> </div>
<div> </div>
<div>Due to this there is a 100% traffic drop seen at both ends. I referred to a similar query posted - <a href="https://lists.strongswan.org/pipermail/users/2012-October/003765.html"><font color="blue"><u>https://lists.strongswan.org/pipermail/users/2012-October/003765.html</u></font></a>
but no conclusion was drawn out of that. </div>
<div> </div>
<div>According to my investigation, the two nodes are using different set of SAs for communication resulting in the problem. tcpdump of the packets flowing is as below:</div>
<div> </div>
<div>20:23:48.400585 IP 20.0.0.2 > 20.0.0.1: ESP(spi=0xc4eee342,seq=0x11556a), length 1044</div>
<div>20:23:48.400629 IP 20.0.0.1 > 20.0.0.2: ESP(spi=0xce9a1b01,seq=0x115573), length 1044</div>
<div>20:23:48.400669 IP 20.0.0.2 > 20.0.0.1: ESP(spi=0xc4eee342,seq=0x11556b), length 1044</div>
<div>20:23:48.400713 IP 20.0.0.1 > 20.0.0.2: ESP(spi=0xce9a1b01,seq=0x115574), length 1044</div>
<div>20:23:48.400752 IP 20.0.0.2 > 20.0.0.1: ESP(spi=0xc4eee342,seq=0x11556c), length 1044</div>
<div>20:23:48.400796 IP 20.0.0.1 > 20.0.0.2: ESP(spi=0xce9a1b01,seq=0x115575), length 1044</div>
<div>20:23:48.400836 IP 20.0.0.2 > 20.0.0.1: ESP(spi=0xc4eee342,seq=0x11556d), length 1044</div>
<div>20:23:48.400881 IP 20.0.0.1 > 20.0.0.2: ESP(spi=0xce9a1b01,seq=0x115576), length 1044</div>
<div>20:23:48.400919 IP 20.0.0.2 > 20.0.0.1: ESP(spi=0xc4eee342,seq=0x11556e), length 1044</div>
<div>20:23:48.400963 IP 20.0.0.1 > 20.0.0.2: ESP(spi=0xce9a1b01,seq=0x115577), length 1044</div>
<div>20:23:48.401003 IP 20.0.0.2 > 20.0.0.1: ESP(spi=0xc4eee342,seq=0x11556f), length 1044</div>
<div>20:23:48.401047 IP 20.0.0.1 > 20.0.0.2: ESP(spi=0xce9a1b01,seq=0x115578), length 1044</div>
<div> </div>
<div> </div>
<div>Is there any fix to this issue. The scenario of simultaneous ike initiations happening for the first time when tunnel is being established is something which is not addressed I feel. </div>
<div> </div>
<div> </div>
<div>Regards</div>
<div>Suhas Krishna</div>
<div> </div>
</span></font>
</body>
</html>