<div dir="ltr"><span style="font-size:12.8000001907349px">Hi Noel,</span><div style="font-size:12.8000001907349px"><br></div><div style="font-size:12.8000001907349px">The issue mentioned here is with duplicate SA. Sometimes when we try to create 512 tunnels we are encountering this issue. 1 or 2 IKE tunnels are having duplicate child SAs. How to avoid this? Is there any fix available in the latest release?</div><div style="font-size:12.8000001907349px"><br></div><div style="font-size:12.8000001907349px">Regards,</div><div style="font-size:12.8000001907349px">Pavan</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 4, 2015 at 1:29 AM, Noel Kuntze <span dir="ltr">&lt;<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Hello Sriram,<br>
<br>
Please try using "uniqueids=yes".<br>
<br>
Kind regards,<br>
Noel Kuntze<br>
<br>
GPG Key ID: 0x63EC6658<br>
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
<br>
On 02.02.2015 at 09:45, Sriram Raghunathan wrote:<br>
<div><div class="h5">><br>
> Hi,<br>
><br>
> Reference: strongSwan version 4.5.3.<br>
><br>
> Currently, I'm debugging a problem with the above version of<br>
> strongSwan software installed on some of the hardware and the<br>
> security gateway.<br>
><br>
> The problem is, I see<br>
> "multiple tunnels being established for a single IKE SA". Somehow I<br>
> feel it's a race condition in the strongSwan code. The problem is<br>
> seen when trying to establish close to 200 tunnels. Below is the<br>
> config I'm trying with. Could you please help me out here?<br>
><br>
> The problem seen here below:<br>
><br>
> conn12[262]: ESTABLISHED 8 minutes ago, 172.16.11.7[172.16.11.7]...172.16.11.61[172.16.11.61]<br>
> conn12[262]: IKE SPIs: 61eebfcfbde117bf_i 6939a8f12fc12e91_r*, rekeying in 95 minutes<br>
> conn12[262]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>
> -----------------------------------------------------------------------------------------------------<br>
> conn12{245}: INSTALLED, TUNNEL, ESP SPIs: cfdad3fe_i cfc7aea7_o<br>
> conn12{245}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes<br>
> conn12{245}: 172.16.11.7/32 === 172.100.7.0/24<br>
> conn12{250}: INSTALLED, TUNNEL, ESP SPIs: ca3fc3e2_i c4be685b_o<br>
> conn12{250}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes<br>
> conn12{250}: 172.16.11.7/32 === 172.100.7.0/24<br>
> -----------------------------------------------------------------------------------------------------<br>
><br>
> config setup<br>
> plutostart=no<br>
> plutodebug=none<br>
> nat_traversal=yes<br>
> uniqueids=no<br>
> charonstart=yes<br>
> charondebug="dmn 1, mgr 1, ike 0, chd 1, job 0, cfg 0, knl 0, net 0, enc -1, lib -1"<br>
><br>
> conn %default<br>
> pfs=no<br>
> installpolicy=yes<br>
> keyingtries=%forever<br>
> mobike=no<br>
><br>
> ------ truncated --------------<br>
> conn conn12<br>
> type=tunnel<br>
> leftsubnet=172.16.11.7/32<br>
> rightsubnet=172.100.7.0/24<br>
> left=172.16.11.7<br>
> right=172.16.11.61<br>
> auto=start<br>
> keyexchange=ikev2<br>
> authby=psk<br>
> reauth=no<br>
> ike=3des-sha1-modp1024!<br>
> ikelifetime=7200<br>
> pfs=no<br>
> esp=3des-sha1-noesn!<br>
> keylife=3600<br>
> dpdaction=clear<br>
> dpddelay=10<br>
> leftprotoport=0<br>
> rightprotoport=0<br>
> rekeyfuzz=100%<br>
> rekeymargin=540s<br>
> ------ truncated --------------<br>
><br>
<br>
</div></div>
</blockquote></div><br></div>
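<div>Added example, not part of the thread and not strongSwan project code: a checker that scans <code>ipsec statusall</code> text in the format quoted above and reports every connection whose traffic selector is covered by more than one INSTALLED CHILD_SA, which is the symptom described for 1 or 2 of the 512 tunnels. The sample text is constructed from the quoted excerpt; <code>conn13</code> and the function name are assumptions made for illustration.</div>

```python
import re
from collections import defaultdict

# Constructed sample modelled on the "ipsec statusall" excerpt quoted in the
# thread; conn13 is a made-up healthy connection added for contrast.
SAMPLE = """\
conn12[262]: ESTABLISHED 8 minutes ago, 172.16.11.7[172.16.11.7]...172.16.11.61[172.16.11.61]
conn12{245}:  INSTALLED, TUNNEL, ESP SPIs: cfdad3fe_i cfc7aea7_o
conn12{245}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
conn12{245}:   172.16.11.7/32 === 172.100.7.0/24
conn12{250}:  INSTALLED, TUNNEL, ESP SPIs: ca3fc3e2_i c4be685b_o
conn12{250}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
conn12{250}:   172.16.11.7/32 === 172.100.7.0/24
conn13[263]: ESTABLISHED 8 minutes ago, 172.16.11.7[172.16.11.7]...172.16.11.62[172.16.11.62]
conn13{246}:  INSTALLED, TUNNEL, ESP SPIs: c1a2b3c4_i c5d6e7f8_o
conn13{246}:   172.16.11.7/32 === 172.100.8.0/24
"""

# CHILD_SA lines carry the id in braces; IKE_SA lines use brackets and are skipped.
CHILD_LINE = re.compile(r"^\s*(?P<conn>[^\s\[{]+)\{(?P<id>\d+)\}:\s+(?P<rest>.*)$")


def find_duplicate_child_sas(status_text):
    """Return {(conn, traffic_selector): [child ids]} for every selector that
    is covered by more than one INSTALLED CHILD_SA."""
    state, selectors = {}, {}
    for line in status_text.splitlines():
        m = CHILD_LINE.match(line)
        if not m:
            continue  # IKE_SA line, separator or blank
        key = (m["conn"], int(m["id"]))
        rest = m["rest"].strip()
        if "===" in rest:  # traffic selector line
            left, right = (s.strip() for s in rest.split("===", 1))
            selectors[key] = f"{left} === {right}"
        elif "ESP SPIs" in rest or "AH SPIs" in rest:  # state line
            state[key] = rest.split(",", 1)[0]
    groups = defaultdict(list)
    for (conn, cid), ts in selectors.items():
        if state.get((conn, cid)) == "INSTALLED":
            groups[(conn, ts)].append(cid)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for (conn, ts), ids in find_duplicate_child_sas(SAMPLE).items():
        print(f"{conn}: {len(ids)} INSTALLED CHILD_SAs for {ts}: {ids}")
```

<div>An old and a new CHILD_SA coexist briefly during a normal rekey, so treat a hit as a duplicate only when it persists across several samples taken outside the rekey window.</div>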