<p>Hi all,</p>
<p> </p>
<p>I used "Linux strongSwan U5.5.3/K3.16.0-4-amd64".</p>
<p> </p>
<p>I have two connexion definitions with 2 child SAs each. The first one come from ipsec.conf , the second is created via VICI:</p>
<p style="padding-left: 30px;">root@ipsec-gw:/usr/local/src# swanctl --list-conns<br /><strong>default_cert1</strong>: IKEv2, reauthentication every 3420s, no rekeying<br /> local: %any<br /> remote: %any<br /> local public key authentication:<br /> id: u2agw.u2a.xyz<br /> remote public key authentication:<br /> <strong>default_cert1</strong>: TUNNEL, rekeying every 1020s<br /> local: 10.11.0.0/16<br /> remote: dynamic<br /> <strong>default_cert</strong>: TUNNEL, rekeying every 1020s<br /> local: 10.10.0.0/16<br /> remote: dynamic<br /><strong>defautVici</strong>: IKEv2, no reauthentication, no rekeying<br /> local: 161.106.240.155<br /> remote: %any<br /> local public key authentication:<br /> id: u2agw.u2a.xyz<br /> remote EAP_RADIUS authentication:<br /> eap_id: %any<br /> <strong>child1</strong>: TUNNEL, rekeying every 100s<br /> local: 1.1.1.1/32 10.0.0.0/8<br /> remote: dynamic<br /> <strong>child2</strong>: TUNNEL, rekeying every 100s<br /> local: 2.2.2.5/32<br /> remote: dynamic<br /><br /></p>
<p>I setup tunnels and I observe that there is only one child ca for each connexion : one is not missing.</p>
<p style="padding-left: 30px;">root@ipsec-gw:/usr/local/src# swanctl --list-sas<br /><strong>default_cert1</strong>: #6, ESTABLISHED, IKEv2, 9ced70a70cbacaea_i 394dc6781ed773a6_r*<br /> local 'u2agw.u2a.xyz' @ 161.106.240.155[4500]<br /> remote 'CN=max.min, OU=u2aUsers, DC=u2a, DC=xyz' @ 161.106.240.156[47841] [10.11.12.162]<br /> AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256<br /> established 6s ago, reauth in 3336s<br /> <strong>default_cert1</strong>: #5, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128<br /> installed 5s ago, rekeying in 889s, expires in 1195s<br /> in c3d7921a, 336 bytes, 4 packets, 0s ago<br /> out e7757320, 336 bytes, 4 packets, 0s ago<br /> local 10.11.0.0/16<br /> remote 10.11.12.162/32<br /><strong>defautVici</strong>: #4, ESTABLISHED, IKEv2, 927ad63611b5b535_i f7a4b615d62bfcd6_r*<br /> local 'u2agw.u2a.xyz' @ 161.106.240.155[4500]<br /> remote 'joe.bar' @ 161.106.240.156[42859] [10.11.12.151]<br /> AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256<br /> established 11s ago<br /> <strong>child1</strong>: #4, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128<br /> installed 10s ago, rekeying in 80s, expires in 100s<br /> in c53f5289, 0 bytes, 0 packets<br /> out d0249916, 0 bytes, 0 packets<br /> local 1.1.1.1/32 10.0.0.0/8<br /> remote 10.11.12.151/32<br /><br /></p>
<p>From the documentation & mail exchanges on the list, I understand that strongswan GW is supposed to handle multiple child sas. </p>
<p>Do I miss something or this could be a kind of bug in last versions?</p>
<p> </p>
<p>thanks,</p>
<p><br />Régis</p>