<p>Hi,</p>
<p> </p>
<p>Sure. I now use "Linux strongSwan U5.6.0/K3.16.0-4-amd64", but the issue is still here.</p>
<p> </p>
<p>Please find attached the following files: ipsec.conf, charon_debug.childsa_issue.log & the connection configuration used via VICI.</p>
<p> </p>
<p>Tell me if you need anything more. In the meantime, I'll dig a bit more into these files.</p>
<p> </p>
<p>thanks,</p>
<p> </p>
<p>Régis</p>
<p> </p>
<p>-----------------</p>
<p>Hi,<br />
<br />
Please provide your configuration and a log of the connection as described on the HelpRequests page [1]. There are multiple reasons this problem can occur.<br />
<br />
Kind regards<br />
<br />
Noel<br />
<br />
[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests<br />
<br />
On 04.09.2017 14:39, Sarefrech wrote:<br />
><br />
> Hi all,<br />
><br />
> I used "Linux strongSwan U5.5.3/K3.16.0-4-amd64".<br />
><br />
> I have two connection definitions with 2 child SAs each. The first one comes from ipsec.conf, the second is created via VICI:<br />
><br />
> root@ipsec-gw:/usr/local/src# swanctl --list-conns<br />
> *default_cert1*: IKEv2, reauthentication every 3420s, no rekeying<br />
> local: %any<br />
> remote: %any<br />
> local public key authentication:<br />
> id: u2agw.u2a.xyz<br />
> remote public key authentication:<br />
> *default_cert1*: TUNNEL, rekeying every 1020s<br />
> local: 10.11.0.0/16<br />
> remote: dynamic<br />
> *default_cert*: TUNNEL, rekeying every 1020s<br />
> local: 10.10.0.0/16<br />
> remote: dynamic<br />
> *defautVici*: IKEv2, no reauthentication, no rekeying<br />
> local: 161.106.240.155<br />
> remote: %any<br />
> local public key authentication:<br />
> id: u2agw.u2a.xyz<br />
> remote EAP_RADIUS authentication:<br />
> eap_id: %any<br />
> *child1*: TUNNEL, rekeying every 100s<br />
> local: 1.1.1.1/32 10.0.0.0/8<br />
> remote: dynamic<br />
> *child2*: TUNNEL, rekeying every 100s<br />
> local: 2.2.2.5/32<br />
> remote: dynamic<br />
><br />
> I set up tunnels and I observe that there is only one child SA for each connection: one is not missing.<br />
><br />
> root@ipsec-gw:/usr/local/src# swanctl --list-sas<br />
> *default_cert1*: #6, ESTABLISHED, IKEv2, 9ced70a70cbacaea_i 394dc6781ed773a6_r*<br />
> local 'u2agw.u2a.xyz' @ 161.106.240.155[4500]<br />
> remote 'CN=max.min, OU=u2aUsers, DC=u2a, DC=xyz' @ 161.106.240.156[47841] [10.11.12.162]<br />
> AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256<br />
> established 6s ago, reauth in 3336s<br />
> *default_cert1*: #5, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128<br />
> installed 5s ago, rekeying in 889s, expires in 1195s<br />
> in c3d7921a, 336 bytes, 4 packets, 0s ago<br />
> out e7757320, 336 bytes, 4 packets, 0s ago<br />
> local 10.11.0.0/16<br />
> remote 10.11.12.162/32<br />
> *defautVici*: #4, ESTABLISHED, IKEv2, 927ad63611b5b535_i f7a4b615d62bfcd6_r*<br />
> local 'u2agw.u2a.xyz' @ 161.106.240.155[4500]<br />
> remote 'joe.bar' @ 161.106.240.156[42859] [10.11.12.151]<br />
> AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256<br />
> established 11s ago<br />
> *child1*: #4, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128<br />
> installed 10s ago, rekeying in 80s, expires in 100s<br />
> in c53f5289, 0 bytes, 0 packets<br />
> out d0249916, 0 bytes, 0 packets<br />
> local 1.1.1.1/32 10.0.0.0/8<br />
> remote 10.11.12.151/32<br />
><br />
> From the documentation & mail exchanges on the list, I understand that the strongSwan GW is supposed to handle multiple child SAs.<br />
><br />
> Am I missing something, or could this be a kind of bug in the latest versions?<br />
><br />
> thanks,<br />
><br />
> Régis<br />
></p>
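<p>As an added operational check (not code from the thread or from strongSwan), the Python script below parses the <code>swanctl --list-conns</code> and <code>swanctl --list-sas</code> listings quoted above and reports, for every established IKE_SA, the configured children that have no INSTALLED CHILD_SA. The sample input is a constructed, abridged copy of the listing in the thread, and the line format it assumes is the one shown there.</p>

```python
import re

# Name line of an IKE or CHILD entry in either listing; group 2 (state) is None
# for --list-conns. Asterisks around names, as in the mail quote, are tolerated.
LINE_RE = re.compile(
    r"^\*?([^\s*:]+)\*?:\s+(?:#\d+,\s+(?:reqid \d+,\s+)?(\w+),\s+)?"
    r"(IKEv[12]|TUNNEL|TRANSPORT|BEET)")

def children_by_ike(text):
    """IKE name -> child names; for --list-sas only ESTABLISHED/INSTALLED ones."""
    result, ike = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # auth, id and traffic-selector lines carry no SA-type keyword
        name, state, kind = m.groups()
        if kind.startswith("IKEv"):
            ike = name if state in (None, "ESTABLISHED") else None
            if ike:
                result.setdefault(ike, set())  # register even with no child below
        elif ike and state in (None, "INSTALLED"):
            result[ike].add(name)
    return result

def missing_children(conns_text, sas_text):
    """Configured children lacking an INSTALLED CHILD_SA under an established IKE_SA."""
    configured = children_by_ike(conns_text)
    gaps = {}
    for ike, installed in children_by_ike(sas_text).items():
        absent = sorted(configured.get(ike, set()) - installed)
        if absent:
            gaps[ike] = absent
    return gaps

# Constructed sample, abridged from the swanctl output quoted in the thread.
CONNS = """\
*default_cert1*: IKEv2, reauthentication every 3420s, no rekeying
local: %any
*default_cert1*: TUNNEL, rekeying every 1020s
*default_cert*: TUNNEL, rekeying every 1020s
*defautVici*: IKEv2, no reauthentication, no rekeying
*child1*: TUNNEL, rekeying every 100s
*child2*: TUNNEL, rekeying every 100s
"""
SAS = """\
*default_cert1*: #6, ESTABLISHED, IKEv2, 9ced70a70cbacaea_i 394dc6781ed773a6_r*
*default_cert1*: #5, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
*defautVici*: #4, ESTABLISHED, IKEv2, 927ad63611b5b535_i f7a4b615d62bfcd6_r*
*child1*: #4, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
"""
print(missing_children(CONNS, SAS))  # {'default_cert1': ['default_cert'], 'defautVici': ['child2']}
```

<p>Keep in mind that IKEv2 creates exactly one CHILD_SA during IKE_AUTH and each further child needs a CREATE_CHILD_SA exchange, which a responder-only gateway (remote: %any) cannot start on its own, so a gap reported by this check is expected unless the peer itself requests the second child.</p>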