<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi,</p>
<p>can anyone tell me the reason why my client initiates multiple
tunnels over time (it's an always-on site-to-site VPN)? The
longer the ipsec daemon is running, the more tunnels are "opened". I
think I have an error in dpdaction or in closeaction, but I tried
several configurations and nothing changes...</p>
<p>Client /etc/ipsec.conf:</p>
<p>config setup<br>
charondebug="ike 0, esp 0, cfg 0, chd 0, mgr 0, net 0, knl 0"<br>
uniqueids=yes<br>
<br>
conn server<br>
authby=secret<br>
left=%defaultroute<br>
leftid=michael.client<br>
leftsubnet=10.20.3.0/24<br>
right=<DNS-Name_of_public_IP_of_the_server><br>
rightid=michael.server<br>
rightsubnet=10.20.50.0/24,10.20.20.0/24,10.20.21.0/24<br>
keyingtries=0<br>
ikelifetime=1h<br>
lifetime=8h<br>
dpddelay=30<br>
dpdtimeout=120<br>
dpdaction=restart<br>
closeaction=restart<br>
auto=route</p>
<p>Client /etc/ipsec.secret:</p>
<p style="margin-bottom: 0cm; line-height: 100%">
michael.client michael.server : PSK "<long_PSK>"</p>
<p>Server /etc/ipsec.conf:</p>
<p>config setup<br>
uniqueids=yes<br>
charondebug="ike 0, esp 0, cfg 0, chd 0, mgr 0, net 0, knl 0"<br>
<br>
conn client<br>
authby=secret<br>
left=%defaultroute<br>
leftid=michael.server<br>
leftsubnet=10.20.50.0/24,10.20.20.0/24,10.20.21.0/24<br>
right=%any<br>
rightid=michael.client<br>
rightsubnet=10.20.3.0/24<br>
keyingtries=0<br>
ikelifetime=1h<br>
lifetime=8h<br>
dpddelay=30<br>
dpdtimeout=120<br>
dpdaction=restart<br>
auto=add</p>
<p>Server /etc/ipsec.secret:</p>
<p style="margin-bottom: 0cm; line-height: 100%">
michael.server michael.client : PSK "<long_PSK>"</p>
<p>It results in this (output of ipsec statusall):</p>
<p>client[5674]: ESTABLISHED 24 minutes ago,
<public_IP_of_Server>[michael.server]...<public_IP_of_client>[michael.client]<br>
client[5674]: IKEv2 SPIs: 8950919e6207c9d9_i d2e3c1da7991f1c6_r*,
pre-shared key reauthentication in 20 minutes<br>
client[5674]: IKE proposal:
AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072<br>
client{7455}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs:
cfad6344_i ca727d46_o<br>
client{7455}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts,
27s ago), 0 bytes_o, rekeying in 7 hours<br>
client{7455}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 ===
10.20.3.0/24<br>
client{7456}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs:
cb519378_i c89244b9_o<br>
client{7456}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts,
27s ago), 0 bytes_o, rekeying in 7 hours<br>
client{7456}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 ===
10.20.3.0/24<br>
client{7457}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs:
c30d0ccc_i cdcf32ec_o<br>
client{7457}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts,
27s ago), 0 bytes_o, rekeying in 7 hours<br>
client{7457}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 ===
10.20.3.0/24<br>
client{7458}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs:
c1debb15_i c48082fa_o<br>
client{7458}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts,
27s ago), 0 bytes_o, rekeying in 7 hours<br>
client{7458}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 ===
10.20.3.0/24<br>
client{7459}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs:
c1a99a37_i c8322764_o<br>
client{7459}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts,
27s ago), 0 bytes_o, rekeying in 7 hours<br>
client{7459}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 ===
10.20.3.0/24<br>
client{7460}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs:
c3650305_i c7f2a153_o<br>
client{7460}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts,
27s ago), 0 bytes_o, rekeying in 7 hours<br>
client{7460}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 ===
10.20.3.0/24<br>
client{7461}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs:
cb5b9c7f_i c11d540c_o<br>
client{7461}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts,
27s ago), 0 bytes_o, rekeying in 7 hours<br>
client{7461}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 ===
10.20.3.0/24<br>
client{7462}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs:
cccd97f6_i c204b59e_o<br>
client{7462}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts,
27s ago), 0 bytes_o, rekeying in 7 hours<br>
client{7462}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 ===
10.20.3.0/24<br>
client{7463}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs:
cda71516_i c15e8fbb_o<br>
client{7463}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts,
27s ago), 0 bytes_o, rekeying in 7 hours<br>
client{7463}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 ===
10.20.3.0/24<br>
client{7464}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs:
c807efda_i c7434b3d_o<br>
client{7464}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts,
27s ago), 0 bytes_o, rekeying in 7 hours<br>
client{7464}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 ===
10.20.3.0/24<br>
client{7465}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs:
c81105c5_i cd834cc2_o<br>
client{7465}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts,
27s ago), 0 bytes_o, rekeying in 7 hours</p>
<p>After a restart of the daemon I have this just once:<br>
</p>
<p>client{7465}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs:
c81105c5_i cd834cc2_o<br>
client{7465}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts,
27s ago), 0 bytes_o, rekeying in 7 hours</p>
<p>But after hours/days I have "hundreds" of these tunnels, and they
keep getting more and more until I restart the daemon (on the
client).</p>
<p>Why does this happen?</p>
<p>What would be the correct dpdaction or closeaction (if this is
the problem)?</p>
<p>The client site is on a DSL connection which restarts every night;
it doesn't matter whether the IP address changes or not. The server has a
fixed IP address and is always online.</p>
<p>I have 8 "client sites" to the same server, and every connection
behaves like this (of course, because I use the same config with
different right/left ids and PSKs, with different subnets for every
connection).</p>
<p>If you have suggestions for a better config for an always-on VPN,
please let me know.<br>
</p>
<p>Thanks for your help.</p>
<p>Jens</p>
<pre class="moz-signature" cols="72">--
JKG IT-Services UG (haftungsbeschränkt)
Moltkestr. 31
76344 Eggenstein-Leopoldshafen
Telefon: 07247 / 9881995-1
Telefax: 07247 / 9881995-9
Mobil: 0176 / 47207343
E-Mail: <a class="moz-txt-link-abbreviated" href="mailto:jens.krehbiel-graether@jkg-it-services.de">jens.krehbiel-graether@jkg-it-services.de</a>
Internet: <a class="moz-txt-link-freetext" href="http://www.jkg-it-services.de/">http://www.jkg-it-services.de/</a>
Sitz der Gesellschaft: Eggenstein-Leopoldshafen
Registergericht: AG Mannheim
Handelsregisternummer: HRB 705813
Ust-Id-Nr.: DE265602472
Geschäftsführer: Jens Krehbiel-Gräther</pre>
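<p>An added monitoring check, not part of the original mail or of strongSwan: it parses the "ipsec statusall" format quoted above and flags any policy (same connection, reqid and traffic selectors) that carries more INSTALLED CHILD_SAs than expected, so the accumulation can be caught by a cron job long before it reaches hundreds. The sample output and the public IP addresses in it are constructed.</p>

```python
import re
from collections import defaultdict

# Constructed sample modelled on the "ipsec statusall" output quoted above
# (public IPs replaced with documentation-range placeholders).
SAMPLE_STATUS = """\
client[5674]: ESTABLISHED 24 minutes ago, 203.0.113.10[michael.server]...198.51.100.7[michael.client]
client{7455}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs: cfad6344_i ca727d46_o
client{7455}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts, 27s ago), 0 bytes_o, rekeying in 7 hours
client{7455}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 === 10.20.3.0/24
client{7456}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs: cb519378_i c89244b9_o
client{7456}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts, 27s ago), 0 bytes_o, rekeying in 7 hours
client{7456}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 === 10.20.3.0/24
client{7457}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs: c30d0ccc_i cdcf32ec_o
client{7457}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts, 27s ago), 0 bytes_o, rekeying in 7 hours
client{7457}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 === 10.20.3.0/24
"""

CHILD_RE = re.compile(r"^(\S+)\{(\d+)\}: INSTALLED, \w+, reqid (\d+)")   # CHILD_SA header line
TS_RE = re.compile(r"^(\S+)\{(\d+)\}: (.+?) === (.+)$")                  # traffic selector line

def child_sas_by_policy(status_text):
    """Group INSTALLED CHILD_SAs by (conn, reqid, local TS, remote TS).

    strongSwan gives every CHILD_SA for the same traffic selectors the same
    reqid, so all duplicates of one policy land in the same bucket."""
    reqids = {}                 # (conn, child id) -> reqid
    groups = defaultdict(list)  # policy key -> [child ids]
    for line in status_text.splitlines():
        m = CHILD_RE.match(line)
        if m:
            reqids[(m[1], m[2])] = m[3]
            continue
        m = TS_RE.match(line)
        if m and (m[1], m[2]) in reqids:
            key = (m[1], reqids[(m[1], m[2])],
                   " ".join(sorted(m[3].split())), " ".join(sorted(m[4].split())))
            groups[key].append(m[2])
    return dict(groups)

def duplicate_policies(status_text, max_per_policy=1):
    """Return policies with more CHILD_SAs than expected: normally 1, briefly 2
    while a rekey is in progress, so anything beyond that is worth an alert."""
    return {k: ids for k, ids in child_sas_by_policy(status_text).items()
            if len(ids) > max_per_policy}

if __name__ == "__main__":
    import sys
    text = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    for (conn, reqid, local, remote), ids in duplicate_policies(text).items():
        print(f"{conn} reqid {reqid} {local} === {remote}: {len(ids)} CHILD_SAs {ids}")
```

Piping the live output in (`ipsec statusall | python3 check_sas.py`, assumed script name) prints one line per policy that has piled up duplicates; the cipher and byte-counter lines are ignored by the parser.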
</body>
</html>