[strongSwan-dev] [strongswan]: Multiple IKE SA and IPSEC SA for single connection after DPD

jegathesh malaiyappan mjegakathir at gmail.com
Tue Apr 9 16:01:03 CEST 2013


Hi,

Strongswan: 4.5.3

Multiple IKE SA and Child SA created for single connection after DPD.

Is this expected behavior in strongswan? Is there any solution for this
issue?

Please help me on this.

Node A ---------------------------------------------------------- Node B
(Initiator)                                                    (Responder)

i)    IKE SA and Child SA created successfully.
ii)   After some time, I am downing the interface in Node B.
iii)  DPD detected in Node A and Node B.
iv)   Now, I am enabling the interface in Node B.
v)    Now, I can see multiple IKE and Child SA created.



<snip>

Security Associations (2 up, 0 connecting):
       conn2[2]: ESTABLISHED 30 seconds ago, 11.1.1.10...11.1.1.1
       conn2[2]: IKE SPIs: c758776e4d859a4d_i* c56456dab2c92f5b_r, rekeying in 23 hours
       conn2[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
       conn2{2}:  INSTALLED, TUNNEL, ESP SPIs: caca238b_i c53e6b15_o
       conn2{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 23 hours
       conn2{2}:   3.3.3.0/24 === 2.2.2.0/24
       conn2[3]: ESTABLISHED 40 seconds ago, 11.1.1.10...11.1.1.1
       conn2[3]: IKE SPIs: 3897913d0b314352_i fa4587e51953c26b_r*, rekeying in 23 hours
       conn2[3]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
       conn2{3}:  INSTALLED, TUNNEL, ESP SPIs: cc44fadf_i c685d6fe_o
       conn2{3}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 23 hours
       conn2{3}:   3.3.3.0/24 === 2.2.2.0/24
linux-an0c:~ #

conn conn2
  type=tunnel
  rightsubnet=2.2.2.2/24
  leftsubnet=3.3.3.3/24
  right=11.1.1.1
  left=11.1.1.10
  keyexchange=ikev2
  reauth=no
  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
  ikelifetime=83796s
  esp=aes128-sha1,3des-sha1!
  authby=pubkey
  rightid=%any
  keylife=86400s
  dpdaction=restart
  dpddelay=10
  dpdtimeout=120
  rekeyfuzz=50%
  rekeymargin=180s

</snip>



Thanks.

Regards,
Jegathesh.M
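An added example (my own script, not from this thread or from the strongSwan project) that parses the `ipsec statusall` block quoted above and flags a connection holding more than one established IKE SA to the same peer, or more than one CHILD SA for the same traffic selectors, so the duplicate-SA condition described in the post can be caught by monitoring instead of by eye. The sample input is constructed from the status output in the post; the `conn[id]` / `conn{id}` line shapes are the only format assumption.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the `ipsec statusall` output quoted in the post.
STATUS = """\
Security Associations (2 up, 0 connecting):
       conn2[2]: ESTABLISHED 30 seconds ago, 11.1.1.10...11.1.1.1
       conn2[2]: IKE SPIs: c758776e4d859a4d_i* c56456dab2c92f5b_r, rekeying in 23 hours
       conn2{2}:  INSTALLED, TUNNEL, ESP SPIs: caca238b_i c53e6b15_o
       conn2{2}:   3.3.3.0/24 === 2.2.2.0/24
       conn2[3]: ESTABLISHED 40 seconds ago, 11.1.1.10...11.1.1.1
       conn2[3]: IKE SPIs: 3897913d0b314352_i fa4587e51953c26b_r*, rekeying in 23 hours
       conn2{3}:  INSTALLED, TUNNEL, ESP SPIs: cc44fadf_i c685d6fe_o
       conn2{3}:   3.3.3.0/24 === 2.2.2.0/24
"""

# "<conn>[<ike_id>]: ESTABLISHED ... ago, <local>...<remote>"
IKE_RE = re.compile(r"^\s*(\S+)\[(\d+)\]: ESTABLISHED .*?, (\S+)\.\.\.(\S+)$")
# "<conn>{<child_id>}:   <local_ts> === <remote_ts>"
CHILD_RE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+(\S+/\d+) === (\S+/\d+)$")

def parse_status(text):
    """Return {(conn, ike_id): (local, remote)} and {(conn, child_id): (local_ts, remote_ts)}."""
    ike, child = {}, {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            conn, uid, local, remote = m.groups()
            ike[(conn, int(uid))] = (local, remote)
            continue
        m = CHILD_RE.match(line)
        if m:
            conn, uid, lts, rts = m.groups()
            child[(conn, int(uid))] = (lts, rts)
    return ike, child

def find_duplicates(text):
    """Group IKE SAs by (conn, local, remote) and CHILD SAs by (conn, selectors);
    return the groups holding more than one unique id, i.e. the duplicated SAs."""
    ike, child = parse_status(text)
    groups = {"ike": defaultdict(list), "child": defaultdict(list)}
    for (conn, uid), key in ike.items():
        groups["ike"][(conn,) + key].append(uid)
    for (conn, uid), key in child.items():
        groups["child"][(conn,) + key].append(uid)
    return tuple({k: sorted(v) for k, v in g.items() if len(v) > 1}
                 for g in (groups["ike"], groups["child"]))
```

On the quoted status, `find_duplicates(STATUS)` reports conn2 with IKE SA ids 2 and 3 to the same peer and CHILD SA ids 2 and 3 for the same 3.3.3.0/24 === 2.2.2.0/24 selectors; an empty result means one IKE SA and one CHILD SA per connection, which is the state to expect after a clean restart.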