[strongSwan-dev] [Strongswan]: Allowing Duplicate connection

jegathesh malaiyappan mjegakathir at gmail.com
Sat Feb 9 16:31:51 CET 2013


Hi All,

*Version:* strongSwan 4.5.3

strongSwan creates a duplicate SA connection if we add the same
connection to the *ipsec.conf* file. Why does strongSwan allow duplicate
connections? Can't this be avoided in strongSwan? Please clarify.

ipsec.conf:
========
conn conn1
  type=tunnel
  leftsubnet=2.2.2.2/24
  rightsubnet=10.10.10.11/24
  left=192.167.10.12
  right=192.167.3.2
  keyexchange=ikev2
  reauth=no
  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
  ikelifetime=83111s
  esp=aes128-sha1,3des-sha1!
  authby=pubkey
  rightid=%any
  leftid="192.168.255.129"
  keylife=86400s
  dpdaction=restart
  dpddelay=10
  dpdtimeout=120
  rekeyfuzz=50%
  rekeymargin=180s

conn conn2
  type=tunnel
  leftsubnet=2.2.2.2/24
  rightsubnet=10.10.10.11/24
  left=192.167.10.12
  right=192.167.3.2
  keyexchange=ikev2
  reauth=no
  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
  ikelifetime=83111s
  esp=aes128-sha1,3des-sha1!
  authby=pubkey
  rightid=%any
  leftid="192.168.255.129"
  keylife=86400s
  dpdaction=restart
  dpddelay=10
  dpdtimeout=120
  rekeyfuzz=50%
  rekeymargin=180s


Connection Details:
===============
Security Associations (1 up, 0 connecting):
       conn1[202]: ESTABLISHED 3 minutes ago, 192.167.10.12[192.168.255.129]...192.167.3.2
       conn1[202]: IKE SPIs: 8844db848d42913e_i 19c2afa035743af9_r*, rekeying in 22 hours
       conn1[202]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
       conn1{475}:  INSTALLED, TUNNEL, ESP SPIs: c5cec271_i c62d9719_o
       conn1{475}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 23 hours
       conn1{475}:   2.2.2.0/24 === 10.10.10.0/24
       conn2{476}:  INSTALLED, TUNNEL, ESP SPIs: cdc16950_i c8c47f0d_o
       conn2{476}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 23 hours
       conn2{476}:   2.2.2.0/24 === 10.10.10.0/24


Thanks.
Jegathesh
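
A pre-deployment check for the situation described in this post, as an added example that is not part of the original message or of strongSwan: it parses ipsec.conf-style text and reports conn sections that are identical apart from their name, or that share the same endpoints and subnets. The function names, `TUNNEL_KEYS` and the embedded sample are constructed for illustration; `also=` references and `conn %default` inheritance are not resolved.

```python
from collections import defaultdict

# Constructed sample: conn1/conn2 are shortened from the post, conn3 is invented.
SAMPLE = """\
conn conn1
  leftsubnet=2.2.2.2/24
  rightsubnet=10.10.10.11/24
  right=192.167.3.2
  esp=aes128-sha1,3des-sha1!
conn conn2
  rightsubnet=10.10.10.11/24   # same settings, different order
  leftsubnet=2.2.2.2/24
  right=192.167.3.2
  esp=aes128-sha1,3des-sha1!
conn conn3
  leftsubnet=2.2.2.2/24
  rightsubnet=10.10.10.11/24
  right=192.167.3.2
  esp=aes128-sha1!
"""
TUNNEL_KEYS = ("left", "right", "leftsubnet", "rightsubnet")

def parse_conns(text):
    """Return {name: {key: value}} for each 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # simplification: '#' always starts a comment
        if not line.strip():
            continue
        if not line[0].isspace():             # section headers start in column 0
            parts = line.split(None, 1)
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return conns

def duplicate_groups(conns, keys=None):
    """Group conn names whose settings (or only `keys`, if given) are identical."""
    groups = defaultdict(list)
    for name, params in conns.items():
        fp = tuple(params.get(k) for k in keys) if keys else frozenset(params.items())
        groups[fp].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    conns = parse_conns(SAMPLE)
    print(duplicate_groups(conns), duplicate_groups(conns, TUNNEL_KEYS))
```

Passing `TUNNEL_KEYS` compares only the raw endpoint and subnet strings, so sections whose subnets overlap without being written identically are not reported.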