[strongSwan-dev] [Strongswan]: Allowing Duplicate connection

Andreas Steffen andreas.steffen at strongswan.org
Sat Feb 9 19:00:14 CET 2013


Hi Jegathesh,

IKEv2 RFC 5996 allows for multiple Child SAs having the same
traffic selectors. If you define two connections having identical
traffic selectors then this is your own personal choice and we
are not going to prevent you from doing this.

Regards

Andreas

On 02/09/2013 04:31 PM, jegathesh malaiyappan wrote:
> Hi All,
> 
> *Version:* strongSwan 4.5.3
> 
> strongSwan creates a duplicate SA connection if we add the same
> connection to the *ipsec.conf* file. Why does strongSwan allow duplicate
> connections? Can't this be avoided in strongSwan? Please clarify.
> 
> ipsec.conf:
> ========
> conn conn1
>   type=tunnel
>   leftsubnet=2.2.2.2/24
>   rightsubnet=10.10.10.11/24
>   left=192.167.10.12
>   right=192.167.3.2
>   keyexchange=ikev2
>   reauth=no
>   ike=aes128-sha1-modp1024,3des-sha1-modp1024!
>   ikelifetime=83111s
>   esp=aes128-sha1,3des-sha1!
>   authby=pubkey
>   rightid=%any
>   leftid="192.168.255.129"
>   keylife=86400s
>   dpdaction=restart
>   dpddelay=10
>   dpdtimeout=120
>   rekeyfuzz=50%
>   rekeymargin=180s
> 
> conn conn2
>   type=tunnel
>   leftsubnet=2.2.2.2/24
>   rightsubnet=10.10.10.11/24
>   left=192.167.10.12
>   right=192.167.3.2
>   keyexchange=ikev2
>   reauth=no
>   ike=aes128-sha1-modp1024,3des-sha1-modp1024!
>   ikelifetime=83111s
>   esp=aes128-sha1,3des-sha1!
>   authby=pubkey
>   rightid=%any
>   leftid="192.168.255.129"
>   keylife=86400s
>   dpdaction=restart
>   dpddelay=10
>   dpdtimeout=120
>   rekeyfuzz=50%
>   rekeymargin=180s
> 
> 
> Connection Details:
> ===============
> Security Associations (1 up, 0 connecting):
>        conn1[202]: ESTABLISHED 3 minutes ago, 192.167.10.12[192.168.255.129]...192.167.3.2
>        conn1[202]: IKE SPIs: 8844db848d42913e_i 19c2afa035743af9_r*, rekeying in 22 hours
>        conn1[202]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>        conn1{475}:  INSTALLED, TUNNEL, ESP SPIs: c5cec271_i c62d9719_o
>        conn1{475}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 23 hours
>        conn1{475}:   2.2.2.0/24 === 10.10.10.0/24
>        conn2{476}:  INSTALLED, TUNNEL, ESP SPIs: cdc16950_i c8c47f0d_o
>        conn2{476}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 23 hours
>        conn2{476}:   2.2.2.0/24 === 10.10.10.0/24
> 
> 
> Thanks.
> Jegathesh
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
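Since strongSwan will, as Andreas says, happily install two Child SAs for two conn sections with identical traffic selectors, the practical safeguard is to catch such duplicates before loading the configuration. The following script is an added example (not part of this thread and not strongSwan's own code): it parses a minimal ipsec.conf, merges `conn %default` into each conn, normalizes each subnet the way the installed policy does (host bits dropped, so `2.2.2.2/24` becomes `2.2.2.0/24`, exactly what the status output above shows), and reports conn sections whose peer pair and selectors collide. The embedded configuration is a constructed sample reduced from the two conns in the mail plus a third, non-colliding conn; the `also=` include keyword is assumed not to be used.

```python
"""Lint an ipsec.conf for 'conn' sections whose traffic selectors collide."""
from collections import defaultdict
import ipaddress

# Constructed sample, reduced from the two conns in the mail above. conn3 is
# added to show a near-miss that must NOT be reported (rightsubnet differs).
SAMPLE_IPSEC_CONF = """\
config setup
  charondebug="ike 1"

conn %default
  keyexchange=ikev2
  type=tunnel

conn conn1
  left=192.167.10.12
  right=192.167.3.2
  leftsubnet=2.2.2.2/24
  rightsubnet=10.10.10.11/24

conn conn2
  left=192.167.10.12
  right=192.167.3.2
  leftsubnet=2.2.2.2/24
  rightsubnet=10.10.10.11/24

conn conn3
  left=192.167.10.12
  right=192.167.3.2
  leftsubnet=2.2.2.0/24
  rightsubnet=10.10.10.0/25
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every non-default 'conn' section.

    Section headers start in column 0 ("conn foo", "config setup");
    parameters are indented key=value lines. Values from 'conn %default'
    are merged into every other conn. Assumption: no 'also=' includes.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # section header
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')
    defaults = sections.get(("conn", "%default"), {})
    return {name: {**defaults, **params}
            for (kind, name), params in sections.items()
            if kind == "conn" and name != "%default"}


def normalize_subnet(value):
    """Canonicalize a (comma-separated) subnet spec as the installed policy
    sees it: host bits are cleared, so 2.2.2.2/24 -> 2.2.2.0/24. Tokens
    that are not addresses (%any, %dynamic) are kept literally."""
    nets = []
    for item in filter(None, (s.strip() for s in value.split(","))):
        try:
            nets.append(str(ipaddress.ip_network(item, strict=False)))
        except ValueError:
            nets.append(item)
    return tuple(sorted(nets))


def selector_key(params):
    """Peer pair plus normalized traffic selectors of one conn. A missing
    leftsubnet/rightsubnet defaults to the host address itself."""
    left = params.get("left", "%any")
    right = params.get("right", "%any")
    return (left, right,
            normalize_subnet(params.get("leftsubnet", left)),
            normalize_subnet(params.get("rightsubnet", right)))


def find_duplicate_selectors(text):
    """Return lists of conn names that share an identical selector key."""
    groups = defaultdict(list)
    for name, params in parse_ipsec_conf(text).items():
        groups[selector_key(params)].append(name)
    return [sorted(names) for names in groups.values() if len(names) > 1]


if __name__ == "__main__":
    for names in find_duplicate_selectors(SAMPLE_IPSEC_CONF):
        print("identical traffic selectors:", ", ".join(names))
```

Run against the sample it reports only `conn1, conn2`; conn3 survives because its right selector is a /25, not a /24. Running a check like this in a pre-deploy hook is cheaper than discovering, as in the status output above, that two SAs with separate SPIs are carrying the same policy.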
