[strongSwan-dev] IPSEC SAs accumulate when "ipsec reload" command is executed for tunnels that have "auto=start" directive

Ansis Atteka ansisatteka at gmail.com
Wed Jan 9 04:14:14 CET 2013


In the ipsec.conf file I have tunnel that has "auto=start" directive.
Each time I execute "ipsec reload" command a new redundant IPSEC SA is
created:

root at gateway:~# ipsec status
Security Associations (2 up, 0 connecting):
remote-192.168.194.144[2]: ESTABLISHED 12 seconds ago,
192.168.194.143[192.168.194.143]...192.168.194.144[192.168.194.144]
remote-192.168.194.144{1}:  INSTALLED, TUNNEL, ESP SPIs: c1e1e697_i c42f18d7_o
remote-192.168.194.144{1}:   192.168.194.143/32 === 192.168.194.144/32
remote-192.168.194.144[3]: ESTABLISHED 8 seconds ago,
192.168.194.143[192.168.194.143]...192.168.194.144[192.168.194.144]
remote-192.168.194.144{1}:  INSTALLED, TUNNEL, ESP SPIs: c0f79060_i cfc4ad65_o
remote-192.168.194.144{1}:   192.168.194.143/32 === 192.168.194.144/32
root at gateway:~# ipsec reload
Reloading strongSwan IPsec configuration...
root at gateway:~# ipsec status
Security Associations (2 up, 0 connecting):
remote-192.168.194.144[2]: ESTABLISHED 21 seconds ago,
192.168.194.143[192.168.194.143]...192.168.194.144[192.168.194.144]
remote-192.168.194.144{1}:  INSTALLED, TUNNEL, ESP SPIs: c1e1e697_i c42f18d7_o
remote-192.168.194.144{1}:   192.168.194.143/32 === 192.168.194.144/32
remote-192.168.194.144{1}:  INSTALLED, TUNNEL, ESP SPIs: c4fd0bfd_i cf470541_o
remote-192.168.194.144{1}:   192.168.194.143/32 === 192.168.194.144/32
remote-192.168.194.144[3]: ESTABLISHED 17 seconds ago,
192.168.194.143[192.168.194.143]...192.168.194.144[192.168.194.144]
remote-192.168.194.144{1}:  INSTALLED, TUNNEL, ESP SPIs: c0f79060_i cfc4ad65_o
remote-192.168.194.144{1}:   192.168.194.143/32 === 192.168.194.144/32
root at gateway:~# ipsec reload
Reloading strongSwan IPsec configuration...
root at gateway:~# ipsec status
Security Associations (2 up, 0 connecting):
remote-192.168.194.144[2]: ESTABLISHED 27 seconds ago,
192.168.194.143[192.168.194.143]...192.168.194.144[192.168.194.144]
remote-192.168.194.144{1}:  INSTALLED, TUNNEL, ESP SPIs: c1e1e697_i c42f18d7_o
remote-192.168.194.144{1}:   192.168.194.143/32 === 192.168.194.144/32
remote-192.168.194.144{1}:  INSTALLED, TUNNEL, ESP SPIs: c4fd0bfd_i cf470541_o
remote-192.168.194.144{1}:   192.168.194.143/32 === 192.168.194.144/32
remote-192.168.194.144{1}:  INSTALLED, TUNNEL, ESP SPIs: c7475eaa_i c1708eec_o
remote-192.168.194.144{1}:   192.168.194.143/32 === 192.168.194.144/32
remote-192.168.194.144[3]: ESTABLISHED 23 seconds ago,
192.168.194.143[192.168.194.143]...192.168.194.144[192.168.194.144]
remote-192.168.194.144{1}:  INSTALLED, TUNNEL, ESP SPIs: c0f79060_i cfc4ad65_o
remote-192.168.194.144{1}:   192.168.194.143/32 === 192.168.194.144/32
root at gateway:~# ipsec reload
Reloading strongSwan IPsec configuration...
root at gateway:~# ipsec status
Security Associations (2 up, 0 connecting):
remote-192.168.194.144[2]: ESTABLISHED 38 seconds ago,
192.168.194.143[192.168.194.143]...192.168.194.144[192.168.194.144]
remote-192.168.194.144{1}:  INSTALLED, TUNNEL, ESP SPIs: c1e1e697_i c42f18d7_o
remote-192.168.194.144{1}:   192.168.194.143/32 === 192.168.194.144/32
remote-192.168.194.144{1}:  INSTALLED, TUNNEL, ESP SPIs: c4fd0bfd_i cf470541_o
remote-192.168.194.144{1}:   192.168.194.143/32 === 192.168.194.144/32
remote-192.168.194.144{1}:  INSTALLED, TUNNEL, ESP SPIs: c7475eaa_i c1708eec_o
remote-192.168.194.144{1}:   192.168.194.143/32 === 192.168.194.144/32
remote-192.168.194.144{1}:  INSTALLED, TUNNEL, ESP SPIs: cc7170a4_i c01e3a5c_o
remote-192.168.194.144{1}:   192.168.194.143/32 === 192.168.194.144/32
remote-192.168.194.144[3]: ESTABLISHED 34 seconds ago,
192.168.194.143[192.168.194.143]...192.168.194.144[192.168.194.144]
remote-192.168.194.144{1}:  INSTALLED, TUNNEL, ESP SPIs: c0f79060_i cfc4ad65_o
remote-192.168.194.144{1}:   192.168.194.143/32 === 192.168.194.144/32


Is this a resource deallocation issue? This issue does not happen with
the "ipsec update" command or when "auto=add/route" is being used.

By looking into the starter.c file I guess that the intended difference
between the "ipsec update" and "ipsec reload" commands is that "ipsec
reload" should first remove the whole ipsec configuration and then reread
it again, while "ipsec update" is supposed to compare the old
configuration with the new one and then push only the required changes
to the charon daemon?

This is happening with strongswan 4.6.4. Has anyone seen something similar?

Best regards,
Ansis Atteka
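As an added illustration (not part of the original message), a small parser for the `ipsec status` output quoted above that flags CHILD_SAs sharing the same IKE_SA and traffic selectors but carrying different SPIs, which is exactly the accumulation the report shows. The sample text is constructed from the values in the report; the line formats assumed are those of the status output above.

```python
"""Find redundant CHILD_SAs in strongSwan `ipsec status` output."""
import re
from collections import defaultdict

# Line shapes as they appear in the report (constructed assumptions, not
# derived from strongSwan source): an IKE_SA header, a CHILD_SA line with
# its SPIs, and the traffic-selector line that follows each CHILD_SA.
IKE_RE = re.compile(r'^(?P<conn>\S+)\[(?P<id>\d+)\]:\s+ESTABLISHED')
CHILD_RE = re.compile(r'^(?P<conn>\S+)\{(?P<id>\d+)\}:\s+INSTALLED,\s+\w+,'
                      r'\s+ESP SPIs:\s+(?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o')
TS_RE = re.compile(r'^(?P<conn>\S+)\{(?P<id>\d+)\}:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)')

# Constructed sample: the state after the first `ipsec reload` in the report.
SAMPLE = """\
Security Associations (2 up, 0 connecting):
remote-192.168.194.144[2]: ESTABLISHED 21 seconds ago,
192.168.194.143[192.168.194.143]...192.168.194.144[192.168.194.144]
remote-192.168.194.144{1}:  INSTALLED, TUNNEL, ESP SPIs: c1e1e697_i c42f18d7_o
remote-192.168.194.144{1}:   192.168.194.143/32 === 192.168.194.144/32
remote-192.168.194.144{1}:  INSTALLED, TUNNEL, ESP SPIs: c4fd0bfd_i cf470541_o
remote-192.168.194.144{1}:   192.168.194.143/32 === 192.168.194.144/32
remote-192.168.194.144[3]: ESTABLISHED 17 seconds ago,
192.168.194.143[192.168.194.143]...192.168.194.144[192.168.194.144]
remote-192.168.194.144{1}:  INSTALLED, TUNNEL, ESP SPIs: c0f79060_i cfc4ad65_o
remote-192.168.194.144{1}:   192.168.194.143/32 === 192.168.194.144/32
"""

def parse_status(text):
    """Return one dict per installed CHILD_SA: owning IKE_SA, selectors, SPIs."""
    sas, current_ike, pending_spis = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if (m := IKE_RE.match(line)):
            current_ike = (m['conn'], int(m['id']))
        elif (m := CHILD_RE.match(line)):
            pending_spis = (m['spi_in'], m['spi_out'])   # selectors come next line
        elif (m := TS_RE.match(line)) and pending_spis is not None:
            sas.append({'ike': current_ike, 'ts': (m['local'], m['remote']),
                        'spis': pending_spis})
            pending_spis = None
    return sas

def find_redundant(sas):
    """Group by (IKE_SA, selectors); more than one SPI pair per group is redundant.
    Caveat: a short-lived overlap of two SAs is normal during a rekey, so only
    groups that persist across several polls indicate the reload problem."""
    groups = defaultdict(list)
    for sa in sas:
        groups[(sa['ike'], sa['ts'])].append(sa['spis'])
    return {key: spis for key, spis in groups.items() if len(spis) > 1}

if __name__ == '__main__':
    for (ike, ts), spis in find_redundant(parse_status(SAMPLE)).items():
        print(f"{ike[0]}[{ike[1]}] {ts[0]} === {ts[1]}: {len(spis)} CHILD_SAs {spis}")
```

In practice feed it `ipsec status` output polled a few times; a group whose SPI count only grows after each `ipsec reload` matches the behaviour described in the report.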
