[strongSwan-dev] Multiple IKE_SAs for a single tunnel

James Hulka jah at open.ch
Fri May 3 13:45:50 CEST 2013


recently I encountered an issue in my Strongswan setup where despite
using 'uniqueids=yes' one of my tunnels had 2 IKE_SAs installed.

This led to the situation that one peer was using 1 IKE_SA and the other
peer the other IKE_SA breaking all communication.

>From what I understand this should be prevented (and I see evidence of
this in my logs as well) when the 'uniqueids' option is set to yes
however it seems that this is not always the case (specifically when a
host loses all connectivity and then regains it again).

Because not all duplicate IKE_SAs are caught by the current check I
would like to suggest adding a second check (when 'uniqueids=yes') that:

- is delayed by 5 or 10 seconds (after an IKE_SA is established)

- checks if there are multiple IKE_SAs

---> deletes an IKE_SA based on the rules for the value of uniqueids OR

---> if multiple IKE_SAs are the same age deletes the SA w/ the
numerically smaller combined SPIs (always ordered 'smaller SPI' .
'bigger SPI')

This would allow 2 hosts to both have the option auto=start and not
worry about creating redundant IKE_SAs. This is a must for high
availability setups.

Best Regards,


More information about the Dev mailing list