[strongSwan-dev] Multiple IKE_SAs for a single tunnel
jah at open.ch
Fri May 3 13:45:50 CEST 2013
Recently I encountered an issue in my strongSwan setup where, despite
using 'uniqueids=yes', one of my tunnels had 2 IKE_SAs installed.
This led to the situation that one peer was using 1 IKE_SA and the other
peer the other IKE_SA, breaking all communication.
From what I understand this should be prevented (and I see evidence of
this in my logs as well) when the 'uniqueids' option is set to yes;
however, it seems that this is not always the case (specifically when a
host loses all connectivity and then regains it again).
Because not all duplicate IKE_SAs are caught by the current check I
would like to suggest adding a second check (when 'uniqueids=yes') that:
- is delayed by 5 or 10 seconds (after an IKE_SA is established)
- checks if there are multiple IKE_SAs
---> deletes an IKE_SA based on the rules for the value of uniqueids OR
---> if multiple IKE_SAs are the same age deletes the SA w/ the
numerically smaller combined SPIs (always ordered 'smaller SPI' .
This would allow 2 hosts to both have the option auto=start and not
worry about creating redundant IKE_SAs. This is a must for high
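The selection rule proposed in the message, written out as an added Python example (it is neither strongSwan code nor the poster's). It assumes that uniqueids=yes (alias replace) means the newer IKE_SA supersedes the older one and that keep means the existing SA is retained, which is my reading of the strongSwan option, and that the "combined SPIs" tie-break compares the SPI pair sorted smaller-first so both peers reach the same decision regardless of who initiated. The SA records are constructed sample data.

```python
"""Pick which duplicate IKE_SAs to delete, per the rule proposed on the list.

Added illustration, not strongSwan code. Assumptions (labelled):
  * uniqueids=yes/replace: the newest SA to a peer wins, older ones go.
  * uniqueids=keep:        the oldest SA wins, newer ones go.
  * uniqueids=no/never:    duplicates are tolerated, nothing is deleted.
  * Equal age: delete the SA whose (smaller SPI, larger SPI) pair is
    numerically smaller, so the peer that kept the other SA agrees.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class IkeSa:
    peer_id: str       # remote identity the SA was established with
    established: int   # monotonic seconds when the SA came up
    spi_i: int         # initiator SPI (64-bit)
    spi_r: int         # responder SPI (64-bit)

    def ordered_spis(self) -> Tuple[int, int]:
        # Smaller SPI first: the same key on both peers whoever initiated.
        return tuple(sorted((self.spi_i, self.spi_r)))  # type: ignore[return-value]


def _choose_keeper(group: List[IkeSa], uniqueids: str) -> IkeSa:
    """Among SAs to one peer, return the single SA that survives."""
    if uniqueids in ("yes", "replace"):
        target_age = max(sa.established for sa in group)   # newest wins
    elif uniqueids == "keep":
        target_age = min(sa.established for sa in group)   # oldest wins
    else:
        raise ValueError(f"unsupported uniqueids value: {uniqueids!r}")
    same_age = [sa for sa in group if sa.established == target_age]
    # Tie-break from the post: the numerically smaller SPI pair is deleted,
    # so the largest pair is the one we keep.
    return max(same_age, key=lambda sa: sa.ordered_spis())


def select_for_deletion(sas: List[IkeSa], uniqueids: str = "yes") -> List[IkeSa]:
    """Return every SA that should be deleted so each peer keeps exactly one."""
    if uniqueids in ("no", "never"):
        return []
    by_peer: Dict[str, List[IkeSa]] = {}
    for sa in sas:
        by_peer.setdefault(sa.peer_id, []).append(sa)
    to_delete: List[IkeSa] = []
    for group in by_peer.values():
        if len(group) < 2:
            continue
        keeper = _choose_keeper(group, uniqueids)
        to_delete.extend(sa for sa in group if sa is not keeper)
    return to_delete


def delayed_check(sas: List[IkeSa], now: int, delay: int = 10,
                  uniqueids: str = "yes") -> List[IkeSa]:
    """The post's second, delayed check: only SAs established at least
    `delay` seconds ago take part, so a just-created SA is judged when its
    own timer fires rather than while the peer may still be settling."""
    mature = [sa for sa in sas if now - sa.established >= delay]
    return select_for_deletion(mature, uniqueids)


# Constructed sample state: two peers, each with a duplicate IKE_SA.
SA_A = IkeSa("moon", established=100, spi_i=0x1111, spi_r=0x2222)
SA_B = IkeSa("moon", established=100, spi_i=0x3333, spi_r=0x0444)  # same age as A
SA_C = IkeSa("sun", established=90, spi_i=0x5, spi_r=0x6)           # older
SA_D = IkeSa("sun", established=120, spi_i=0x7, spi_r=0x8)          # newer
EXAMPLE_SAS = [SA_A, SA_B, SA_C, SA_D]

if __name__ == "__main__":
    for victim in select_for_deletion(EXAMPLE_SAS, "yes"):
        print(f"delete IKE_SA to {victim.peer_id} spi_i={victim.spi_i:#x} "
              f"spi_r={victim.spi_r:#x}")
```

With uniqueids=yes the example deletes SA_B (same age as SA_A, smaller SPI pair) and SA_C (older than SA_D); with keep it deletes SA_B and SA_D instead. Run at now=105 with the default 10 second delay, only SA_C is mature, so nothing is deleted yet; the moon pair is handled once its own delay has elapsed.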