[strongSwan] config 2 hosts, one with "type=transport", another with "type=tunnel", both "tunnel" and "transport" Child SA created, is this per-design?
MingM Xia
macguffin.xia at gmail.com
Mon May 24 10:16:41 CEST 2010
I accidentally configured one host with "type=transport" and the other with
"type=tunnel" for a connection. I brought up the connection from the
"type=tunnel" side, and an SA in tunnel mode was set up; then I tried to bring up
the connection from the "type=transport" side, and another SA in transport mode
was also set up. Here is the result.
root at hapWibbSc2:/etc# ipsec status
Security Associations:
242-194[4]: ESTABLISHED 7 minutes ago,
10.19.156.242[10.19.156.242]...10.19.156.194[10.19.156.194]
242-194{6}: INSTALLED, TUNNEL, ESP SPIs: cc65e64a_i c2a154a0_o
242-194{6}: 10.19.156.242/32 === 10.19.156.194/32
242-194{7}: INSTALLED, TRANSPORT, ESP SPIs: c80056a5_i c4ceb8b1_o
242-194{7}: 10.19.156.242/32 === 10.19.156.194/32
It seems the later SA is the active one: when I send packets to the peer, the
packets are transmitted over the second SA.
Is this by design? It confuses me. Can we set up two SAs of different types
for the same connection at the same time?
root at hapWibbSc2:~# ip -s xfrm state
src 10.19.156.242 dst 10.19.156.194
proto esp spi 0xc2a154a0(3265352864) reqid 6(0x00000006) mode tunnel
replay-window 32 seq 0x00000052 flag (0x00000000)
auth hmac(sha1) 0x9e2dc8067d83e63909eea726b94b16fa962082fe (160 bits)
enc cbc(aes) 0x761e1049da63c31c761f4a217bba0cac (128 bits)
sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 940(sec), hard 1200(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-24 01:57:13 use -
stats:
replay-window 0 replay 0 failed 0
src 10.19.156.194 dst 10.19.156.242
proto esp spi 0xcc65e64a(3429230154) reqid 6(0x00000006) mode tunnel
replay-window 32 seq 0x00000053 flag (0x00000000)
auth hmac(sha1) 0xfcb0fd580660d379e0923b280f5898f80602e7ad (160 bits)
enc cbc(aes) 0xcc929db280f43cfc28955f816e8d0486 (128 bits)
sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 1008(sec), hard 1200(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-24 01:57:13 use -
stats:
replay-window 0 replay 0 failed 0
src 10.19.156.242 dst 10.19.156.194
proto esp spi 0xc4ceb8b1(3301882033) reqid 7(0x00000007) mode transport
replay-window 32 seq 0x00000058 flag (0x00000000)
auth hmac(sha1) 0x8b187947ac6b89c0054c92bf81f46eac8d593fcb (160 bits)
enc cbc(aes) 0x204197ad0a20d5f6bd521daeba42a80c (128 bits)
sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 898(sec), hard 1200(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
384(bytes), 6(packets)
add 2010-05-24 01:57:53 use 2010-05-24 01:58:06
stats:
replay-window 0 replay 0 failed 0
src 10.19.156.194 dst 10.19.156.242
proto esp spi 0xc80056a5(3355465381) reqid 7(0x00000007) mode transport
replay-window 32 seq 0x00000059 flag (0x00000000)
auth hmac(sha1) 0xb89db4921b1302ded2c03d1fb22150fdb9411523 (160 bits)
enc cbc(aes) 0x77d297fe92e9a04b944ad85f564019d1 (128 bits)
sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 866(sec), hard 1200(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
384(bytes), 6(packets)
add 2010-05-24 01:57:53 use 2010-05-24 01:58:06
stats:
replay-window 0 replay 0 failed 0
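As an added example (not part of the original post, and not strongSwan's own code): a small Python check that parses `ip -s xfrm state` output, groups the SAs by peer pair, flags any pair that has both tunnel-mode and transport-mode SAs installed at once, and reports which SAs have actually carried packets according to their `lifetime current` counters. The sample output is constructed from the four SAs shown above with the key material truncated (the hex shown is not real key material); the regular expressions assume the iproute2 text layout seen in this post.

```python
import re
from collections import defaultdict

# Constructed sample: the four SAs from the post above, keys truncated,
# some repeated lifetime lines dropped. Not real key material.
SAMPLE_XFRM_STATE = """\
src 10.19.156.242 dst 10.19.156.194
	proto esp spi 0xc2a154a0(3265352864) reqid 6(0x00000006) mode tunnel
	replay-window 32 seq 0x00000052 flag (0x00000000)
	auth hmac(sha1) 0x9e2dc806 (160 bits)
	enc cbc(aes) 0x761e1049 (128 bits)
	sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  expire add: soft 940(sec), hard 1200(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2010-05-24 01:57:13 use -
src 10.19.156.194 dst 10.19.156.242
	proto esp spi 0xcc65e64a(3429230154) reqid 6(0x00000006) mode tunnel
	lifetime current:
	  0(bytes), 0(packets)
	  add 2010-05-24 01:57:13 use -
src 10.19.156.242 dst 10.19.156.194
	proto esp spi 0xc4ceb8b1(3301882033) reqid 7(0x00000007) mode transport
	lifetime current:
	  384(bytes), 6(packets)
	  add 2010-05-24 01:57:53 use 2010-05-24 01:58:06
src 10.19.156.194 dst 10.19.156.242
	proto esp spi 0xc80056a5(3355465381) reqid 7(0x00000007) mode transport
	lifetime current:
	  384(bytes), 6(packets)
	  add 2010-05-24 01:57:53 use 2010-05-24 01:58:06
"""

# A new SA record starts with an unindented "src ... dst ..." line.
SA_HEADER = re.compile(r"^src (\S+) dst (\S+)")
# "proto esp spi 0x...(dec) reqid N(0x..) mode tunnel|transport"
SPI_LINE = re.compile(r"proto (\w+) spi (0x[0-9a-f]+)\S* reqid (\d+)\S* mode (\w+)")
# The "lifetime current" counter line; the "(INF)(bytes)" limit lines do not match.
COUNTERS = re.compile(r"(\d+)\(bytes\), (\d+)\(packets\)")


def parse_xfrm_state(text):
    """Parse `ip -s xfrm state` output into a list of SA dicts."""
    sas = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SA_HEADER.match(line)
        if m:
            sas.append({"src": m.group(1), "dst": m.group(2),
                        "bytes": 0, "packets": 0})
            continue
        if not sas:
            continue  # ignore anything before the first SA header
        m = SPI_LINE.search(line)
        if m:
            sas[-1].update(proto=m.group(1), spi=m.group(2),
                           reqid=int(m.group(3)), mode=m.group(4))
            continue
        m = COUNTERS.search(line)
        if m:
            sas[-1]["bytes"] = int(m.group(1))
            sas[-1]["packets"] = int(m.group(2))
    return sas


def peer_modes(sas):
    """Map each unordered peer pair to the set of SA modes installed for it."""
    modes = defaultdict(set)
    for sa in sas:
        modes[frozenset((sa["src"], sa["dst"]))].add(sa["mode"])
    return modes


def mixed_mode_peers(sas):
    """Peer pairs that have SAs of more than one mode (tunnel and transport) at once."""
    return {pair: sorted(m) for pair, m in peer_modes(sas).items() if len(m) > 1}


def carrying_traffic(sas):
    """SAs whose current counters show they have actually carried packets."""
    return [sa for sa in sas if sa["packets"] > 0]


if __name__ == "__main__":
    sas = parse_xfrm_state(SAMPLE_XFRM_STATE)
    for pair, modes in mixed_mode_peers(sas).items():
        print("mixed modes between", " <-> ".join(sorted(pair)), ":", modes)
    for sa in carrying_traffic(sas):
        print(f"reqid {sa['reqid']} spi {sa['spi']} mode {sa['mode']} "
              f"{sa['src']} -> {sa['dst']}: {sa['packets']} packets")
```

On the sample, the check reports one peer pair with both modes installed and shows that only the two transport-mode SAs (reqid 7) have non-zero packet counters, which matches the observation in the post that traffic goes over the second SA. Run it against live output with `ip -s xfrm state | python3 thisfile.py` after swapping `SAMPLE_XFRM_STATE` for `sys.stdin.read()`.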