[strongSwan] charon often has two tunnels for one connection

Wolfgang Walter wolfgang.walter at stwm.de
Thu Nov 11 19:12:52 CET 2010


Hello,

I use strongswan 4.4.1.

If I list connections with ipsec status, I see that
for most connections there are two IKE SPIs:

Example:

$ ipsec statusall LEO15R-to-TUMBER_R   # on 1.1.1.1
[snip]
Security Associations:
LEO15D-to-TUMBER_D[274]: ESTABLISHED 63 minutes ago, 1.1.1.1[XXXXX]...2.2.2.2[YYYYY]
LEO15D-to-TUMBER_D[274]: IKE SPIs: 49aee81a1e459923_i dec7d37f60b96152_r*, public key reauthentication in 103 minutes
LEO15D-to-TUMBER_D[274]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
LEO15R-to-TUMBER_R{8854}:  INSTALLED, TUNNEL, ESP SPIs: ce74d803_i cc269e91_o
LEO15R-to-TUMBER_R{8854}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 21 minutes
LEO15R-to-TUMBER_R{8854}:   10.222.0.0/23 === 10.222.4.236/30 
LEO15D-to-TUMBER_D[303]: ESTABLISHED 57 minutes ago, 1.1.1.1[XXXXX]...2.2.2.2[YYYYY]
LEO15D-to-TUMBER_D[303]: IKE SPIs: 52e9261978df059c_i* fc5a10078fb78d74_r, public key reauthentication in 95 minutes
LEO15D-to-TUMBER_D[303]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
LEO15R-to-TUMBER_R{9766}:  INSTALLED, TUNNEL, ESP SPIs: c36d90a4_i c00339bb_o
LEO15R-to-TUMBER_R{9766}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 30 minutes
LEO15R-to-TUMBER_R{9766}:   10.222.0.0/23 === 10.222.4.236/30 



With "ip xfrm state ls" I see that there really are two tunnels, and
"ip xfrm policy ls" shows that there are two entries:

src 10.222.0.0/23 dst 10.222.4.236/30
and vice versa

On 2.2.2.2 it is analogous.

When I then restart router 2.2.2.2 and 2.2.2.2 comes up again,
only one association is established.

I think charon should only establish one tunnel.

There seems to be a problem when 1.1.1.1 and 2.2.2.2 both start at
the same time and 1.1.1.1 has to establish a lot of tunnels to various
other routers.

Regards,
-- 
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts
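The status output above can be checked mechanically. The following is an added example, not part of the original post and not strongSwan's own code: a small parser for the charon 4.x `ipsec statusall` line format shown in the post that groups IKE_SAs by connection name and peer addresses, groups CHILD_SAs by their traffic selectors, and reports any group with more than one entry. It also records which side each IKE_SA was set up from: in charon's status output the `*` is printed after the SPI that belongs to the local side, so `_r*` means this host was the responder and `_i*` means it was the initiator. In the quoted output that gives one SA of each kind, which is what two peers initiating towards each other at the same moment would leave behind. The constant `SAMPLE` is the anonymised excerpt from the post, and the function names (`parse_statusall`, `find_duplicate_ike_sas`, `find_duplicate_child_sas`, `roles`) are mine.

```python
"""Parse `ipsec statusall` output (strongSwan 4.x charon format) and flag
connections that carry more than one IKE_SA, or more than one CHILD_SA for
the same pair of traffic selectors.  Added example, not strongSwan code."""
import re
from collections import defaultdict

# Constructed sample: the anonymised status excerpt quoted in the post.
SAMPLE = """\
Security Associations:
LEO15D-to-TUMBER_D[274]: ESTABLISHED 63 minutes ago, 1.1.1.1[XXXXX]...2.2.2.2[YYYYY]
LEO15D-to-TUMBER_D[274]: IKE SPIs: 49aee81a1e459923_i dec7d37f60b96152_r*, public key reauthentication in 103 minutes
LEO15D-to-TUMBER_D[274]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
LEO15R-to-TUMBER_R{8854}:  INSTALLED, TUNNEL, ESP SPIs: ce74d803_i cc269e91_o
LEO15R-to-TUMBER_R{8854}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 21 minutes
LEO15R-to-TUMBER_R{8854}:   10.222.0.0/23 === 10.222.4.236/30
LEO15D-to-TUMBER_D[303]: ESTABLISHED 57 minutes ago, 1.1.1.1[XXXXX]...2.2.2.2[YYYYY]
LEO15D-to-TUMBER_D[303]: IKE SPIs: 52e9261978df059c_i* fc5a10078fb78d74_r, public key reauthentication in 95 minutes
LEO15D-to-TUMBER_D[303]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
LEO15R-to-TUMBER_R{9766}:  INSTALLED, TUNNEL, ESP SPIs: c36d90a4_i c00339bb_o
LEO15R-to-TUMBER_R{9766}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 30 minutes
LEO15R-to-TUMBER_R{9766}:   10.222.0.0/23 === 10.222.4.236/30
"""

# IKE_SA header: "name[id]: ESTABLISHED <age> ago, local[ident]...remote[ident]"
IKE_RE = re.compile(r'^(?P<name>\S+)\[(?P<id>\d+)\]: ESTABLISHED .*? ago, (?P<peers>\S+)$')
# IKE SPI line; the '*' follows the SPI belonging to the local side.
SPI_RE = re.compile(r'^(?P<name>\S+)\[(?P<id>\d+)\]: IKE SPIs: '
                    r'(?P<ispi>[0-9a-f]{16})_i(?P<istar>\*?) (?P<rspi>[0-9a-f]{16})_r(?P<rstar>\*?)')
# CHILD_SA header with the ESP SPIs, and the traffic-selector line that follows.
CHILD_RE = re.compile(r'^(?P<name>\S+)\{(?P<id>\d+)\}:\s+INSTALLED, (?P<mode>\w+), ESP SPIs: '
                      r'(?P<spi_in>[0-9a-f]{8})_i (?P<spi_out>[0-9a-f]{8})_o')
TS_RE = re.compile(r'^(?P<name>\S+)\{(?P<id>\d+)\}:\s+(?P<local>\S+) === (?P<remote>\S+)$')


def _strip_id(peer):
    """'1.1.1.1[XXXXX]' -> '1.1.1.1' (drop the IKE identity shown in brackets)."""
    return peer.split('[', 1)[0]


def parse_statusall(text):
    """Return {ike_unique_id: {...}}; CHILD_SAs are nested under the IKE_SA
    they are printed beneath, which is how statusall orders them."""
    sas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = IKE_RE.match(line)
        if m:
            local, remote = m['peers'].split('...', 1)
            current = int(m['id'])
            sas[current] = {'name': m['name'], 'local': _strip_id(local),
                            'remote': _strip_id(remote), 'initiator_spi': None,
                            'responder_spi': None, 'role': None, 'children': []}
            continue
        if current is None:
            continue
        m = SPI_RE.match(line)
        if m:
            sa = sas[current]
            sa['initiator_spi'], sa['responder_spi'] = m['ispi'], m['rspi']
            sa['role'] = 'initiator' if m['istar'] else 'responder'
            continue
        m = CHILD_RE.match(line)
        if m:
            sas[current]['children'].append({
                'name': m['name'], 'id': int(m['id']), 'mode': m['mode'],
                'spi_in': m['spi_in'], 'spi_out': m['spi_out'], 'selectors': None})
            continue
        m = TS_RE.match(line)
        if m:
            for child in sas[current]['children']:
                if child['id'] == int(m['id']):
                    child['selectors'] = (m['local'], m['remote'])
    return sas


def find_duplicate_ike_sas(sas):
    """Group IKE_SAs by (connection, local, remote); return groups of size > 1."""
    groups = defaultdict(list)
    for uid, sa in sorted(sas.items()):
        groups[(sa['name'], sa['local'], sa['remote'])].append(uid)
    return {k: v for k, v in groups.items() if len(v) > 1}


def find_duplicate_child_sas(sas):
    """Group CHILD_SAs by (connection, local TS, remote TS) across all IKE_SAs."""
    groups = defaultdict(list)
    for uid, sa in sorted(sas.items()):
        for child in sa['children']:
            groups[(child['name'],) + (child['selectors'] or (None, None))].append(child['id'])
    return {k: v for k, v in groups.items() if len(v) > 1}


def roles(sas, ids):
    """Sorted local roles of the given IKE_SAs; ['initiator', 'responder'] for
    a pair means each peer set up one of the two SAs towards the other."""
    return sorted(sas[i]['role'] for i in ids)


if __name__ == '__main__':
    parsed = parse_statusall(SAMPLE)
    for key, ids in find_duplicate_ike_sas(parsed).items():
        print('duplicate IKE_SA %s %s...%s: ids %s, local roles %s' % (key + (ids, roles(parsed, ids))))
    for key, ids in find_duplicate_child_sas(parsed).items():
        print('duplicate CHILD_SA %s %s === %s: ids %s' % (key + (ids,)))
```

Pipe live output in with `ipsec statusall | python3 check.py` after replacing `SAMPLE` with `sys.stdin.read()`; a non-empty result from either `find_duplicate_*` function is the condition the post describes, and comparing the ESP SPIs it reports against `ip xfrm state` confirms that both tunnels really exist in the kernel rather than only in charon's bookkeeping.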
