charon often has two tunnels for one connection

Wolfgang Walter wolfgang.walter at stwm.de
Thu Nov 11 19:12:52 CET 2010


I use strongswan 4.4.1.

If I list connections with ipsec status, I see that
for most connections there are two IKE SPIs:


$ ipsec statusall LEO15R-to-TUMBER_R   # on
Security Associations:
LEO15D-to-TUMBER_D[274]: ESTABLISHED 63 minutes ago,[XXXXX]...[YYYYY]
LEO15D-to-TUMBER_D[274]: IKE SPIs: 49aee81a1e459923_i dec7d37f60b96152_r*, public key reauthentication in 103 minutes
LEO15D-to-TUMBER_D[274]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
LEO15R-to-TUMBER_R{8854}:  INSTALLED, TUNNEL, ESP SPIs: ce74d803_i cc269e91_o
LEO15R-to-TUMBER_R{8854}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 21 minutes
LEO15R-to-TUMBER_R{8854}: === 
LEO15D-to-TUMBER_D[303]: ESTABLISHED 57 minutes ago,[XXXXX]...[YYYYY]
LEO15D-to-TUMBER_D[303]: IKE SPIs: 52e9261978df059c_i* fc5a10078fb78d74_r, public key reauthentication in 95 minutes
LEO15D-to-TUMBER_D[303]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
LEO15R-to-TUMBER_R{9766}:  INSTALLED, TUNNEL, ESP SPIs: c36d90a4_i c00339bb_o
LEO15R-to-TUMBER_R{9766}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 30 minutes
LEO15R-to-TUMBER_R{9766}: === 

With "ip xfrm state ls" I see that there really are 2 tunnels, and
"ip xfrm policy ls" shows that there are two entries

src dst
and vice versa

On it analog.

When I then restart the router and it comes up again,
only one association is established.

I think charon should only establish one tunnel.

There seems to be a problem when and both start at
the same time and has to establish a lot of tunnels to different
other routers. 

Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts
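To make the symptom described in this post easy to spot on a gateway with many connections, here is a small checker that parses `ipsec statusall` output and reports every connection name that has more than one ESTABLISHED IKE_SA (each with its own CHILD_SA / ESP SPIs). This is an added example, not strongSwan code and not something the poster supplied; the sample text is copied from the status output quoted above, the regular expressions are written against that output format of strongSwan 4.x, and the function names are my own.

```python
import re
import sys
from collections import defaultdict

# Constructed sample: the `ipsec statusall` excerpt from the post above.
SAMPLE_STATUS = """\
Security Associations:
LEO15D-to-TUMBER_D[274]: ESTABLISHED 63 minutes ago,[XXXXX]...[YYYYY]
LEO15D-to-TUMBER_D[274]: IKE SPIs: 49aee81a1e459923_i dec7d37f60b96152_r*, public key reauthentication in 103 minutes
LEO15D-to-TUMBER_D[274]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
LEO15R-to-TUMBER_R{8854}:  INSTALLED, TUNNEL, ESP SPIs: ce74d803_i cc269e91_o
LEO15R-to-TUMBER_R{8854}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 21 minutes
LEO15R-to-TUMBER_R{8854}: ===
LEO15D-to-TUMBER_D[303]: ESTABLISHED 57 minutes ago,[XXXXX]...[YYYYY]
LEO15D-to-TUMBER_D[303]: IKE SPIs: 52e9261978df059c_i* fc5a10078fb78d74_r, public key reauthentication in 95 minutes
LEO15D-to-TUMBER_D[303]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
LEO15R-to-TUMBER_R{9766}:  INSTALLED, TUNNEL, ESP SPIs: c36d90a4_i c00339bb_o
LEO15R-to-TUMBER_R{9766}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 30 minutes
LEO15R-to-TUMBER_R{9766}: ===
"""

# "conn[274]: ESTABLISHED ..." starts a new IKE_SA; the number in [] is charon's unique id.
IKE_RE = re.compile(r"^(?P<name>[^\s\[{]+)\[(?P<id>\d+)\]: ESTABLISHED")
# "conn[274]: IKE SPIs: <hex>_i <hex>_r*, ..." (the * marks which side initiated)
SPI_RE = re.compile(
    r"^(?P<name>[^\s\[{]+)\[(?P<id>\d+)\]: IKE SPIs: "
    r"(?P<spi_i>[0-9a-f]+)_i\*? (?P<spi_r>[0-9a-f]+)_r\*?"
)
# "child{8854}:  INSTALLED, TUNNEL, ESP SPIs: <hex>_i <hex>_o" belongs to the IKE_SA listed before it.
CHILD_RE = re.compile(
    r"^(?P<name>[^\s\[{]+)\{(?P<id>\d+)\}:\s+INSTALLED, (?P<mode>\w+), "
    r"ESP SPIs: (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o"
)


def parse_status(text):
    """Return a list of IKE_SAs, each with its SPIs and attached CHILD_SAs."""
    sas = []
    current = None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            current = {"name": m["name"], "id": int(m["id"]),
                       "spi_i": None, "spi_r": None, "children": []}
            sas.append(current)
            continue
        m = SPI_RE.match(line)
        if m and current and int(m["id"]) == current["id"]:
            current["spi_i"], current["spi_r"] = m["spi_i"], m["spi_r"]
            continue
        m = CHILD_RE.match(line)
        if m and current:
            current["children"].append({"name": m["name"], "id": int(m["id"]),
                                        "mode": m["mode"],
                                        "spi_in": m["spi_in"], "spi_out": m["spi_out"]})
    return sas


def duplicate_ike_sas(text):
    """Map connection name -> list of IKE_SA ids, for names with more than one ESTABLISHED IKE_SA."""
    by_name = defaultdict(list)
    for sa in parse_status(text):
        by_name[sa["name"]].append(sa["id"])
    return {name: ids for name, ids in by_name.items() if len(ids) > 1}


if __name__ == "__main__":
    # Pipe real output in (`ipsec statusall | python3 this.py`), otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    dups = duplicate_ike_sas(text)
    for sa in parse_status(text):
        if sa["name"] in dups:
            kids = ", ".join(f"{c['name']}{{{c['id']}}} {c['spi_in']}_i/{c['spi_out']}_o"
                             for c in sa["children"])
            print(f"{sa['name']}[{sa['id']}] IKE {sa['spi_i']}_i/{sa['spi_r']}_r -> {kids}")
    print(f"{len(dups)} connection(s) with duplicate IKE_SAs")
```

Run against the sample it reports LEO15D-to-TUMBER_D twice (ids 274 and 303), each carrying its own CHILD_SA, which is exactly the double tunnel the post describes; on a healthy gateway the last line should say 0.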

