[strongSwan] charon often has two tunnels for one connection

Andreas Steffen andreas.steffen at strongswan.org
Thu Nov 11 20:46:32 CET 2010 

Hello Wolfgang,

if you define auto=start on both ends of the connection then it is
normal that two IKE_SAs and two CHILD_SAs are established. As you
can see each end is the initiator designated by an asteris symbol
('*'):

> LEO15D-to-TUMBER_D[274]: IKE SPIs: 49aee81a1e459923_i
dec7d37f60b96152_r*, public key reauthentication in 103 minutes

> LEO15D-to-TUMBER_D[303]: IKE SPIs: 52e9261978df059c_i*
fc5a10078fb78d74_r, public key reauthentication in 95 minutes

The IKEv2 standard allows for this situation, so there is nothing
special about it. In the past there were some race condition
problems when both ends rekeyed at the same time but most of the
issues have been fixed in the latest releases.

Regards

Andreas

On 11/11/2010 07:12 PM, Wolfgang Walter wrote:
> Hello,
> 
> I use strongswan 4.4.1.
> 
> If I list connections with ipsec status, I see that
> for most connections there are two IKE SPIs:
> 
> example
> 
> $ ipsec statusall LEO15R-to-TUMBER_R   # on 1.1.1.1
> [snip]
> Security Associations:
> LEO15D-to-TUMBER_D[274]: ESTABLISHED 63 minutes ago, 1.1.1.1[XXXXX]...2.2.2.2[YYYYY]
> LEO15D-to-TUMBER_D[274]: IKE SPIs: 49aee81a1e459923_i dec7d37f60b96152_r*, public key reauthentication in 103 minutes
> LEO15D-to-TUMBER_D[274]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> LEO15R-to-TUMBER_R{8854}:  INSTALLED, TUNNEL, ESP SPIs: ce74d803_i cc269e91_o
> LEO15R-to-TUMBER_R{8854}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 21 minutes
> LEO15R-to-TUMBER_R{8854}:   10.222.0.0/23 === 10.222.4.236/30 
> LEO15D-to-TUMBER_D[303]: ESTABLISHED 57 minutes ago, 1.1.1.1[XXXXX]...2.2.2.2[YYYYY]
> LEO15D-to-TUMBER_D[303]: IKE SPIs: 52e9261978df059c_i* fc5a10078fb78d74_r, public key reauthentication in 95 minutes
> LEO15D-to-TUMBER_D[303]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> LEO15R-to-TUMBER_R{9766}:  INSTALLED, TUNNEL, ESP SPIs: c36d90a4_i c00339bb_o
> LEO15R-to-TUMBER_R{9766}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 30 minutes
> LEO15R-to-TUMBER_R{9766}:   10.222.0.0/23 === 10.222.4.236/30 
> 
> 
> 
> With "ip xfrm state ls" I see that there are really 2 tunnels and
> "ip xfrm policy ls" shows that there are to entries
> 
> src 10.222.0.0/23 dst 10.222.4.236/30
> and vice versa
> 
> On 2.2.2.2 it analog.
> 
> When I then restart router 2.2.2.2 and 2.2.2.2 comes up again
> then only one assocation is established .
> 
> I think charon should only establish one tunnel.
> 
> There seems to be a problem when 1.1.1.1 and 2.2.2.2 both start at
> the same time and 1.1.1.1 has to establish a lot of tunnels to different
> other routers. 
> 
> Regards,


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

More information about the Users mailing list