[strongSwan] charon often has two tunnels for one connection
Wolfgang Walter
wolfgang.walter at stwm.de
Thu Nov 11 23:35:13 CET 2010
Hello Andreas,
On Thursday 11 November 2010, Andreas Steffen wrote:
> Hello Wolfgang,
>
> if you define auto=start on both ends of the connection then it is
> normal that two IKE_SAs and two CHILD_SAs are established. As you
> can see each end is the initiator designated by an asterisk symbol
> ('*'):
>
> > LEO15D-to-TUMBER_D[274]: IKE SPIs: 49aee81a1e459923_i
> dec7d37f60b96152_r*, public key reauthentication in 103 minutes
>
> > LEO15D-to-TUMBER_D[303]: IKE SPIs: 52e9261978df059c_i*
> fc5a10078fb78d74_r, public key reauthentication in 95 minutes
>
> The IKEv2 standard allows for this situation, so there is nothing
> special about it. In the past there were some race condition
> problems when both ends rekeyed at the same time but most of the
> issues have been fixed in the latest releases.
>
Yes.
My problem is that - once two are established - they remain as both are
rekeyed regularly. This doubles the number of rekeying events. Would it be
possible to have a sort of a "second-class"-field:

conn LEO15D-to-TUMBER_D
        leftfavour=yes

which would mean:

if a second child-sa gets established, close that one which was initiated from
right
> Regards
>
> Andreas
Regards,
--
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts
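
An added example, not part of the original message or of strongSwan: a small Python script that groups status lines of the form quoted above by connection name and reports connections holding more than one IKE_SA, together with the local role in each. It assumes the output has been unwrapped to one SA per line and that the asterisk marks the SPI belonging to the local end; the third sample line and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches status lines such as:
#   NAME[274]: IKE SPIs: 49aee81a1e459923_i dec7d37f60b96152_r*, ...
SPI_LINE = re.compile(
    r"^\s*(?P<conn>[^\[\s]+)\[(?P<id>\d+)\]:\s+IKE SPIs:\s+"
    r"(?P<i>[0-9a-f]{16})_i(?P<i_local>\*?)\s+"
    r"(?P<r>[0-9a-f]{16})_r(?P<r_local>\*?)"
)

def parse_ike_sas(status_text):
    """Return {connection name: [IKE_SA entries]} from status output."""
    sas = defaultdict(list)
    for line in status_text.splitlines():
        m = SPI_LINE.match(line)
        if not m:
            continue  # not an "IKE SPIs" line
        # Assumption: exactly one SPI carries '*', the local end's SPI.
        if bool(m["i_local"]) == bool(m["r_local"]):
            role = "unknown"
        else:
            role = "initiator" if m["i_local"] else "responder"
        sas[m["conn"]].append({"id": int(m["id"]), "spi_i": m["i"],
                               "spi_r": m["r"], "local_role": role})
    return dict(sas)

def duplicated(sas):
    """Keep only connections that currently hold more than one IKE_SA."""
    return {conn: entries for conn, entries in sas.items() if len(entries) > 1}

# First two lines: the output quoted in the thread, joined onto single lines.
# Third line: constructed sample of a connection with a single IKE_SA.
SAMPLE = """\
LEO15D-to-TUMBER_D[274]: IKE SPIs: 49aee81a1e459923_i dec7d37f60b96152_r*, public key reauthentication in 103 minutes
LEO15D-to-TUMBER_D[303]: IKE SPIs: 52e9261978df059c_i* fc5a10078fb78d74_r, public key reauthentication in 95 minutes
EXAMPLE-single[12]: IKE SPIs: 0123456789abcdef_i* fedcba9876543210_r, public key reauthentication in 60 minutes
"""

if __name__ == "__main__":
    for conn, entries in duplicated(parse_ike_sas(SAMPLE)).items():
        roles = ", ".join(f"[{e['id']}] local end is {e['local_role']}"
                          for e in entries)
        print(f"{conn}: {len(entries)} IKE_SAs ({roles})")
```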