[strongSwan] charon often has two tunnels for one connection

Andreas Steffen andreas.steffen at strongswan.org
Thu Nov 11 23:54:02 CET 2010


No, this is not possible. If you prefer one side then set it to
auto=start and the other side to auto=add.

Regards

Andreas

On 11/11/2010 11:35 PM, Wolfgang Walter wrote:
> Hello Andreas,
>
> On Thursday 11 November 2010, Andreas Steffen wrote:
>> Hello Wolfgang,
>>
>> if you define auto=start on both ends of the connection then it is
>> normal that two IKE_SAs and two CHILD_SAs are established. As you
>> can see each end is the initiator designated by an asterisk symbol
>> ('*'):
>>
>>> LEO15D-to-TUMBER_D[274]: IKE SPIs: 49aee81a1e459923_i
>> dec7d37f60b96152_r*, public key reauthentication in 103 minutes
>>
>>> LEO15D-to-TUMBER_D[303]: IKE SPIs: 52e9261978df059c_i*
>> fc5a10078fb78d74_r, public key reauthentication in 95 minutes
>>
>> The IKEv2 standard allows for this situation, so there is nothing
>> special about it. In the past there were some race condition
>> problems when both ends rekeyed at the same time but most of the
>> issues have been fixed in the latest releases.
>>
>
> Yes.
>
> My problem is that - once two are established - they remain as both are
> rekeyed regularly. This doubles the number of rekeying events. Would it be
> possible to have a sort of a "second-class"-field:
>
> conn LEO15D-to-TUMBER_D
> 	leftfavour=yes
>
> which would mean:
>
> if a second child-sa gets established close that one which was initiated from
> right
>
>> Regards
>>
>> Andreas
>
> Regards,

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
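
Added example, not part of the original thread or of strongSwan: a small Python check that parses "IKE SPIs" status lines like the two quoted above and reports connections that hold IKE_SAs initiated from both ends, which is the state that results from auto=start on both sides. It assumes the '*' marks the local end's SPI; the function names are hypothetical and the sample input is the two quoted lines rejoined.

```python
import re
from collections import defaultdict

# Sample input: the two status lines quoted in the thread, unwrapped.
SAMPLE = """\
LEO15D-to-TUMBER_D[274]: IKE SPIs: 49aee81a1e459923_i dec7d37f60b96152_r*, public key reauthentication in 103 minutes
LEO15D-to-TUMBER_D[303]: IKE SPIs: 52e9261978df059c_i* fc5a10078fb78d74_r, public key reauthentication in 95 minutes
"""

# conn[unique-id]: IKE SPIs: <16 hex>_i[*] <16 hex>_r[*]
SPI_LINE = re.compile(
    r"^\s*(?P<conn>[^\s\[]+)\[(?P<uid>\d+)\]: IKE SPIs: "
    r"(?P<ispi>[0-9a-f]{16})_i(?P<istar>\*?) "
    r"(?P<rspi>[0-9a-f]{16})_r(?P<rstar>\*?)"
)


def parse_ike_sas(text):
    """Return {connection: [(unique_id, local_role, i_spi, r_spi), ...]}."""
    sas = defaultdict(list)
    for line in text.splitlines():
        m = SPI_LINE.match(line)
        if not m:
            continue  # not an "IKE SPIs" line
        # Exactly one SPI should carry the '*'; skip anything ambiguous.
        if bool(m["istar"]) == bool(m["rstar"]):
            continue
        # Assumption: '*' marks the local end's SPI, so it gives our role.
        role = "initiator" if m["istar"] else "responder"
        sas[m["conn"]].append((int(m["uid"]), role, m["ispi"], m["rspi"]))
    return dict(sas)


def doubled_connections(sas):
    """Connections with IKE_SAs where the local end is initiator of one
    and responder of another, i.e. both peers brought the tunnel up."""
    both = {"initiator", "responder"}
    return {conn: entries for conn, entries in sas.items()
            if {role for _, role, _, _ in entries} == both}


if __name__ == "__main__":
    for conn, entries in doubled_connections(parse_ike_sas(SAMPLE)).items():
        print(f"{conn}: {len(entries)} IKE_SAs, initiated from both ends")
        for uid, role, ispi, rspi in sorted(entries):
            print(f"  [{uid}] local end is {role}: {ispi}_i {rspi}_r")
```

With one side set to auto=start and the other to auto=add, as suggested in the reply, every entry for a connection should show the same local role and the check returns nothing.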
