[strongSwan] Regarding Site-to-Site Tunnel for IPSec
Arnab Bakshi
arnab.bakshi at gmail.com
Mon Jul 25 15:28:24 CEST 2011
Hi Andreas,
One question regarding the tunnel mode:
I have the following SAs set up using IKEv2. The following is the output of
ipsec statusall:

Performance:
  uptime: 15 seconds, since Jul 25 05:16:42 2011
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 3
  loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink stroke updown
Listening IP addresses:
  10.1.1.10
  10.205.30.62
Connections:
  arb1:  10.1.1.10[10.1.1.10]...10.1.1.20[10.1.1.20]
  arb1:   pre-shared key authentication
  arb1:   10.205.30.254/32 === 30.0.0.1/32
  arb2:   dynamic === dynamic
Security Associations:
  arb1[1]: ESTABLISHED 4 seconds ago, 10.1.1.10[10.1.1.10]...10.1.1.20[10.1.1.20]
  arb1[1]: IKE SPIs: a4a2683d4df70a67_i 7861d952132dcc14_r*, rekeying in 2 hours
  arb1[1]: IKE proposal: AES_CBC-128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024_BIT
  arb1{1}:  INSTALLED, TUNNEL, ESP SPIs: ca075713_i 7a189428_o
  arb1{1}:  AES_CBC-128/HMAC_MD5_96, rekeying in 58 minutes, last use: 4s_i no_o
  arb1{1}:   10.205.30.254/32 === 30.0.0.1/32
  arb1{2}:  INSTALLED, TUNNEL, ESP SPIs: c24cf23c_i 01cc4444_o
  arb1{2}:  AES_CBC-128/HMAC_MD5_96, rekeying in 58 minutes, last use: 4s_i no_o
  arb1{2}:   10.205.30.254/32 === 30.0.0.1/32
As you can see from the above output, there are a couple of CHILD_SAs over one
IKE_SA.
The problem I am facing is that when I send a data packet (ping) from
30.0.0.1 to 10.205.30.254 over the tunnel, the following behaviour happens:
the data packet is forwarded when using the SA for arb1{2} (in SPI: c24cf23c_i),
but the data packet doesn't get forwarded using arb1{1} (in SPI: ca075713_i).

I have attached my ipsec.conf file if you need to have a look. Also, I
have checked the sysctl variables for IP forwarding and enabled IPv4
forwarding for all interfaces.
Can you help me understand whether the previously established CHILD_SA will not be used at
all if a new SA is available?
Regards
Arnab
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.conf
Type: application/octet-stream
Size: 1212 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110725/ba2cdb69/attachment.obj>
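As an added example (not part of the post, and not strongSwan's own code), the following parser reads `ipsec statusall` output in the format shown above and flags CHILD_SAs of the same connection that carry identical traffic selectors, which is the situation the post describes; it assumes the line layout of the output quoted in the post and uses a constructed copy of it as input.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the `ipsec statusall` output quoted in the post.
STATUS = """\
Security Associations:
  arb1[1]: ESTABLISHED 4 seconds ago, 10.1.1.10[10.1.1.10]...10.1.1.20[10.1.1.20]
  arb1{1}:  INSTALLED, TUNNEL, ESP SPIs: ca075713_i 7a189428_o
  arb1{1}:  AES_CBC-128/HMAC_MD5_96, rekeying in 58 minutes, last use: 4s_i no_o
  arb1{1}:   10.205.30.254/32 === 30.0.0.1/32
  arb1{2}:  INSTALLED, TUNNEL, ESP SPIs: c24cf23c_i 01cc4444_o
  arb1{2}:  AES_CBC-128/HMAC_MD5_96, rekeying in 58 minutes, last use: 4s_i no_o
  arb1{2}:   10.205.30.254/32 === 30.0.0.1/32
"""

# Only CHILD_SA lines use curly braces (conn{id}); IKE_SA lines use conn[id].
CHILD = re.compile(r"^\s*(\w+)\{(\d+)\}:\s+(.*)$")
SPIS = re.compile(r"ESP SPIs: (\w+)_i (\w+)_o")
USE = re.compile(r"last use: (\S+)_i (\S+)_o")
TS = re.compile(r"^([\d./]+) === ([\d./]+)$")

def parse_child_sas(text):
    """Return {(conn, id): {spi_in, spi_out, use_in, use_out, ts}} from statusall text."""
    sas = defaultdict(dict)
    for line in text.splitlines():
        m = CHILD.match(line)
        if not m:
            continue
        key, rest = (m.group(1), int(m.group(2))), m.group(3).strip()
        if (s := SPIS.search(rest)):
            sas[key].update(spi_in=s.group(1), spi_out=s.group(2))
        elif (u := USE.search(rest)):
            sas[key].update(use_in=u.group(1), use_out=u.group(2))
        elif (t := TS.match(rest)):
            sas[key]["ts"] = (t.group(1), t.group(2))  # (local, remote) selectors
    return dict(sas)

def duplicate_selectors(sas):
    """Map (conn, local_ts, remote_ts) -> CHILD_SA ids, keeping only groups with >1 SA."""
    groups = defaultdict(list)
    for (conn, cid), sa in sas.items():
        if sa.get("ts"):
            groups[(conn,) + sa["ts"]].append(cid)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    for group, ids in duplicate_selectors(parse_child_sas(STATUS)).items():
        print("duplicate CHILD_SAs for %s %s === %s: ids %s" % (group + (ids,)))
```

When two installed CHILD_SAs share the same selectors, only one inbound SPI will see traffic, so comparing the `last use` fields of the flagged SAs tells you which one the kernel is actually using.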