[strongSwan] Regarding Site-to-Site Tunnel for IPSec
Andreas Steffen
andreas.steffen at strongswan.org
Thu Jul 28 17:37:54 CEST 2011
Hi Arnab,
Why do you want to have two identical CHILD_SAs? Usually the latest
CHILD_SA is used to transport traffic, the other becoming idle.
Regards
Andreas
On 07/25/2011 03:28 PM, Arnab Bakshi wrote:
> Hi Andreas,
>
> One question regarding the tunnel mode:
>
> I have the following SAs setup using IKEv2. The following is output
> of ipsec statusall:
>
> Performance:
>   uptime: 15 seconds, since Jul 25 05:16:42 2011
>   worker threads: 9 idle of 16, job queue load: 0, scheduled events: 3
>   loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink stroke updown
> Listening IP addresses:
>   10.1.1.10
>   10.205.30.62
> Connections:
>   arb1: 10.1.1.10[10.1.1.10]...10.1.1.20[10.1.1.20]
>   arb1: pre-shared key authentication
>   arb1: 10.205.30.254/32 === 30.0.0.1/32
>   arb2: dynamic === dynamic
> Security Associations:
>   arb1[1]: ESTABLISHED 4 seconds ago, 10.1.1.10[10.1.1.10]...10.1.1.20[10.1.1.20]
>   arb1[1]: IKE SPIs: a4a2683d4df70a67_i 7861d952132dcc14_r*, rekeying in 2 hours
>   arb1[1]: IKE proposal: AES_CBC-128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024_BIT
>   arb1{1}: INSTALLED, TUNNEL, ESP SPIs: ca075713_i 7a189428_o
>   arb1{1}: AES_CBC-128/HMAC_MD5_96, rekeying in 58 minutes, last use: 4s_i no_o
>   arb1{1}: 10.205.30.254/32 === 30.0.0.1/32
>   arb1{2}: INSTALLED, TUNNEL, ESP SPIs: c24cf23c_i 01cc4444_o
>   arb1{2}: AES_CBC-128/HMAC_MD5_96, rekeying in 58 minutes, last use: 4s_i no_o
>   arb1{2}: 10.205.30.254/32 === 30.0.0.1/32
>
> As you can see from the above output there are a couple of Child SAs over
> one IKE_SA.
>
> The problem I am facing is that when I send a data packet (ping) from
> 30.0.0.1 to 10.205.30.254 over the tunnel the following behaviour happens:
>
> Data packet is forwarded when using SA for arb1{2} - In SPI: c24cf23c_i
> but Data packet doesn't get forwarded using arb1{1} - In SPI: ca075713_i
>
> I have attached my ipsec.conf file if you may need to have a look. Also
> I have checked the sysctl variables for ip forwarding and enabled the
> ipv4 forwarding for all interfaces.
>
> Can you tell me whether the previously established CHILD_SA will not be
> used at all if a new SA is available?
>
> Regards
> Arnab
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
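The situation Arnab describes, two INSTALLED CHILD_SAs under one IKE_SA with identical traffic selectors, is easy to miss by eye in a long `ipsec statusall` listing. The following is an added example (not code from the thread or from the strongSwan project) that parses the `conn{id}:` lines of that output and flags connections where several CHILD_SAs carry the same selectors; the sample text is constructed to mirror the output quoted above.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the 'ipsec statusall' output quoted in the thread.
SAMPLE_STATUS = """\
Security Associations:
  arb1[1]: ESTABLISHED 4 seconds ago, 10.1.1.10[10.1.1.10]...10.1.1.20[10.1.1.20]
  arb1[1]: IKE SPIs: a4a2683d4df70a67_i 7861d952132dcc14_r*, rekeying in 2 hours
  arb1{1}: INSTALLED, TUNNEL, ESP SPIs: ca075713_i 7a189428_o
  arb1{1}: AES_CBC-128/HMAC_MD5_96, rekeying in 58 minutes, last use: 4s_i no_o
  arb1{1}: 10.205.30.254/32 === 30.0.0.1/32
  arb1{2}: INSTALLED, TUNNEL, ESP SPIs: c24cf23c_i 01cc4444_o
  arb1{2}: AES_CBC-128/HMAC_MD5_96, rekeying in 58 minutes, last use: 4s_i no_o
  arb1{2}: 10.205.30.254/32 === 30.0.0.1/32
"""

# 'conn{id}: ...' lines belong to a CHILD_SA; 'conn[id]: ...' lines (IKE_SA) are skipped.
CHILD_LINE = re.compile(r"^\s*(?P<conn>[\w.-]+)\{(?P<id>\d+)\}:\s*(?P<rest>.*)$")
SPI_LINE = re.compile(r"ESP SPIs:\s*(?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o")
TS_LINE = re.compile(r"^(?P<local>[\d./ ,]+?)\s*===\s*(?P<remote>[\d./ ,]+)$")


def parse_child_sas(text):
    """Map (conn, child_id) -> {'spi_in', 'spi_out', 'ts'} from statusall text."""
    sas = {}
    for line in text.splitlines():
        m = CHILD_LINE.match(line)
        if not m:
            continue
        entry = sas.setdefault((m["conn"], int(m["id"])), {})
        rest = m["rest"]
        s = SPI_LINE.search(rest)
        if s:
            entry["spi_in"], entry["spi_out"] = s["spi_in"], s["spi_out"]
        t = TS_LINE.match(rest)
        if t:
            entry["ts"] = (t["local"].strip(), t["remote"].strip())
    return sas


def find_duplicate_selectors(sas):
    """Return {(conn, (local, remote)): [child ids]} for selectors shared by >1 CHILD_SA.

    Ids are sorted ascending; the last one is the most recently established
    CHILD_SA, which is the one Andreas says carries the traffic.
    """
    groups = defaultdict(list)
    for (conn, cid), entry in sas.items():
        if "ts" in entry:
            groups[(conn, entry["ts"])].append(cid)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}
```

Feeding the real output of `ipsec statusall` into `parse_child_sas` and printing `find_duplicate_selectors` gives a quick check that a configuration (or a client reconnecting without deleting its old CHILD_SA) is not quietly leaving idle duplicate SAs in place.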