[strongSwan] What to do once the CHILD_SA is established?

Andreas Steffen andreas.steffen at strongswan.org
Tue Mar 29 14:24:32 CEST 2011

Hello Meera,

the work of the IKEv2 daemon is done and charon will become active
only during the next CHILD_SA rekeying (scheduled in 40 minutes)
and the next IKEv2 reauthentication (scheduled in 2 hours).

The IKE daemon creates an IPsec policy

  ip -s xfrm policy

and an IPsec security association

  ip -s xfrm state

in the Linux kernel which route and encrypt/decrypt all IP packets
using the IPsec ESP protocol.

P.S. You seem to have started both sides with auto=start, resulting
     in two concurrent IPsec SAs. Although this does not cause any
     harm, if you upgrade to strongSwan 4.5.1 one of the redundant
     IKE_SA/CHILD_SA pairs will be automatically deleted.

On 29.03.2011 14:02, Meera Sudhakar wrote:
> Hi Andreas
> I was able to setup an IKE_SA and its CHILD_SA between my initiator and
> responder. Just pasting the result of 'ipsec statusall' here:
> root at cip-Latitude-D520:~# ipsec statusall
> Status of IKEv2 charon daemon (strongSwan 4.4.0):
>   uptime: 3 minutes, since Mar 28 18:54:41 2011
>   worker threads: 7 idle of 16, job queue load: 0, scheduled events: 5
>   loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey
> pkcs1 pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr
> kernel-netlink socket-default farp stroke updown eap-identity eap-aka
> eap-md5 eap-gtc eap-mschapv2 dhcp resolve
> Listening IP addresses:
> Connections:
> sample-with-ca-cert:
> sample-with-ca-cert:   local:  [C=CH, O=strongSwan, CN=]
> uses public key authentication
> sample-with-ca-cert:    cert:  "C=CH, O=strongSwan, CN="
> sample-with-ca-cert:   remote: [C=CH, O=strongSwan, CN=]
> uses any authentication
> sample-with-ca-cert:   child: <>
> === <>
> Security Associations:
> sample-with-ca-cert[1]: ESTABLISHED 2 minutes ago,[C=CH,
> O=strongSwan, CN=]...[C=CH, O=strongSwan,
> CN=]
> sample-with-ca-cert[1]: IKE SPIs: fdcf7ac0cdf2c04f_i*
> 983a0c5155be9623_r, public key reauthentication in 2 hours
> sample-with-ca-cert[1]: IKE proposal:
> sample-with-ca-cert{2}:  INSTALLED, TUNNEL, ESP SPIs: cbf77aa0_i cf97ba8b_o
> sample-with-ca-cert{2}:  AES_CBC_128/HMAC_SHA1_96, 4916 bytes_i (147s
> ago), 2892 bytes_o (161s ago), rekeying in 40 minutes
> sample-with-ca-cert{2}: <> ===
> <>
> sample-with-ca-cert[2]: ESTABLISHED 3 minutes ago,[C=CH,
> O=strongSwan, CN=]...[C=CH, O=strongSwan,
> CN=]
> sample-with-ca-cert[2]: IKE SPIs: 396e462689843cdf_i
> 5dbd4f8988e5cd1f_r*, public key reauthentication in 2 hours
> sample-with-ca-cert[2]: IKE proposal:
> sample-with-ca-cert{1}:  INSTALLED, TUNNEL, ESP SPIs: cdbdb1cc_i c33cd52e_o
> sample-with-ca-cert{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
> rekeying in 42 minutes
> sample-with-ca-cert{1}: <> ===
> <>
> I am using strongswan for the first time, and I am not sure where the
> use of strongswan ends. Could you please help me understand this? My
> queries are:
> 1. strongSwan created the IKE_SA and CHILD_SA, and then nothing more
> happens. Is this correct?
> 2. I believe that IPsec traffic will flow through the CHILD_SA. How will
> this happen? Can strongswan handle it, or should I use some other tool?
> I know these questions might be kind of silly, but please help me get a
> better idea of what I'm doing.
> Thanks and regards,
> Meera

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
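The reply above makes two points a practitioner will want to verify on a live host: charon hands the CHILD_SA to the kernel as XFRM policies and states, and starting both peers with auto=start leaves two concurrent IKE_SA/CHILD_SA pairs. The script below is an added example and not part of this thread or of the strongSwan project. It parses the "Security Associations" section of `ipsec statusall` and the text output of `ip xfrm state`, flags connections with more than one IKE_SA, and reports any ESP SPI that charon lists but the kernel does not know about (a CHILD_SA without a kernel SA silently drops traffic). Both inputs are constructed samples modelled on the 4.4.0 output quoted in the thread, with the e-mail line wrapping undone; the 192.0.2.x addresses and the redacted keys are placeholders.

```python
"""Cross-check strongSwan CHILD_SAs against the kernel XFRM state table.

Added example, not code from the mailing-list thread or from strongSwan.
Feed it the real output of 'ipsec statusall' and 'ip -s xfrm state';
the samples below are constructed for offline use.
"""
import re
from collections import defaultdict

# Constructed sample: 'ipsec statusall', Security Associations section only,
# modelled on the strongSwan 4.4.0 output quoted in the thread.
STATUSALL = """\
Security Associations:
sample-with-ca-cert[1]: ESTABLISHED 2 minutes ago, [C=CH, O=strongSwan, CN=]...[C=CH, O=strongSwan, CN=]
sample-with-ca-cert[1]: IKE SPIs: fdcf7ac0cdf2c04f_i* 983a0c5155be9623_r, public key reauthentication in 2 hours
sample-with-ca-cert{2}:  INSTALLED, TUNNEL, ESP SPIs: cbf77aa0_i cf97ba8b_o
sample-with-ca-cert{2}:  AES_CBC_128/HMAC_SHA1_96, 4916 bytes_i (147s ago), 2892 bytes_o (161s ago), rekeying in 40 minutes
sample-with-ca-cert[2]: ESTABLISHED 3 minutes ago, [C=CH, O=strongSwan, CN=]...[C=CH, O=strongSwan, CN=]
sample-with-ca-cert[2]: IKE SPIs: 396e462689843cdf_i 5dbd4f8988e5cd1f_r*, public key reauthentication in 2 hours
sample-with-ca-cert{1}:  INSTALLED, TUNNEL, ESP SPIs: cdbdb1cc_i c33cd52e_o
sample-with-ca-cert{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
"""

# Constructed sample: 'ip xfrm state' text output with placeholder addresses
# and redacted keys. One SPI from the statusall sample (c33cd52e) is missing
# on purpose so the check below has something to report.
XFRM_STATE = """\
src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0xcf97ba8b reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x00 96
    enc cbc(aes) 0x00
src 192.0.2.2 dst 192.0.2.1
    proto esp spi 0xcbf77aa0 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x00 96
    enc cbc(aes) 0x00
src 192.0.2.2 dst 192.0.2.1
    proto esp spi 0xcdbdb1cc reqid 2 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x00 96
    enc cbc(aes) 0x00
"""

IKE_SA_RE = re.compile(r'^(?P<conn>[^\s\[]+)\[(?P<id>\d+)\]:\s+ESTABLISHED')
CHILD_SA_RE = re.compile(
    r'^(?P<conn>[^\s{]+)\{(?P<id>\d+)\}:\s+INSTALLED,\s+(?P<mode>\w+),'
    r'\s+ESP SPIs:\s+(?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o')
XFRM_SPI_RE = re.compile(r'^\s*proto esp spi 0x(?P<spi>[0-9a-f]+)\b', re.M)


def parse_ike_sas(text):
    """Map connection name -> list of ESTABLISHED IKE_SA ids."""
    sas = defaultdict(list)
    for line in text.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            sas[m['conn']].append(int(m['id']))
    return dict(sas)


def parse_child_sas(text):
    """One dict per INSTALLED CHILD_SA: conn, id, mode, spi_in, spi_out."""
    out = []
    for line in text.splitlines():
        m = CHILD_SA_RE.match(line)
        if m:
            sa = m.groupdict()
            sa['id'] = int(sa['id'])
            out.append(sa)
    return out


def parse_xfrm_spis(text):
    """Set of ESP SPIs (lower-case hex, no 0x) present in 'ip xfrm state'."""
    return {m['spi'] for m in XFRM_SPI_RE.finditer(text)}


def redundant_connections(statusall):
    """Connections holding more than one IKE_SA (both peers used auto=start)."""
    return sorted(c for c, ids in parse_ike_sas(statusall).items() if len(ids) > 1)


def child_sas_missing_in_kernel(statusall, xfrm_state):
    """(conn, child id, direction, spi) for every CHILD_SA SPI without a kernel SA."""
    kernel = parse_xfrm_spis(xfrm_state)
    missing = []
    for sa in parse_child_sas(statusall):
        for direction in ('spi_in', 'spi_out'):
            if sa[direction] not in kernel:
                missing.append((sa['conn'], sa['id'], direction, sa[direction]))
    return missing


if __name__ == '__main__':
    for conn in redundant_connections(STATUSALL):
        print(f'redundant IKE_SAs for connection {conn}: {parse_ike_sas(STATUSALL)[conn]}')
    for conn, cid, direction, spi in child_sas_missing_in_kernel(STATUSALL, XFRM_STATE):
        print(f'{conn}{{{cid}}} {direction} SPI {spi} has no kernel XFRM state')
```

On a real host replace the two sample strings with `subprocess.run(['ipsec', 'statusall'], ...)` and `subprocess.run(['ip', '-s', 'xfrm', 'state'], ...)` output; `ip xfrm state` prints one SA per direction, so both the `_i` and the `_o` SPI of a CHILD_SA must be present for the tunnel to carry traffic.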
