[strongSwan] What to do once the CHILD_SA is established?

Meera Sudhakar mira.sudhakar at gmail.com
Thu Mar 31 06:17:13 CEST 2011


Thanks to both Martin and Andreas :)

I changed "auto=start" to "auto=add" on one of the machines, and now I get
only one SA. Also, thanks a lot for the explanation on what to expect once
the SA is established. I sent some traffic using the iperf tool, and saw that it
is sent using ipsec. I am still playing around with it actually.

Regards,
Meera

On Tue, Mar 29, 2011 at 5:54 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hello Meera,
>
> the work of the IKEv2 daemon is done and charon will become active
> only during the next CHILD_SA rekeying (scheduled in 40 minutes)
> and the next IKEv2 reauthentication (scheduled in 2 hours).
>
> The IKE daemon creates an IPsec policy
>
>  ip -s xfrm policy
>
> and an IPsec security association
>
>  ip -s xfrm state
>
> in the Linux kernel which route and encrypt/decrypt all IP packets
> using the IPsec ESP protocol.
>
> Regards
>
> Andreas
>
> P.S. You seem to have started both sides with auto=start, resulting
>     in two concurrent IPsec SAs. Although this does not cause any
>     harm, if you upgrade to strongSwan 4.5.1 one of the redundant
>     IKE_SA/CHILD_SA pairs will be automatically deleted.
>
> On 29.03.2011 14:02, Meera Sudhakar wrote
> > Hi Andreas
> >
> > I was able to set up an IKE_SA and its CHILD_SA between my initiator and
> > responder. Just pasting the result of 'ipsec statusall' here:
> >
> > root@cip-Latitude-D520:~# ipsec statusall
> > Status of IKEv2 charon daemon (strongSwan 4.4.0):
> >   uptime: 3 minutes, since Mar 28 18:54:41 2011
> >   worker threads: 7 idle of 16, job queue load: 0, scheduled events: 5
> >   loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr kernel-netlink socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp resolve
> > Listening IP addresses:
> >   10.58.114.215
> > Connections:
> > sample-with-ca-cert:  10.58.114.215...10.58.112.139
> > sample-with-ca-cert:   local:  [C=CH, O=strongSwan, CN=10.58.114.215] uses public key authentication
> > sample-with-ca-cert:    cert:  "C=CH, O=strongSwan, CN=10.58.114.215"
> > sample-with-ca-cert:   remote: [C=CH, O=strongSwan, CN=10.58.112.139] uses any authentication
> > sample-with-ca-cert:   child:  10.58.114.0/24 === 10.58.112.0/24
> > Security Associations:
> > sample-with-ca-cert[1]: ESTABLISHED 2 minutes ago, 10.58.114.215[C=CH, O=strongSwan, CN=10.58.114.215]...10.58.112.139[C=CH, O=strongSwan, CN=10.58.112.139]
> > sample-with-ca-cert[1]: IKE SPIs: fdcf7ac0cdf2c04f_i* 983a0c5155be9623_r, public key reauthentication in 2 hours
> > sample-with-ca-cert[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> > sample-with-ca-cert{2}:  INSTALLED, TUNNEL, ESP SPIs: cbf77aa0_i cf97ba8b_o
> > sample-with-ca-cert{2}:  AES_CBC_128/HMAC_SHA1_96, 4916 bytes_i (147s ago), 2892 bytes_o (161s ago), rekeying in 40 minutes
> > sample-with-ca-cert{2}:   10.58.114.0/24 === 10.58.112.0/24
> > sample-with-ca-cert[2]: ESTABLISHED 3 minutes ago, 10.58.114.215[C=CH, O=strongSwan, CN=10.58.114.215]...10.58.112.139[C=CH, O=strongSwan, CN=10.58.112.139]
> > sample-with-ca-cert[2]: IKE SPIs: 396e462689843cdf_i 5dbd4f8988e5cd1f_r*, public key reauthentication in 2 hours
> > sample-with-ca-cert[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> > sample-with-ca-cert{1}:  INSTALLED, TUNNEL, ESP SPIs: cdbdb1cc_i c33cd52e_o
> > sample-with-ca-cert{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
> > sample-with-ca-cert{1}:   10.58.114.0/24 === 10.58.112.0/24
> >
> >
> > I am using strongswan for the first time, and I am not sure where the
> > use of strongswan ends. Could you please help me understand this? My
> > queries are:
> >
> > 1. strongSwan created the IKE_SA and CHILD_SA, and then nothing more
> > happens. Is this correct?
> > 2. I believe that IPsec traffic will flow through the CHILD_SA. How will
> > this happen? Can strongswan handle it, or should I use some other tool?
> >
> > I know these questions might be kind of silly, but please help me get a
> > better idea of what I'm doing.
> >
> > Thanks and regards,
> > Meera
>
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
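The two things worth checking once charon has finished its work, as Andreas describes, are whether each CHILD_SA is actually carrying ESP traffic (the `bytes_i`/`bytes_o` counters in `ipsec statusall`) and whether a connection has ended up with more than one ESTABLISHED IKE_SA (the redundant pair from starting both sides with `auto=start`). The following script is an added example, not code from strongSwan or from anyone in this thread. It parses the `Security Associations:` section of `ipsec statusall` in the strongSwan 4.4.0 format shown above; the embedded sample is a constructed, unwrapped copy of that output, the function names and regular expressions are my own, and later strongSwan versions print a slightly different format that these patterns do not cover.

```python
import re
from collections import defaultdict

# Constructed sample: the "Security Associations:" section of `ipsec statusall`
# from the thread (strongSwan 4.4.0), with the mail client's line wrapping undone.
SAMPLE_STATUS = """\
Security Associations:
sample-with-ca-cert[1]: ESTABLISHED 2 minutes ago, 10.58.114.215[C=CH, O=strongSwan, CN=10.58.114.215]...10.58.112.139[C=CH, O=strongSwan, CN=10.58.112.139]
sample-with-ca-cert[1]: IKE SPIs: fdcf7ac0cdf2c04f_i* 983a0c5155be9623_r, public key reauthentication in 2 hours
sample-with-ca-cert[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
sample-with-ca-cert{2}:  INSTALLED, TUNNEL, ESP SPIs: cbf77aa0_i cf97ba8b_o
sample-with-ca-cert{2}:  AES_CBC_128/HMAC_SHA1_96, 4916 bytes_i (147s ago), 2892 bytes_o (161s ago), rekeying in 40 minutes
sample-with-ca-cert{2}:   10.58.114.0/24 === 10.58.112.0/24
sample-with-ca-cert[2]: ESTABLISHED 3 minutes ago, 10.58.114.215[C=CH, O=strongSwan, CN=10.58.114.215]...10.58.112.139[C=CH, O=strongSwan, CN=10.58.112.139]
sample-with-ca-cert[2]: IKE SPIs: 396e462689843cdf_i 5dbd4f8988e5cd1f_r*, public key reauthentication in 2 hours
sample-with-ca-cert[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
sample-with-ca-cert{1}:  INSTALLED, TUNNEL, ESP SPIs: cdbdb1cc_i c33cd52e_o
sample-with-ca-cert{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
sample-with-ca-cert{1}:   10.58.114.0/24 === 10.58.112.0/24
"""

# IKE_SA header line: "<conn>[<id>]: <STATE> ..." (only the listed states are
# treated as IKE_SA headers; the "IKE SPIs"/"IKE proposal" lines do not match).
IKE_RE = re.compile(
    r"^(?P<conn>[\w-]+)\[(?P<id>\d+)\]:\s+"
    r"(?P<state>ESTABLISHED|CONNECTING|REKEYING|DELETING)\b")
# CHILD_SA header line: "<conn>{<id>}:  INSTALLED, TUNNEL, ESP SPIs: <in>_i <out>_o"
CHILD_RE = re.compile(
    r"^(?P<conn>[\w-]+)\{(?P<id>\d+)\}:\s+(?P<state>[A-Z_]+),\s+(?P<mode>[A-Z]+),"
    r"\s+ESP SPIs:\s+(?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o")
# CHILD_SA counter line: "<conn>{<id>}:  <alg>, <n> bytes_i ..., <n> bytes_o ..."
BYTES_RE = re.compile(
    r"^(?P<conn>[\w-]+)\{(?P<id>\d+)\}:\s+(?P<alg>\S+),\s+(?P<bin>\d+) bytes_i"
    r".*?,\s+(?P<bout>\d+) bytes_o")


def parse_status(text):
    """Return (ike, child): ike maps (conn, id) -> state, child maps
    (conn, id) -> dict with mode, ESP SPIs, algorithm and byte counters."""
    ike, child = {}, {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            ike[(m["conn"], int(m["id"]))] = m["state"]
            continue
        m = CHILD_RE.match(line)
        if m:
            child[(m["conn"], int(m["id"]))] = {
                "state": m["state"], "mode": m["mode"],
                "spi_in": m["spi_in"], "spi_out": m["spi_out"],
                "alg": None, "bytes_in": 0, "bytes_out": 0}
            continue
        m = BYTES_RE.match(line)
        if m and (m["conn"], int(m["id"])) in child:
            c = child[(m["conn"], int(m["id"]))]
            c["alg"] = m["alg"]
            c["bytes_in"], c["bytes_out"] = int(m["bin"]), int(m["bout"])
    return ike, child


def redundant_ike_sas(ike):
    """Connections with more than one ESTABLISHED IKE_SA: {conn: [ids]}.
    This is the symptom of both peers using auto=start for the same conn."""
    by_conn = defaultdict(list)
    for (conn, sa_id), state in ike.items():
        if state == "ESTABLISHED":
            by_conn[conn].append(sa_id)
    return {c: sorted(ids) for c, ids in by_conn.items() if len(ids) > 1}


def idle_child_sas(child):
    """CHILD_SAs that are installed but have moved no bytes in either
    direction, i.e. the tunnel exists but nothing is using it yet."""
    return sorted(k for k, c in child.items()
                  if c["bytes_in"] == 0 and c["bytes_out"] == 0)


if __name__ == "__main__":
    ike, child = parse_status(SAMPLE_STATUS)
    for conn, ids in redundant_ike_sas(ike).items():
        print(f"WARNING: {conn} has {len(ids)} ESTABLISHED IKE_SAs {ids}")
    for (conn, sa_id), c in sorted(child.items()):
        print(f"{conn}{{{sa_id}}}: {c['mode']} {c['alg']} "
              f"spi_in={c['spi_in']} spi_out={c['spi_out']} "
              f"in={c['bytes_in']}B out={c['bytes_out']}B")
    for conn, sa_id in idle_child_sas(child):
        print(f"note: {conn}{{{sa_id}}} has carried no traffic yet")
```

On a live host, feed it `ipsec statusall` output instead of the sample; the ESP SPIs it prints should match the `spi` values shown by `ip -s xfrm state`, which is the quickest way to confirm that the kernel holds exactly the SAs charon believes it installed.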