[strongSwan] "ipsec status" shows unexpected output

Meera Sudhakar mira.sudhakar at gmail.com
Wed Sep 7 12:37:46 CEST 2011


Hi,

I have two end-points, between which I have created two identical tunnels.
However, the command "ipsec status" does not show the two tunnels in the way
I expect. Please find the required info below:

*/etc/ipsec.conf on end-point 1:*
root@vc1_TPC2:~# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        #plutostderrlog=/var/log/syslog
        # plutodebug=control
        # crlcheckinterval=600
        strictcrlpolicy=no
        # cachecrls=yes
        # nat_traversal=yes
        charonstart=yes
        charondebug=control
        plutostart=no
# Add connections here.

ca strongswan
        cacert=caCert.der
        auto=add
conn %default
        type=tunnel
        left=169.254.0.70
        leftcert=VC1Cert.der
        right=169.254.1.70
        rightid="C=CH, O=strongSwan, CN=169.254.1.70"
        keyexchange=ikev2
        auto=start
conn tunnel1
        leftsubnet=169.254.0.0/24
        rightsubnet=169.254.1.0/24
        mark=10
conn tunnel2
        leftsubnet=169.254.0.0/24
        rightsubnet=169.254.1.0/24
        mark=20


*/etc/ipsec.conf on end-point 2:*
root@vc2_TPC2:~# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        # plutodebug=control
        # crlcheckinterval=600
        strictcrlpolicy=no
        # cachecrls=yes
        # nat_traversal=yes
        charonstart=yes
        plutostart=no
        charondebug=control
# Add connections here.

ca strongswan
        cacert=caCert.der
        auto=add
conn %default
        type=tunnel
        left=169.254.1.70
        leftcert=VC2Cert.der
        right=169.254.0.70
        rightid="C=CH, O=strongSwan, CN=169.254.0.70"
        keyexchange=ikev2
        auto=start
conn tunnel1
        leftsubnet=169.254.1.0/24
        rightsubnet=169.254.0.0/24
        mark=10
conn tunnel2
        leftsubnet=169.254.1.0/24
        rightsubnet=169.254.0.0/24
        mark=20


*ipsec status on end-point 1:*
root@vc1_TPC2:~# ipsec status
Security Associations:
     tunnel1[1]: ESTABLISHED 14 minutes ago, 169.254.0.70[C=CH, O=strongSwan, CN=169.254.0.70]...169.254.1.70[C=CH, O=strongSwan, CN=169.254.1.70]
     tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: ccd3d0ec_i c8d1ad66_o
     tunnel1{3}:   169.254.0.0/24 === 169.254.1.0/24
     tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: cc6da619_i c28e4022_o
     tunnel2{4}:   169.254.0.0/24 === 169.254.1.0/24

*ipsec status on end-point 2:*
root@vc2_TPC2:~# ipsec status
Security Associations:
     tunnel1[2]: ESTABLISHED 14 minutes ago, 169.254.1.70[C=CH, O=strongSwan, CN=169.254.1.70]...169.254.0.70[C=CH, O=strongSwan, CN=169.254.0.70]
     tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c8d1ad66_i ccd3d0ec_o
     tunnel1{3}:   169.254.1.0/24 === 169.254.0.0/24
     tunnel1{4}:  INSTALLED, TUNNEL, ESP SPIs: c28e4022_i cc6da619_o
     tunnel1{4}:   169.254.1.0/24 === 169.254.0.0/24

The questions I have are:
1. End-point 1 shows tunnel1{3} and tunnel2{4}, while end-point 2 shows only
tunnel1 with either {3} or {4}. Could you please tell me why it does not
show tunnel2? Also, this varies from time to time. Sometimes the numbers in
flower brackets are different, and sometimes they are the same.
2. What do the numbers in flower brackets denote?

Also, please let me know if I have configured anything incorrectly, which
may be causing this.

Thanks and regards,
Meera
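Added example (not part of the original post or of strongSwan itself): in the output quoted above, the number in square brackets is the IKE_SA's unique id and the number in curly braces is the CHILD_SA's unique id; the ESP SPIs, not the conn labels, identify a CHILD_SA, and each inbound SPI on one end-point is the outbound SPI on the other. The script below parses both status dumps (embedded as constructed sample input copied from the post), pairs the CHILD_SAs across the two end-points by SPI, and flags conns whose traffic selectors are identical, which is what a practitioner would check before looking at the labels.

```python
import re
from collections import defaultdict

# Constructed sample input: the two "ipsec status" dumps from the post (IKE_SA line omitted).
STATUS_EP1 = """\
     tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: ccd3d0ec_i c8d1ad66_o
     tunnel1{3}:   169.254.0.0/24 === 169.254.1.0/24
     tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: cc6da619_i c28e4022_o
     tunnel2{4}:   169.254.0.0/24 === 169.254.1.0/24
"""
STATUS_EP2 = """\
     tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c8d1ad66_i ccd3d0ec_o
     tunnel1{3}:   169.254.1.0/24 === 169.254.0.0/24
     tunnel1{4}:  INSTALLED, TUNNEL, ESP SPIs: c28e4022_i cc6da619_o
     tunnel1{4}:   169.254.1.0/24 === 169.254.0.0/24
"""

# "name{id}: INSTALLED, MODE, ESP SPIs: xxxx_i yyyy_o"
CHILD_RE = re.compile(r"^\s*(?P<name>\S+)\{(?P<id>\d+)\}:\s+INSTALLED,\s+\S+,\s+ESP SPIs:"
                      r"\s+(?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o")
# "name{id}:   local/ts === remote/ts"
TS_RE = re.compile(r"^\s*(?P<name>\S+)\{(?P<id>\d+)\}:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)")

def parse_child_sas(status):
    """Return {child_id: {name, spi_in, spi_out, local, remote}} from ipsec status text."""
    sas = {}
    for line in status.splitlines():
        m = CHILD_RE.match(line)
        if m:
            sas[int(m["id"])] = {"name": m["name"], "spi_in": m["spi_in"], "spi_out": m["spi_out"]}
            continue
        m = TS_RE.match(line)
        if m and int(m["id"]) in sas:
            sas[int(m["id"])].update(local=m["local"], remote=m["remote"])
    return sas

def pair_child_sas(local_sas, peer_sas):
    """Pair each local CHILD_SA with the peer entry whose SPIs mirror it (our _i == their _o)."""
    by_out = {sa["spi_out"]: (cid, sa) for cid, sa in peer_sas.items()}
    pairs = []
    for cid, sa in sorted(local_sas.items()):
        peer = by_out.get(sa["spi_in"])
        ok = peer is not None and peer[1]["spi_in"] == sa["spi_out"]
        pairs.append((f'{sa["name"]}{{{cid}}}', f'{peer[1]["name"]}{{{peer[0]}}}' if ok else None))
    return pairs

def duplicate_selectors(sas):
    """Group CHILD_SA labels that carry identical local === remote traffic selectors."""
    groups = defaultdict(list)
    for cid, sa in sas.items():
        groups[(sa.get("local"), sa.get("remote"))].append(f'{sa["name"]}{{{cid}}}')
    return [g for g in groups.values() if len(g) > 1]
```

Running `pair_child_sas(parse_child_sas(STATUS_EP1), parse_child_sas(STATUS_EP2))` shows that end-point 1's tunnel2{4} is the same CHILD_SA as end-point 2's tunnel1{4}, and `duplicate_selectors` reports that both conns on each end-point negotiate the same selectors.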