[strongSwan] Multiple IKE SA for different dpd delay

Vinay Prabhakar M vinay.prabhakar.ext at nsn.com
Mon Dec 10 14:19:54 CET 2012


Hi,

We are facing a scenario where 2 policies have the same tunnel endpoints but
different dpd delay values. Now we see 2 IKE_INIT_SA and 2 tunnels are
created.

Following is the configuration:

conn conn12
  type=tunnel
  leftsubnet=6.6.6.4/32
  rightsubnet=6.6.6.6/32
  left=6.6.6.4
  right=6.6.6.6
  keyexchange=ikev2
  reauth=no
  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
  ikelifetime=83376s
  esp=aes128-sha1,3des-sha1!
  authby=pubkey
  rightid=%any
  keylife=86400s
  dpdaction=restart
  dpddelay=20s
  dpdtimeout=120s
  rekeyfuzz=50%
  rekeymargin=180s

conn conn13
  type=tunnel
  leftsubnet=5.5.5.4/32
  rightsubnet=0.0.0.0/0
  left=6.6.6.4
  right=6.6.6.6
  keyexchange=ikev2
  reauth=no
  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
  ikelifetime=83376s
  esp=aes128-sha1,3des-sha1!
  authby=pubkey
  rightid=%any
  keylife=86400s
  dpdaction=restart
  dpddelay=10s
  dpdtimeout=120s
  rekeyfuzz=50%
  rekeymargin=180s

Now when we use the same policies but different DH values, that is, one policy
has modp1024 and another modp2048 as shown below, only 1 IKE_INIT_SA is sent.

conn conn12
  type=tunnel
  leftsubnet=6.6.6.4/32
  rightsubnet=6.6.6.6/32
  left=6.6.6.4
  right=6.6.6.6
  keyexchange=ikev2
  reauth=no
  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
  ikelifetime=83376s
  esp=aes128-sha1,3des-sha1!
  authby=pubkey
  rightid=%any
  keylife=86400s
  dpdaction=restart
  dpddelay=20s
  dpdtimeout=120s
  rekeyfuzz=50%
  rekeymargin=180s

conn conn13
  type=tunnel
  leftsubnet=5.5.5.4/32
  rightsubnet=0.0.0.0/0
  left=6.6.6.4
  right=6.6.6.6
  keyexchange=ikev2
  reauth=no
  ike=aes128-sha1-modp2048,3des-sha1-modp2048!
  ikelifetime=83376s
  esp=aes128-sha1,3des-sha1!
  authby=pubkey
  rightid=%any
  keylife=86400s
  dpdaction=restart
  dpddelay=10s
  dpdtimeout=120s
  rekeyfuzz=50%
  rekeymargin=180s

I know the DH value is a negotiated value while the DPD delay is local and does
not depend on the peer.

We are using strongSwan 4.5.0.

Request your help.

Thanks,

Vinay
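The conn sections above, parsed and diffed by an added example (not code from the post or from strongSwan): it lists the settings that differ between two ipsec.conf conns and tags each as IKE_SA-scoped or CHILD_SA-scoped. The scoping table is an assumption drawn from strongSwan's ipsec.conf documentation, and the sample input is the post's first conn12/conn13 pair trimmed to a few keys; for that pair only dpddelay lands on the IKE_SA side, the setting the post singles out as local to each peer.

```python
import re

# Assumed scoping of ipsec.conf keywords (from strongSwan's ipsec.conf docs):
# kept on the IKE_SA (peer/ike config) vs. kept on each CHILD_SA.
IKE_SA_KEYS = {"left", "right", "leftid", "rightid", "keyexchange", "ike",
               "ikelifetime", "reauth", "authby", "dpddelay", "dpdtimeout"}
CHILD_SA_KEYS = {"type", "leftsubnet", "rightsubnet", "esp", "keylife",
                 "dpdaction"}
SCOPE = {**{k: "ike_sa" for k in IKE_SA_KEYS},
         **{k: "child_sa" for k in CHILD_SA_KEYS}}

# Constructed sample: the post's first conn12/conn13 pair, trimmed to the keys
# needed to show the point (same endpoints, dpddelay is the IKE-side difference).
SAMPLE_CONF = """\
conn conn12
  leftsubnet=6.6.6.4/32
  rightsubnet=6.6.6.6/32
  left=6.6.6.4
  right=6.6.6.6
  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
  dpddelay=20s

conn conn13
  leftsubnet=5.5.5.4/32
  rightsubnet=0.0.0.0/0
  left=6.6.6.4
  right=6.6.6.6
  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
  dpddelay=10s
"""

def parse_conns(text):
    """Parse 'conn NAME' sections with indented key=value lines into dicts."""
    conns, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^conn\s+(\S+)\s*$", line)
        if head:
            current = conns.setdefault(head.group(1), {})
            continue
        kv = re.match(r"^\s+(\w+)\s*=\s*(.*?)\s*$", line)
        if kv and current is not None:
            current[kv.group(1)] = kv.group(2)
    return conns

def scoped_differences(a, b):
    """Keys whose values differ between conns a and b, grouped by SA scope."""
    out = {"ike_sa": [], "child_sa": [], "unclassified": []}
    for key in sorted(set(a) | set(b)):
        if a.get(key) != b.get(key):
            out[SCOPE.get(key, "unclassified")].append(key)
    return out
```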
