[strongSwan] IKEv1 duplicate tunnels installed (4 SPIs)?

yordanos beyene yordanosb at gmail.com
Thu Jul 5 00:59:24 CEST 2012


Hi,

I created *site-to-site* vpn with strongSwan 5.0.0. IKEv1 installs
duplicate tunnels but IKEv2 works as expected.
See my configuration and ipsec statusall output for both scenarios. Please
advise if the IKEv1 output is expected or if there is any change I need to
make in my configuration.

strongswan is running on two centos machines, and my end hosts are win7. I
initiated the IKE negotiation by staring ping from one win7 host to other.

*=====IKEv1 configuration and ipsec statusall=====*
*ipsec.conf for centos1*
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        #plutodebug=control
        #plutostart=no
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
conn net-net
        keyingtries=1
        keyexchange=ikev1
        authby=secret
        left=172.16.20.1
        leftsubnet=172.16.50.0/24
        leftid=@centos1.test.net
        leftfirewall=no
        right=172.16.20.2
        rightsubnet=172.16.60.0/24
        rightid=@centos2.test.net
        auto=route
 *ipsec.conf for centos2*
  # ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        #plutodebug=control
        #plutostart=no
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
conn net-net
        keyingtries=1
        keyexchange=ikev1
        authby=secret
        left=172.16.20.2
        leftsubnet=172.16.60.0/24
        leftid=@centos2.test.net
        leftfirewall=no
        right=172.16.20.1
        rightsubnet=172.16.50.0/24
        rightid=@centos1.test.net
        auto=route

*centos1 ipsecstatusall output*
[root at centos-01 ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.0, Linux 2.6.32-220.el6.i686,
i686):
  uptime: 65 seconds, since Jul 04 12:58:34 2012
...
Listening IP addresses:
  172.16.20.1
  172.16.50.1
  192.168.0.114
Connections:
     net-net:  172.16.20.1...172.16.20.2  IKEv1
     net-net:   local:  [centos1.test.net] uses pre-shared key
authentication
     net-net:   remote: [centos2.test.net] uses pre-shared key
authentication
     net-net:   child:  172.16.50.0/24 === 172.16.60.0/24 TUNNEL
Routed Connections:
     net-net{1}:  ROUTED, TUNNEL
     net-net{1}:   172.16.50.0/24 === 172.16.60.0/24
Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 26 seconds ago, 172.16.20.1[centos1.test.net
]...172.16.20.2[centos2.test.net]
     net-net[1]: IKEv1 SPIs: e36ac562faaf6552_i* 2d73a82503c8ba33_r,
pre-shared key reauthentication in 54 minutes
     net-net[1]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     *net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c3287b68_i c7445ee4_o
*     net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 1020 bytes_o (1s
ago), rekeying in 15 minutes
     net-net{1}:   172.16.50.10/32[icmp/8] === 172.16.60.10/32[icmp]
     *net-net{2}:  INSTALLED, TUNNEL, ESP SPIs: ccd6a57c_i c71087c5_o
*     net-net{2}:  AES_CBC_128/HMAC_SHA1_96, 960 bytes_i (1s ago), 0
bytes_o, rekeying in 14 minutes
     net-net{2}:   172.16.50.10/32[icmp] === 172.16.60.10/32[icmp]
 *centos2 ipsecstatusall output:*
[root at centos-02 ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.0, Linux 2.6.32-220.el6.i686,
i686):
  uptime: 39 seconds, since Jul 04 12:58:45 2012
...
Listening IP addresses:
  172.16.20.2
  172.16.60.1
  192.168.0.115
Connections:
     net-net:  172.16.20.2...172.16.20.1  IKEv1
     net-net:   local:  [centos2.test.net] uses pre-shared key
authentication
     net-net:   remote: [centos1.test.net] uses pre-shared key
authentication
     net-net:   child:  172.16.60.0/24 === 172.16.50.0/24 TUNNEL
Routed Connections:
     net-net{1}:  ROUTED, TUNNEL
     net-net{1}:   172.16.60.0/24 === 172.16.50.0/24
Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 18 seconds ago, 172.16.20.2[centos2.test.net
]...172.16.20.1[centos1.test.net]
     net-net[1]: IKEv1 SPIs: e36ac562faaf6552_i 2d73a82503c8ba33_r*,
pre-shared key reauthentication in 54 minutes
     net-net[1]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    * net-net{2}:  INSTALLED, TUNNEL, ESP SPIs: c7445ee4_i c3287b68_o
*     net-net{2}:  AES_CBC_128/HMAC_SHA1_96, 660 bytes_i (0s ago), 0
bytes_o, rekeying in 14 minutes
     net-net{2}:   172.16.60.10/32[icmp] === 172.16.50.10/32[icmp/8]
     *net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c71087c5_i ccd6a57c_o
*     net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 600 bytes_o (0s
ago), rekeying in 14 minutes
     net-net{1}:   172.16.60.10/32[icmp] === 172.16.50.10/32[icmp]
 *=====IKEv2 configuration and ipsec statusall=====*
 *ipsec.conf for centos1 and centos2*
ipsec.conf for centos1 and centos 2 is identical to IKEv1 configuration
with the exception that "keyexchange=ikev2" instead of "keyexchange=ikev1"
*centos1 ipsecstatusall output:*
[root at centos-01 ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.0, Linux 2.6.32-220.el6.i686,
i686):
  uptime: 52 seconds, since Jul 04 13:03:28 2012
....
Listening IP addresses:
  172.16.20.1
  172.16.50.1
  192.168.0.114
Connections:
     net-net:  172.16.20.1...172.16.20.2  IKEv2
     net-net:   local:  [centos1.test.net] uses pre-shared key
authentication
     net-net:   remote: [centos2.test.net] uses pre-shared key
authentication
     net-net:   child:  172.16.50.0/24 === 172.16.60.0/24 TUNNEL
Routed Connections:
     net-net{1}:  ROUTED, TUNNEL
     net-net{1}:   172.16.50.0/24 === 172.16.60.0/24
Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 14 seconds ago, 172.16.20.1[centos1.test.net
]...172.16.20.2[centos2.test.net]
     net-net[1]: IKEv2 SPIs: e2b4f97331fbc456_i* cb94400f15735d88_r,
pre-shared key reauthentication in 51 minutes
     net-net[1]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    * net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c3ea4626_i cd83b323_o
*     net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 600 bytes_i (0s ago), 600
bytes_o (0s ago), rekeying in 13 minutes
     net-net{1}:   172.16.50.0/24 === 172.16.60.0/24
===

 *centos2 ipsecstatusall output:*
[root at centos-02 ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.0, Linux 2.6.32-220.el6.i686,
i686):
  uptime: 87 seconds, since Jul 04 13:03:45 2012
...
Listening IP addresses:
  172.16.20.2
  172.16.60.1
  192.168.0.115
Connections:
     net-net:  172.16.20.2...172.16.20.1  IKEv2
     net-net:   local:  [centos2.test.net] uses pre-shared key
authentication
     net-net:   remote: [centos1.test.net] uses pre-shared key
authentication
     net-net:   child:  172.16.60.0/24 === 172.16.50.0/24 TUNNEL
Routed Connections:
     net-net{1}:  ROUTED, TUNNEL
     net-net{1}:   172.16.60.0/24 === 172.16.50.0/24
Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 75 seconds ago, 172.16.20.2[centos2.test.net
]...172.16.20.1[centos1.test.net]
     net-net[1]: IKEv2 SPIs: e2b4f97331fbc456_i cb94400f15735d88_r*,
pre-shared key reauthentication in 53 minutes
     net-net[1]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    * net-net{2}:  INSTALLED, TUNNEL, ESP SPIs: cd83b323_i c3ea4626_o
*     net-net{2}:  AES_CBC_128/HMAC_SHA1_96, 4140 bytes_i (1s ago), 4140
bytes_o (1s ago), rekeying in 13 minutes
     net-net{2}:   172.16.60.0/24 === 172.16.50.0/24

Thanks you!

Jordan.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120704/e666704a/attachment.html>


More information about the Users mailing list