[strongSwan] IKEv1 duplicate tunnels installed (4 SPIs)?

yordanos beyene yordanosb at gmail.com
Fri Jul 6 10:44:55 CEST 2012


Hi Again,

Can anyone please explain why strongSwan 5.0.0 IKEv1 installs two
tunnels but only one with IKEv2? Is this expected behaviour?

Thanks!

Jordan.
On Wed, Jul 4, 2012 at 3:59 PM, yordanos beyene <yordanosb at gmail.com> wrote:

> Hi,
>
> I created *site-to-site* vpn with strongSwan 5.0.0. IKEv1 installs
> duplicate tunnels but IKEv2 works as expected.
> See my configuration and ipsec statusall output for both scenarios. Please
> advise if the IKEv1 output is expected or if there is any change I need to
> make in my configuration.
>
> strongswan is running on two centos machines, and my end hosts are win7. I
> initiated the IKE negotiation by starting ping from one win7 host to the other.
>
> ===== IKEv1 configuration and ipsec statusall =====
> ipsec.conf for centos1
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>         #plutodebug=control
>         #plutostart=no
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
> conn net-net
>         keyingtries=1
>         keyexchange=ikev1
>         authby=secret
>         left=172.16.20.1
>         leftsubnet=172.16.50.0/24
>         leftid=@centos1.test.net
>         leftfirewall=no
>         right=172.16.20.2
>         rightsubnet=172.16.60.0/24
>         rightid=@centos2.test.net
>         auto=route
> ipsec.conf for centos2
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>         #plutodebug=control
>         #plutostart=no
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
> conn net-net
>         keyingtries=1
>         keyexchange=ikev1
>         authby=secret
>         left=172.16.20.2
>         leftsubnet=172.16.60.0/24
>         leftid=@centos2.test.net
>         leftfirewall=no
>         right=172.16.20.1
>         rightsubnet=172.16.50.0/24
>         rightid=@centos1.test.net
>         auto=route
>
> centos1 ipsec statusall output
> [root@centos-01 ~]# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.0.0, Linux 2.6.32-220.el6.i686, i686):
>   uptime: 65 seconds, since Jul 04 12:58:34 2012
> ...
> Listening IP addresses:
>   172.16.20.1
>   172.16.50.1
>   192.168.0.114
> Connections:
>      net-net:  172.16.20.1...172.16.20.2  IKEv1
>      net-net:   local:  [centos1.test.net] uses pre-shared key authentication
>      net-net:   remote: [centos2.test.net] uses pre-shared key authentication
>      net-net:   child:  172.16.50.0/24 === 172.16.60.0/24 TUNNEL
> Routed Connections:
>      net-net{1}:  ROUTED, TUNNEL
>      net-net{1}:   172.16.50.0/24 === 172.16.60.0/24
> Security Associations (1 up, 0 connecting):
>      net-net[1]: ESTABLISHED 26 seconds ago, 172.16.20.1[centos1.test.net]...172.16.20.2[centos2.test.net]
>      net-net[1]: IKEv1 SPIs: e36ac562faaf6552_i* 2d73a82503c8ba33_r, pre-shared key reauthentication in 54 minutes
>      net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>      net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c3287b68_i c7445ee4_o
>      net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 1020 bytes_o (1s ago), rekeying in 15 minutes
>      net-net{1}:   172.16.50.10/32[icmp/8] === 172.16.60.10/32[icmp]
>      net-net{2}:  INSTALLED, TUNNEL, ESP SPIs: ccd6a57c_i c71087c5_o
>      net-net{2}:  AES_CBC_128/HMAC_SHA1_96, 960 bytes_i (1s ago), 0 bytes_o, rekeying in 14 minutes
>      net-net{2}:   172.16.50.10/32[icmp] === 172.16.60.10/32[icmp]
> centos2 ipsec statusall output:
> [root@centos-02 ~]# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.0.0, Linux 2.6.32-220.el6.i686, i686):
>   uptime: 39 seconds, since Jul 04 12:58:45 2012
> ...
> Listening IP addresses:
>   172.16.20.2
>   172.16.60.1
>   192.168.0.115
> Connections:
>      net-net:  172.16.20.2...172.16.20.1  IKEv1
>      net-net:   local:  [centos2.test.net] uses pre-shared key authentication
>      net-net:   remote: [centos1.test.net] uses pre-shared key authentication
>      net-net:   child:  172.16.60.0/24 === 172.16.50.0/24 TUNNEL
> Routed Connections:
>      net-net{1}:  ROUTED, TUNNEL
>      net-net{1}:   172.16.60.0/24 === 172.16.50.0/24
> Security Associations (1 up, 0 connecting):
>      net-net[1]: ESTABLISHED 18 seconds ago, 172.16.20.2[centos2.test.net]...172.16.20.1[centos1.test.net]
>      net-net[1]: IKEv1 SPIs: e36ac562faaf6552_i 2d73a82503c8ba33_r*, pre-shared key reauthentication in 54 minutes
>      net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>      net-net{2}:  INSTALLED, TUNNEL, ESP SPIs: c7445ee4_i c3287b68_o
>      net-net{2}:  AES_CBC_128/HMAC_SHA1_96, 660 bytes_i (0s ago), 0 bytes_o, rekeying in 14 minutes
>      net-net{2}:   172.16.60.10/32[icmp] === 172.16.50.10/32[icmp/8]
>      net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c71087c5_i ccd6a57c_o
>      net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 600 bytes_o (0s ago), rekeying in 14 minutes
>      net-net{1}:   172.16.60.10/32[icmp] === 172.16.50.10/32[icmp]
> ===== IKEv2 configuration and ipsec statusall =====
> ipsec.conf for centos1 and centos2
> ipsec.conf for centos1 and centos2 is identical to the IKEv1 configuration
> with the exception of "keyexchange=ikev2" instead of "keyexchange=ikev1".
> centos1 ipsec statusall output:
> [root@centos-01 ~]# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.0.0, Linux 2.6.32-220.el6.i686, i686):
>   uptime: 52 seconds, since Jul 04 13:03:28 2012
> ...
> Listening IP addresses:
>   172.16.20.1
>   172.16.50.1
>   192.168.0.114
> Connections:
>      net-net:  172.16.20.1...172.16.20.2  IKEv2
>      net-net:   local:  [centos1.test.net] uses pre-shared key authentication
>      net-net:   remote: [centos2.test.net] uses pre-shared key authentication
>      net-net:   child:  172.16.50.0/24 === 172.16.60.0/24 TUNNEL
> Routed Connections:
>      net-net{1}:  ROUTED, TUNNEL
>      net-net{1}:   172.16.50.0/24 === 172.16.60.0/24
> Security Associations (1 up, 0 connecting):
>      net-net[1]: ESTABLISHED 14 seconds ago, 172.16.20.1[centos1.test.net]...172.16.20.2[centos2.test.net]
>      net-net[1]: IKEv2 SPIs: e2b4f97331fbc456_i* cb94400f15735d88_r, pre-shared key reauthentication in 51 minutes
>      net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>      net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c3ea4626_i cd83b323_o
>      net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 600 bytes_i (0s ago), 600 bytes_o (0s ago), rekeying in 13 minutes
>      net-net{1}:   172.16.50.0/24 === 172.16.60.0/24
>
> centos2 ipsec statusall output:
> [root@centos-02 ~]# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.0.0, Linux 2.6.32-220.el6.i686, i686):
>   uptime: 87 seconds, since Jul 04 13:03:45 2012
> ...
> Listening IP addresses:
>   172.16.20.2
>   172.16.60.1
>   192.168.0.115
> Connections:
>      net-net:  172.16.20.2...172.16.20.1  IKEv2
>      net-net:   local:  [centos2.test.net] uses pre-shared key authentication
>      net-net:   remote: [centos1.test.net] uses pre-shared key authentication
>      net-net:   child:  172.16.60.0/24 === 172.16.50.0/24 TUNNEL
> Routed Connections:
>      net-net{1}:  ROUTED, TUNNEL
>      net-net{1}:   172.16.60.0/24 === 172.16.50.0/24
> Security Associations (1 up, 0 connecting):
>      net-net[1]: ESTABLISHED 75 seconds ago, 172.16.20.2[centos2.test.net]...172.16.20.1[centos1.test.net]
>      net-net[1]: IKEv2 SPIs: e2b4f97331fbc456_i cb94400f15735d88_r*, pre-shared key reauthentication in 53 minutes
>      net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>      net-net{2}:  INSTALLED, TUNNEL, ESP SPIs: cd83b323_i c3ea4626_o
>      net-net{2}:  AES_CBC_128/HMAC_SHA1_96, 4140 bytes_i (1s ago), 4140 bytes_o (1s ago), rekeying in 13 minutes
>      net-net{2}:   172.16.60.0/24 === 172.16.50.0/24
>
> Thank you!
>
> Jordan.
>
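The IKEv1 status above lists two INSTALLED CHILD_SAs (four ESP SPIs) under the single net-net connection, both with host-to-host ICMP selectors, while the IKEv2 status lists one. As an added example that is not part of this thread or of strongSwan itself, the Python below parses `ipsec statusall` output and flags CHILD_SAs of the same connection whose traffic selectors overlap, which is the check an operator would run on a gateway to spot this condition; the sample text is constructed from the centos1 output quoted above, and the two regular expressions are assumptions about the 5.0.0 status line format.

```python
import ipaddress
import re

# Constructed sample: CHILD_SA lines of the IKEv1 `ipsec statusall` output quoted in the post.
SAMPLE = """\
     net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c3287b68_i c7445ee4_o
     net-net{1}:   172.16.50.10/32[icmp/8] === 172.16.60.10/32[icmp]
     net-net{2}:  INSTALLED, TUNNEL, ESP SPIs: ccd6a57c_i c71087c5_o
     net-net{2}:   172.16.50.10/32[icmp] === 172.16.60.10/32[icmp]
"""

# "<conn>{<id>}:  INSTALLED, ..., ESP SPIs: <in>_i <out>_o"  (assumed 5.0.0 format)
INSTALLED_RE = re.compile(r"^\s*(?P<conn>[\w-]+)\{(?P<id>\d+)\}:\s+INSTALLED,.*"
                          r"ESP SPIs:\s+(?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o")
# "<conn>{<id>}:   <local TS> === <remote TS>"; kept only for an already-seen INSTALLED SA,
# so the selector lines under "Routed Connections" (printed earlier) are ignored
TS_RE = re.compile(r"^\s*(?P<conn>[\w-]+)\{(?P<id>\d+)\}:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)\s*$")

def parse_child_sas(text):
    """Map (conn, child id) -> {spi_in, spi_out, local, remote} for each INSTALLED CHILD_SA."""
    sas = {}
    for line in text.splitlines():
        m = INSTALLED_RE.match(line)
        if m:
            sas[(m["conn"], int(m["id"]))] = {"spi_in": m["spi_in"], "spi_out": m["spi_out"]}
            continue
        m = TS_RE.match(line)
        if m and (m["conn"], int(m["id"])) in sas:
            sas[(m["conn"], int(m["id"]))].update(local=m["local"], remote=m["remote"])
    return sas

def _selector(ts):
    """'172.16.50.10/32[icmp/8]' -> (IPv4Network('172.16.50.10/32'), 'icmp'); type/port dropped."""
    m = re.match(r"^([^\[]+)(?:\[([^\]/]*)[^\]]*\])?$", ts)
    return ipaddress.ip_network(m.group(1), strict=False), (m.group(2) or "")

def find_duplicate_child_sas(text):
    """Pairs of CHILD_SAs of one connection whose selectors overlap (same or unset protocol)."""
    sas = parse_child_sas(text)
    keys = sorted(k for k in sas if "local" in sas[k])
    dups = []
    for i, a in enumerate(keys):
        for b in keys[i + 1:]:
            if a[0] != b[0]:
                continue
            la, pa = _selector(sas[a]["local"]); ra, _ = _selector(sas[a]["remote"])
            lb, pb = _selector(sas[b]["local"]); rb, _ = _selector(sas[b]["remote"])
            if (pa == pb or not pa or not pb) and la.overlaps(lb) and ra.overlaps(rb):
                dups.append((a, b))
    return dups
```

Feeding it the IKEv2 output from the thread, which has a single CHILD_SA with /24 selectors, returns an empty list.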