[strongSwan] IKEv1 strongswan status showing multiple IPSec SAs for the same tunnel
vinay.prabhakar at wipro.com
Wed Jun 13 12:55:41 CEST 2012
Hi,
I am facing an issue with IKEv1 where multiple IPsec SAs are seen for the same tunnel.
I have set up two Linux PCs with strongSwan 4.6.2 and the configurations below. I have also attached the pluto logs of both PCs.
I would really appreciate some help.
Thanks,
Vinay
PC1:
[root at linuxpc2 etc]# cat ipsec.conf
config setup
    plutostart=yes
    plutodebug=controlmore
    nat_traversal=no
    uniqueids=no
    charonstart=yes
    plutostderrlog=/tmp/plutolog.txt
    charondebug="dmn 1, mgr 1, ike 1, chd 1, job 1, cfg 1, knl 1, net 1, enc 1, lib 1"

ca rootca0
    cacert=cacert.pem
    auto=start

conn %default
    leftcert=/usr/local/etc/ipsec.d/certs/bts_cert.pem
    auto=start
    pfs=no
    keyingtries=%forever
    forceencaps=no
    mobike=no

conn conn100
    type=tunnel
    leftsubnet=10.10.10.6/24
    rightsubnet=10.10.10.7/24
    left=10.10.10.6
    right=10.10.10.7
    keyexchange=ikev1
    reauth=no
    ike=3des-sha1-modp1024!
    ikelifetime=83376s
    esp=3des-sha1!
    authby=pubkey
    rightid=%any
    keylife=300s
    dpdaction=restart
    dpddelay=10s
    dpdtimeout=120s
    rekeyfuzz=50%
    rekeymargin=180s
    leftprotoport=1
    rightprotoport=1
PC2:
[root at Fed14 etc]# cat ipsec.conf
config setup
    plutostart=yes
    plutodebug=none
    nat_traversal=no
    uniqueids=no
    charonstart=yes
    plutostderrlog=/tmp/plutolog.txt
    charondebug="dmn 1, mgr 1, ike 2, chd 1, job 1, cfg 2, knl 1, net 1, enc 2, lib 1"

ca rootca0
    cacert=cacert.pem

conn %default
    leftcert=/etc/ipsec.d/certs/oms_cert.pem
    auto=add
    pfs=no
    keyingtries=%forever
    forceencaps=no
    mobike=no

conn conn502
    type=tunnel
    leftsubnet=10.10.10.7/24
    rightsubnet=10.10.10.6/24
    left=10.10.10.7
    right=10.10.10.6
    keyexchange=ikev1
    reauth=no
    ike=3des-sha1-modp1024!
    ikelifetime=83376s
    esp=3des-sha1!
    authby=pubkey
    rightid=%any
    keylife=86400s
    dpdaction=restart
    dpddelay=10s
    dpdtimeout=120s
    rekeyfuzz=50%
    rekeymargin=180s
    leftprotoport=1
    rightprotoport=1
Statusall of PC1:
[root at linuxpc2 etc]# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.6.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth1/eth1 10.10.10.6:500
000 interface eth2/eth2 10.125.40.64:500
000 interface virbr0/virbr0 192.168.122.1:500
000 %myid = '%any'
000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
000 debug options: controlmore
000
000 "conn100": 10.10.10.0/24===10.10.10.6[C=IN, ST=BLR, O=Wipro Technologies, OU=RA, CN=ftm]:1/0...10.10.10.7[10.10.10.7]:1/0===10.10.10.0/24; erouted; eroute owner: #6
000 "conn100": CAs: "O=Wipro Technologies, OU=RA, E=karanjot.singh at wipro.com, L=BLR, ST=BLR, C=IN, CN=NSN ODC Test CA"...%any
000 "conn100": ike_life: 83376s; ipsec_life: 300s; rekey_margin: 180s; rekey_fuzz: 50%; keyingtries: 0
000 "conn100": dpd_action: restart; dpd_delay: 10s; dpd_timeout: 120s;
000 "conn100": policy: PUBKEY+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth1;
000 "conn100": newest ISAKMP SA: #1; newest IPsec SA: #6;
000 "conn100": IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
000 "conn100": ESP proposal: 3DES_CBC/HMAC_SHA1/<N/A>
000
000 #6: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 70s; newest IPSEC; eroute owner
000 #6: "conn100" esp.cd1fefd2 at 10.10.10.7 (0 bytes) esp.c361a998 at 10.10.10.6 (0 bytes); tunnel
000 #5: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 231s
000 #5: "conn100" esp.c1c20f9a at 10.10.10.7 (0 bytes) esp.c9efac8d at 10.10.10.6 (0 bytes); tunnel
000 #4: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 185s
000 #4: "conn100" esp.c1a2c0d0 at 10.10.10.7 (0 bytes) esp.c9adba01 at 10.10.10.6 (0 bytes); tunnel
000 #3: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 138s
000 #3: "conn100" esp.c96eb76e at 10.10.10.7 (0 bytes) esp.c2df58a4 at 10.10.10.6 (0 bytes); tunnel
000 #2: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 85s
000 #2: "conn100" esp.c29abdd9 at 10.10.10.7 (0 bytes) esp.c11e8f13 at 10.10.10.6 (0 bytes); tunnel
000 #1: "conn100" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 82911s; newest ISAKMP; DPD active
000
Status of IKEv2 charon daemon (strongSwan 4.6.2):
uptime: 3 minutes, since Jun 13 15:39:21 2012
malloc: sbrk 135168, mmap 0, used 76544, free 58624
worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
Listening IP addresses:
10.10.10.6
10.125.40.64
192.168.122.1
Connections:
Security Associations (0 up, 0 connecting):
none
Statusall of PC2:
[root at Fed14 etc]# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.6.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth1/eth1 10.10.10.7:500
000 interface eth0/eth0 10.125.47.47:500
000 interface eth2/eth2 20.20.20.2:500
000 interface eth1.400/eth1.400 12.1.1.10:500
000 interface eth1.500/eth1.500 16.1.1.10:500
000 interface eth2.400/eth2.400 11.1.1.1:500
000 interface eth2.500/eth2.500 22.1.1.1:500
000 %myid = '%any'
000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
000 "conn502": 10.10.10.0/24===10.10.10.7[C=IN, ST=BLR, O=Wipro Technologies, OU=RA, CN=oms]:1/0...10.10.10.6[10.10.10.6]:1/0===10.10.10.0/24; erouted; eroute owner: #6
000 "conn502": CAs: "O=Wipro Technologies, OU=RA, E=karanjot.singh at wipro.com, L=BLR, ST=BLR, C=IN, CN=NSN ODC Test CA"...%any
000 "conn502": ike_life: 83376s; ipsec_life: 86400s; rekey_margin: 180s; rekey_fuzz: 50%; keyingtries: 0
000 "conn502": dpd_action: restart; dpd_delay: 10s; dpd_timeout: 120s;
000 "conn502": policy: PUBKEY+ENCRYPT+TUNNEL; prio: 24,24; interface: eth1;
000 "conn502": newest ISAKMP SA: #1; newest IPsec SA: #6;
000 "conn502": IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
000 "conn502": ESP proposal: 3DES_CBC/HMAC_SHA1/<N/A>
000
000 #6: "conn502" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 202s; newest IPSEC; eroute owner
000 #6: "conn502" esp.c361a998 at 10.10.10.6 (0 bytes) esp.cd1fefd2 at 10.10.10.7 (0 bytes); tunnel
000 #5: "conn502" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 149s
000 #5: "conn502" esp.c9efac8d at 10.10.10.6 (0 bytes) esp.c1c20f9a at 10.10.10.7 (0 bytes); tunnel
000 #4: "conn502" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 103s
000 #4: "conn502" esp.c9adba01 at 10.10.10.6 (0 bytes) esp.c1a2c0d0 at 10.10.10.7 (0 bytes); tunnel
000 #3: "conn502" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 55s
000 #3: "conn502" esp.c2df58a4 at 10.10.10.6 (0 bytes) esp.c96eb76e at 10.10.10.7 (0 bytes); tunnel
000 #2: "conn502" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3s
000 #2: "conn502" esp.c11e8f13 at 10.10.10.6 (0 bytes) esp.c29abdd9 at 10.10.10.7 (0 bytes); tunnel
000 #1: "conn502" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 83079s; newest ISAKMP; DPD active
000
Status of IKEv2 charon daemon (strongSwan 4.6.2):
uptime: 3 minutes, since Jun 13 15:40:12 2012
malloc: sbrk 135168, mmap 0, used 81296, free 53872
worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
Listening IP addresses:
10.10.10.7
10.125.47.47
20.20.20.2
12.1.1.10
16.1.1.10
11.1.1.1
22.1.1.1
Connections:
Security Associations (0 up, 0 connecting):
none
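An added example, not from the post or the strongSwan project: it parses pluto's "000 #N:" status lines, counts the concurrent Quick Mode SAs per connection, and works out the rekey timing that PC1's keylife=300s, rekeymargin=180s and rekeyfuzz=50% produce. It assumes pluto schedules the initiator's EVENT_SA_REPLACE at keylife - margin*(1 + fuzz*r) with r in [0,1), and that a superseded SA is left to run until its own expiry; the status lines are constructed after the ones in the post.

```python
import math
import re

# Constructed sample, modelled on the pluto "000 #N:" lines in the post above.
SAMPLE_STATUS = """\
000 #6: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 70s; newest IPSEC; eroute owner
000 #5: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 231s
000 #4: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 185s
000 #3: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 138s
000 #2: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 85s
000 #1: "conn100" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 82911s; newest ISAKMP; DPD active
"""

# state number, connection name, state, pending timer event, seconds until that event
SA_LINE = re.compile(r'^000 #(\d+): "([^"]+)" (STATE_\w+) \(.*?\); (EVENT_\w+) in (\d+)s')

def parse_sas(text):
    """Return (state_no, conn, state, event, seconds) for each pluto SA status line."""
    out = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            out.append((int(m[1]), m[2], m[3], m[4], int(m[5])))
    return out

def quick_mode_sas(sas, conn):
    """Only the IPsec (Quick Mode) SAs; STATE_MAIN_*/STATE_AGGR_* is the ISAKMP SA."""
    return [s for s in sas if s[1] == conn and s[2].startswith("STATE_QUICK")]

def rekey_window(keylife, rekeymargin, rekeyfuzz_pct):
    """Earliest and latest SA age (s) at which the initiator starts a replacement.
    Assumption: pluto fires EVENT_SA_REPLACE at keylife - margin*(1 + fuzz*r), r in [0,1)."""
    return keylife - rekeymargin * (1 + rekeyfuzz_pct / 100.0), keylife - rekeymargin

def concurrent_sa_bounds(keylife, rekeymargin, rekeyfuzz_pct):
    """Min/max SAs alive at once if each superseded SA runs out its full keylife."""
    earliest, latest = rekey_window(keylife, rekeymargin, rekeyfuzz_pct)
    return math.ceil(keylife / latest), math.ceil(keylife / earliest)

def rekey_intervals(sas, conn, keylife):
    """Seconds between successive rekeys, recovered from the superseded SAs:
    age = keylife - seconds remaining until EVENT_SA_EXPIRE."""
    ages = sorted(keylife - s[4] for s in quick_mode_sas(sas, conn) if s[3] == "EVENT_SA_EXPIRE")
    ages.reverse()  # oldest SA first
    return [ages[i] - ages[i + 1] for i in range(len(ages) - 1)]

if __name__ == "__main__":
    sas = parse_sas(SAMPLE_STATUS)
    print("concurrent IPsec SAs:", len(quick_mode_sas(sas, "conn100")))            # 5
    print("rekey window (s):", rekey_window(300, 180, 50))                        # (30.0, 120)
    print("possible concurrent SAs:", concurrent_sa_bounds(300, 180, 50))         # (3, 10)
    print("observed rekey intervals (s):", rekey_intervals(sas, "conn100", 300))  # [53, 47, 46]
```

Under those assumptions a 300s keylife with a 180s margin and 50% fuzz rekeys every 30 to 120s while each old SA stays installed for its full 300s, so several valid SAs per tunnel is the expected steady state rather than a fault; the observed 46 to 53s spacing falls inside that window.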