[strongSwan] IKEv1 strongswan status showing multiple IPSec SAs for the same tunnel

Andreas Steffen andreas.steffen at strongswan.org
Wed Jun 13 13:19:54 CEST 2012


Hello Vinay,

your rekeying parameters are most unusual:

  keylife=300s
  rekeymargin=180s
  rekeyfuzz=50%

This means that Quick Mode rekeying starts between

  300s - 1.5*180s = 30s and 300s - 180s = 120s

after the establishment of an IPsec SA with an expected
mean value of 300s - 1.25*180s = 75s.

This gives the following rekeying schedule:

Time  Quick Mode
  0s  SA#1
 75s  SA#2  (rekeying of SA#1)
150s  SA#3  (rekeying of SA#2)
225s  SA#4  (rekeying of SA#3)
300s  SA#1  expires and is deleted
300s  SA#5  (rekeying of SA#4)

As you can easily see, 4 concurrent IPsec SAs are to
be expected with your rekeying settings.

Best regards

Andreas

On 13.06.2012 12:55, vinay.prabhakar at wipro.com wrote:
> Hi,
>  
> I am facing an issue with IKEv1 where multiple IPSec SAs are seen for the
> same tunnel.
> I have set up two Linux PCs with strongSwan 4.6.2 and the configurations
> below. I have also attached the pluto logs of both PCs.
>  
> I would really appreciate some help.
>  
> Thanks,
> Vinay
>  
> *PC1:*
> [root at linuxpc2 etc]# cat ipsec.conf
> config setup
>   plutostart=yes
>   plutodebug=controlmore
>   nat_traversal=no
>   uniqueids=no
>   charonstart=yes
>   plutostderrlog=/tmp/plutolog.txt
>   charondebug="dmn 1, mgr 1, ike 1, chd 1, job 1, cfg 1, knl 1, net 1,
> enc 1, lib 1"
>  
> ca rootca0
>   cacert=cacert.pem
>   auto=start
>  
> conn %default
>   leftcert=/usr/local/etc/ipsec.d/certs/bts_cert.pem
>   auto=start
>   pfs=no
>   keyingtries=%forever
>   forceencaps=no
>   mobike=no
>  
> conn conn100
>   type=tunnel
>   leftsubnet=10.10.10.6/24
>   rightsubnet=10.10.10.7/24
>   left=10.10.10.6
>   right=10.10.10.7
>   keyexchange=ikev1
>   reauth=no 
>   ike=3des-sha1-modp1024!
>   ikelifetime=83376s
>   esp=3des-sha1!
>   authby=pubkey
>   rightid=%any
>   keylife=300s
>   dpdaction=restart
>   dpddelay=10s
>   dpdtimeout=120s
>   rekeyfuzz=50%
>   rekeymargin=180s
>   leftprotoport=1
>   rightprotoport=1
> *PC2:*
> [root at Fed14 etc]# cat ipsec.conf
> config setup
>   plutostart=yes
>   plutodebug=none
>   nat_traversal=no
>   uniqueids=no
>   charonstart=yes
>   plutostderrlog=/tmp/plutolog.txt
>   charondebug="dmn 1, mgr 1, ike 2, chd 1, job 1, cfg 2, knl 1, net 1,
> enc 2, lib 1"
>  
> ca rootca0
>   cacert=cacert.pem
>  
> conn %default
>   leftcert=/etc/ipsec.d/certs/oms_cert.pem
>   auto=add
>   pfs=no
>   keyingtries=%forever
>   forceencaps=no
>   mobike=no
>  
> conn conn502
>   type=tunnel
>   leftsubnet=10.10.10.7/24
>   rightsubnet=10.10.10.6/24
>   left=10.10.10.7
>   right=10.10.10.6
>   keyexchange=ikev1
>   reauth=no
>   ike=3des-sha1-modp1024!
>   ikelifetime=83376s
>   esp=3des-sha1!
>   authby=pubkey
>   rightid=%any
>   keylife=86400s
>   dpdaction=restart
>   dpddelay=10s
>   dpdtimeout=120s
>   rekeyfuzz=50%
>   rekeymargin=180s
>   leftprotoport=1
>   rightprotoport=1
>  
> *Statusall of PC1:*
> [root at linuxpc2 etc]# ipsec statusall
> 000 Status of IKEv1 pluto daemon (strongSwan 4.6.2):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth1/eth1 10.10.10.6:500
> 000 interface eth2/eth2 10.125.40.64:500
> 000 interface virbr0/virbr0 192.168.122.1:500
> 000 %myid = '%any'
> 000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp
> dnskey pem gmp hmac xauth attr kernel-netlink resolve
> 000 debug options: controlmore
> 000
> 000 "conn100": 10.10.10.0/24===10.10.10.6[C=IN, ST=BLR, O=Wipro
> Technologies, OU=RA,
> CN=ftm]:1/0...10.10.10.7[10.10.10.7]:1/0===10.10.10.0/24; erouted;
> eroute owner: #6
> 000 "conn100":   CAs: "O=Wipro Technologies, OU=RA,
> E=karanjot.singh at wipro.com, L=BLR,
> ST=BLR, C=IN, CN=NSN ODC Test CA"...%any
> 000 "conn100":   ike_life: 83376s; ipsec_life: 300s; rekey_margin: 180s;
> rekey_fuzz: 50%; keyingtries: 0
> 000 "conn100":   dpd_action: restart; dpd_delay: 10s; dpd_timeout: 120s;
> 000 "conn100":   policy: PUBKEY+ENCRYPT+TUNNEL+UP; prio: 24,24;
> interface: eth1;
> 000 "conn100":   newest ISAKMP SA: #1; newest IPsec SA: #6;
> 000 "conn100":   IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
> 000 "conn100":   ESP proposal: 3DES_CBC/HMAC_SHA1/<N/A>
> 000
> 000 #6: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established);
> EVENT_SA_REPLACE in 70s; newest IPSEC; eroute owner
> 000 #6: "conn100" esp.cd1fefd2 at 10.10.10.7 (0 bytes) esp.c361a998 at 10.10.10.6 (0 bytes); tunnel
> 000 #5: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established);
> EVENT_SA_EXPIRE in 231s
> 000 #5: "conn100" esp.c1c20f9a at 10.10.10.7 (0 bytes) esp.c9efac8d at 10.10.10.6 (0 bytes); tunnel
> 000 #4: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established);
> EVENT_SA_EXPIRE in 185s
> 000 #4: "conn100" esp.c1a2c0d0 at 10.10.10.7 (0 bytes) esp.c9adba01 at 10.10.10.6 (0 bytes); tunnel
> 000 #3: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established);
> EVENT_SA_EXPIRE in 138s
> 000 #3: "conn100" esp.c96eb76e at 10.10.10.7 (0 bytes) esp.c2df58a4 at 10.10.10.6 (0 bytes); tunnel
> 000 #2: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established);
> EVENT_SA_EXPIRE in 85s
> 000 #2: "conn100" esp.c29abdd9 at 10.10.10.7 (0 bytes) esp.c11e8f13 at 10.10.10.6 (0 bytes); tunnel
> 000 #1: "conn100" STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in 82911s; newest ISAKMP; DPD active
> 000
> Status of IKEv2 charon daemon (strongSwan 4.6.2):
>   uptime: 3 minutes, since Jun 13 15:39:21 2012
>   malloc: sbrk 135168, mmap 0, used 76544, free 58624
>   worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0,
> scheduled: 0
>   loaded plugins: aes des sha1 sha2 md5 random x509 revocation
> constraints pubkey pkcs1 pkcs8 pgp pem fips-prf gmp xcbc hmac attr
> kernel-netlink resolve socket-raw stroke updown
> Listening IP addresses:
>   10.10.10.6
>   10.125.40.64
>   192.168.122.1
> Connections:
> Security Associations (0 up, 0 connecting):
>   none
>  
> *Statusall of PC2:*
> [root at Fed14 etc]# ipsec statusall
> 000 Status of IKEv1 pluto daemon (strongSwan 4.6.2):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth1/eth1 10.10.10.7:500
> 000 interface eth0/eth0 10.125.47.47:500
> 000 interface eth2/eth2 20.20.20.2:500
> 000 interface eth1.400/eth1.400 12.1.1.10:500
> 000 interface eth1.500/eth1.500 16.1.1.10:500
> 000 interface eth2.400/eth2.400 11.1.1.1:500
> 000 interface eth2.500/eth2.500 22.1.1.1:500
> 000 %myid = '%any'
> 000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp
> dnskey pem gmp hmac xauth attr kernel-netlink resolve
> 000 debug options: none
> 000
> 000 "conn502": 10.10.10.0/24===10.10.10.7[C=IN, ST=BLR, O=Wipro
> Technologies, OU=RA,
> CN=oms]:1/0...10.10.10.6[10.10.10.6]:1/0===10.10.10.0/24; erouted;
> eroute owner: #6
> 000 "conn502":   CAs: "O=Wipro Technologies, OU=RA,
> E=karanjot.singh at wipro.com, L=BLR,
> ST=BLR, C=IN, CN=NSN ODC Test CA"...%any
> 000 "conn502":   ike_life: 83376s; ipsec_life: 86400s; rekey_margin:
> 180s; rekey_fuzz: 50%; keyingtries: 0
> 000 "conn502":   dpd_action: restart; dpd_delay: 10s; dpd_timeout: 120s;
> 000 "conn502":   policy: PUBKEY+ENCRYPT+TUNNEL; prio: 24,24; interface:
> eth1;
> 000 "conn502":   newest ISAKMP SA: #1; newest IPsec SA: #6;
> 000 "conn502":   IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
> 000 "conn502":   ESP proposal: 3DES_CBC/HMAC_SHA1/<N/A>
> 000
> 000 #6: "conn502" STATE_QUICK_R2 (IPsec SA established);
> EVENT_SA_REPLACE in 202s; newest IPSEC; eroute owner
> 000 #6: "conn502" esp.c361a998 at 10.10.10.6 (0 bytes) esp.cd1fefd2 at 10.10.10.7 (0 bytes); tunnel
> 000 #5: "conn502" STATE_QUICK_R2 (IPsec SA established);
> EVENT_SA_REPLACE in 149s
> 000 #5: "conn502" esp.c9efac8d at 10.10.10.6 (0 bytes) esp.c1c20f9a at 10.10.10.7 (0 bytes); tunnel
> 000 #4: "conn502" STATE_QUICK_R2 (IPsec SA established);
> EVENT_SA_REPLACE in 103s
> 000 #4: "conn502" esp.c9adba01 at 10.10.10.6 (0 bytes) esp.c1a2c0d0 at 10.10.10.7 (0 bytes); tunnel
> 000 #3: "conn502" STATE_QUICK_R2 (IPsec SA established);
> EVENT_SA_REPLACE in 55s
> 000 #3: "conn502" esp.c2df58a4 at 10.10.10.6 (0 bytes) esp.c96eb76e at 10.10.10.7 (0 bytes); tunnel
> 000 #2: "conn502" STATE_QUICK_R2 (IPsec SA established);
> EVENT_SA_REPLACE in 3s
> 000 #2: "conn502" esp.c11e8f13 at 10.10.10.6 (0 bytes) esp.c29abdd9 at 10.10.10.7 (0 bytes); tunnel
> 000 #1: "conn502" STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
> EVENT_SA_REPLACE in 83079s; newest ISAKMP; DPD active
> 000
> Status of IKEv2 charon daemon (strongSwan 4.6.2):
>   uptime: 3 minutes, since Jun 13 15:40:12 2012
>   malloc: sbrk 135168, mmap 0, used 81296, free 53872
>   worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0,
> scheduled: 0
>   loaded plugins: aes des sha1 sha2 md5 random x509 revocation
> constraints pubkey pkcs1 pkcs8 pgp pem fips-prf gmp xcbc hmac attr
> kernel-netlink resolve socket-raw stroke updown
> Listening IP addresses:
>   10.10.10.7
>   10.125.47.47
>   20.20.20.2
>   12.1.1.10
>   16.1.1.10
>   11.1.1.1
>   22.1.1.1
> Connections:
> Security Associations (0 up, 0 connecting):
>   none
>
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
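The rekeying arithmetic from Andreas's reply, worked through as an added example (not code from the original post or from strongSwan): it models rekeyfuzz as a random increase of rekeymargin by up to the fuzz percentage, rekeys every SA at the mean of that window, and counts how many IPsec SAs are alive at once. The class and function names are assumptions made for this example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example; models strongSwan's keylife/rekeymargin/rekeyfuzz semantics
# as described in the reply above: the effective margin is randomized between
# rekeymargin and rekeymargin*(1+fuzz), so with fuzz=50% a Quick Mode rekey
# starts between keylife - 1.5*margin and keylife - margin.

@dataclass(frozen=True)
class RekeyParams:
    keylife: int        # IPsec SA lifetime in seconds (keylife=)
    rekeymargin: int    # seconds before expiry at which rekeying starts (rekeymargin=)
    rekeyfuzz: float    # fraction, 0.5 for rekeyfuzz=50%

def rekey_window(p: RekeyParams) -> tuple[float, float, float]:
    """(earliest, latest, mean) seconds after establishment at which rekeying starts."""
    earliest = p.keylife - p.rekeymargin * (1 + p.rekeyfuzz)
    latest = p.keylife - p.rekeymargin
    mean = p.keylife - p.rekeymargin * (1 + p.rekeyfuzz / 2)
    return earliest, latest, mean

def schedule(p: RekeyParams, sa_count: int) -> list[tuple[float, int, str]]:
    """Events (time, sa_number, 'up' | 'expire'), assuming every SA is rekeyed
    exactly at the mean time and deleted exactly at keylife."""
    _, _, mean = rekey_window(p)
    events = []
    for n in range(1, sa_count + 1):
        start = (n - 1) * mean
        events.append((start, n, "up"))
        events.append((start + p.keylife, n, "expire"))
    # At equal times list the expiry first, as in the table in the reply.
    events.sort(key=lambda e: (e[0], e[2] != "expire", e[1]))
    return events

def max_concurrent(p: RekeyParams, sa_count: int = 8) -> int:
    """Peak number of IPsec SAs alive at the same time under the modelled schedule."""
    live = peak = 0
    for _, _, kind in schedule(p, sa_count):
        live += 1 if kind == "up" else -1
        peak = max(peak, live)
    return peak

if __name__ == "__main__":
    # Vinay's PC1 settings from the quoted ipsec.conf.
    pc1 = RekeyParams(keylife=300, rekeymargin=180, rekeyfuzz=0.5)
    print("rekey window (earliest, latest, mean):", rekey_window(pc1))
    for t, n, kind in schedule(pc1, 5):
        print(f"{t:5.0f}s  SA#{n} {kind}")
    print("concurrent IPsec SAs:", max_concurrent(pc1))
```

With the PC1 values this prints the 30s/120s/75s window and the four-SA overlap from the reply; the second test below uses strongSwan's documented defaults (keylife=1h, rekeymargin=9m, rekeyfuzz=100%) to show that a sane margin keeps the overlap at two SAs.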
