[strongSwan] IKEv1 strongswan status showing multiple IPSec SAs for the same tunnel

vinay.prabhakar at wipro.com vinay.prabhakar at wipro.com
Wed Jun 13 14:01:52 CEST 2012


Hi Andreas,

Thank you for the reply. 

If this is the case, how is it different from IKEv2?
With the same configuration in IKEv2, multiple SAs are not seen.

Thanks and Regards,
Vinay 

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Wednesday, June 13, 2012 4:50 PM
To: Vinay Prabhakar M (WT01 - GMT-Telecom Equipment)
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] IKEv1 strongswan status showing multiple IPSec SAs for the same tunnel

Hello Vinay,

your rekeying parameters are most unusual:

  keylife=300s
  rekeymargin=180s
  rekeyfuzz=50%

This means that Quick Mode rekeying starts between

  300s - 1.5*180s = 30s and 300s - 180s = 120s

after the establishment of an IPsec SA with an expected mean value of 300s - 1.25*180s = 75s.

This gives the following rekeying schedule:

Time  Quick Mode
  0s  SA#1
 75s  SA#2  (rekeying of SA#1)
150s  SA#3  (rekeying of SA#2)
225s  SA#4  (rekeying of SA#3)
300s  SA#1  expires and is deleted
300s  SA#5  (rekeying of SA#4)

As you can easily see, 4 concurrent IPsec SAs are to be expected with your rekeying settings.

Best regards

Andreas

On 13.06.2012 12:55, vinay.prabhakar at wipro.com wrote:
> Hi,
>  
> I am facing an issue with IKEv1 where multiple IPsec SAs are seen for
> the same tunnel.
> I had set up two Linux PCs with strongSwan 4.6.2 and the configurations
> below. I have also attached the pluto logs of both PCs.
>  
> I would really appreciate some help.
>  
> Thanks,
> Vinay
>  
> *PC1:*
> [root at linuxpc2 etc]# cat ipsec.conf
> config setup
>   plutostart=yes
>   plutodebug=controlmore
>   nat_traversal=no
>   uniqueids=no
>   charonstart=yes
>   plutostderrlog=/tmp/plutolog.txt
>   charondebug="dmn 1, mgr 1, ike 1, chd 1, job 1, cfg 1, knl 1, net 1, enc 1, lib 1"
>  
> ca rootca0
>   cacert=cacert.pem
>   auto=start
>  
> conn %default
>   leftcert=/usr/local/etc/ipsec.d/certs/bts_cert.pem
>   auto=start
>   pfs=no
>   keyingtries=%forever
>   forceencaps=no
>   mobike=no
>  
> conn conn100
>   type=tunnel
>   leftsubnet=10.10.10.6/24
>   rightsubnet=10.10.10.7/24
>   left=10.10.10.6
>   right=10.10.10.7
>   keyexchange=ikev1
>   reauth=no
>   ike=3des-sha1-modp1024!
>   ikelifetime=83376s
>   esp=3des-sha1!
>   authby=pubkey
>   rightid=%any
>   keylife=300s
>   dpdaction=restart
>   dpddelay=10s
>   dpdtimeout=120s
>   rekeyfuzz=50%
>   rekeymargin=180s
>   leftprotoport=1
>   rightprotoport=1
>  
> *PC2:*
> [root at Fed14 etc]# cat ipsec.conf
> config setup
>   plutostart=yes
>   plutodebug=none
>   nat_traversal=no
>   uniqueids=no
>   charonstart=yes
>   plutostderrlog=/tmp/plutolog.txt
>   charondebug="dmn 1, mgr 1, ike 2, chd 1, job 1, cfg 2, knl 1, net 1, enc 2, lib 1"
>  
> ca rootca0
>   cacert=cacert.pem
>  
> conn %default
>   leftcert=/etc/ipsec.d/certs/oms_cert.pem
>   auto=add
>   pfs=no
>   keyingtries=%forever
>   forceencaps=no
>   mobike=no
>  
> conn conn502
>   type=tunnel
>   leftsubnet=10.10.10.7/24
>   rightsubnet=10.10.10.6/24
>   left=10.10.10.7
>   right=10.10.10.6
>   keyexchange=ikev1
>   reauth=no
>   ike=3des-sha1-modp1024!
>   ikelifetime=83376s
>   esp=3des-sha1!
>   authby=pubkey
>   rightid=%any
>   keylife=86400s
>   dpdaction=restart
>   dpddelay=10s
>   dpdtimeout=120s
>   rekeyfuzz=50%
>   rekeymargin=180s
>   leftprotoport=1
>   rightprotoport=1
>  
> *Statusall of PC1:*
> [root at linuxpc2 etc]# ipsec statusall
> 000 Status of IKEv1 pluto daemon (strongSwan 4.6.2):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth1/eth1 10.10.10.6:500
> 000 interface eth2/eth2 10.125.40.64:500
> 000 interface virbr0/virbr0 192.168.122.1:500
> 000 %myid = '%any'
> 000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
> 000 debug options: controlmore
> 000
> 000 "conn100": 10.10.10.0/24===10.10.10.6[C=IN, ST=BLR, O=Wipro Technologies, OU=RA, CN=ftm]:1/0...10.10.10.7[10.10.10.7]:1/0===10.10.10.0/24; erouted; eroute owner: #6
> 000 "conn100":   CAs: "O=Wipro Technologies, OU=RA, E=karanjot.singh@wipro.com, L=BLR, ST=BLR, C=IN, CN=NSN ODC Test CA"...%any
> 000 "conn100":   ike_life: 83376s; ipsec_life: 300s; rekey_margin: 180s; rekey_fuzz: 50%; keyingtries: 0
> 000 "conn100":   dpd_action: restart; dpd_delay: 10s; dpd_timeout: 120s;
> 000 "conn100":   policy: PUBKEY+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth1;
> 000 "conn100":   newest ISAKMP SA: #1; newest IPsec SA: #6;
> 000 "conn100":   IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
> 000 "conn100":   ESP proposal: 3DES_CBC/HMAC_SHA1/<N/A>
> 000
> 000 #6: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 70s; newest IPSEC; eroute owner
> 000 #6: "conn100" esp.cd1fefd2@10.10.10.7 (0 bytes) esp.c361a998@10.10.10.6 (0 bytes); tunnel
> 000 #5: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 231s
> 000 #5: "conn100" esp.c1c20f9a@10.10.10.7 (0 bytes) esp.c9efac8d@10.10.10.6 (0 bytes); tunnel
> 000 #4: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 185s
> 000 #4: "conn100" esp.c1a2c0d0@10.10.10.7 (0 bytes) esp.c9adba01@10.10.10.6 (0 bytes); tunnel
> 000 #3: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 138s
> 000 #3: "conn100" esp.c96eb76e@10.10.10.7 (0 bytes) esp.c2df58a4@10.10.10.6 (0 bytes); tunnel
> 000 #2: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 85s
> 000 #2: "conn100" esp.c29abdd9@10.10.10.7 (0 bytes) esp.c11e8f13@10.10.10.6 (0 bytes); tunnel
> 000 #1: "conn100" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 82911s; newest ISAKMP; DPD active
> 000 Status of IKEv2 charon daemon (strongSwan 4.6.2):
>   uptime: 3 minutes, since Jun 13 15:39:21 2012
>   malloc: sbrk 135168, mmap 0, used 76544, free 58624
>   worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
> Listening IP addresses:
>   10.10.10.6
>   10.125.40.64
>   192.168.122.1
> Connections:
> Security Associations (0 up, 0 connecting):
>   none
>  
> *Statusall of PC2:*
> [root at Fed14 etc]# ipsec statusall
> 000 Status of IKEv1 pluto daemon (strongSwan 4.6.2):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth1/eth1 10.10.10.7:500
> 000 interface eth0/eth0 10.125.47.47:500
> 000 interface eth2/eth2 20.20.20.2:500
> 000 interface eth1.400/eth1.400 12.1.1.10:500
> 000 interface eth1.500/eth1.500 16.1.1.10:500
> 000 interface eth2.400/eth2.400 11.1.1.1:500
> 000 interface eth2.500/eth2.500 22.1.1.1:500
> 000 %myid = '%any'
> 000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
> 000 debug options: none
> 000
> 000 "conn502": 10.10.10.0/24===10.10.10.7[C=IN, ST=BLR, O=Wipro Technologies, OU=RA, CN=oms]:1/0...10.10.10.6[10.10.10.6]:1/0===10.10.10.0/24; erouted; eroute owner: #6
> 000 "conn502":   CAs: "O=Wipro Technologies, OU=RA, E=karanjot.singh@wipro.com, L=BLR, ST=BLR, C=IN, CN=NSN ODC Test CA"...%any
> 000 "conn502":   ike_life: 83376s; ipsec_life: 86400s; rekey_margin: 180s; rekey_fuzz: 50%; keyingtries: 0
> 000 "conn502":   dpd_action: restart; dpd_delay: 10s; dpd_timeout: 120s;
> 000 "conn502":   policy: PUBKEY+ENCRYPT+TUNNEL; prio: 24,24; interface: eth1;
> 000 "conn502":   newest ISAKMP SA: #1; newest IPsec SA: #6;
> 000 "conn502":   IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
> 000 "conn502":   ESP proposal: 3DES_CBC/HMAC_SHA1/<N/A>
> 000
> 000 #6: "conn502" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 202s; newest IPSEC; eroute owner
> 000 #6: "conn502" esp.c361a998@10.10.10.6 (0 bytes) esp.cd1fefd2@10.10.10.7 (0 bytes); tunnel
> 000 #5: "conn502" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 149s
> 000 #5: "conn502" esp.c9efac8d@10.10.10.6 (0 bytes) esp.c1c20f9a@10.10.10.7 (0 bytes); tunnel
> 000 #4: "conn502" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 103s
> 000 #4: "conn502" esp.c9adba01@10.10.10.6 (0 bytes) esp.c1a2c0d0@10.10.10.7 (0 bytes); tunnel
> 000 #3: "conn502" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 55s
> 000 #3: "conn502" esp.c2df58a4@10.10.10.6 (0 bytes) esp.c96eb76e@10.10.10.7 (0 bytes); tunnel
> 000 #2: "conn502" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3s
> 000 #2: "conn502" esp.c11e8f13@10.10.10.6 (0 bytes) esp.c29abdd9@10.10.10.7 (0 bytes); tunnel
> 000 #1: "conn502" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 83079s; newest ISAKMP; DPD active
> 000 Status of IKEv2 charon daemon (strongSwan 4.6.2):
>   uptime: 3 minutes, since Jun 13 15:40:12 2012
>   malloc: sbrk 135168, mmap 0, used 81296, free 53872
>   worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
> Listening IP addresses:
>   10.10.10.7
>   10.125.47.47
>   20.20.20.2
>   12.1.1.10
>   16.1.1.10
>   11.1.1.1
>   22.1.1.1
> Connections:
> Security Associations (0 up, 0 connecting):
>   none
>
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==


Please do not print this email unless it is absolutely necessary. 

The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. 

WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. 

www.wipro.com
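Added example (not part of the thread, and not strongSwan code): a small Python checker that applies the rekeying arithmetic from Andreas's reply to an ipsec.conf conn section. It computes the window in which Quick Mode rekeying starts (keylife minus rekeymargin scaled by a random factor between 1 and 1+rekeyfuzz), the expected mean, the deterministic schedule using that mean, and from it the number of IPsec SAs that will coexist before the first one expires. The configuration fragment is constructed from the thread's conn100 values; the fallback defaults (keylife 1h, rekeymargin 9m, rekeyfuzz 100%) are strongSwan's documented ipsec.conf defaults. Function names and the output format are this example's own choices.

```python
"""Estimate how many IPsec SAs coexist under a given strongSwan rekey configuration.

Rekeying of a Quick Mode SA starts keylife - rekeymargin * r seconds after the
SA is established, with r uniformly random in [1, 1 + rekeyfuzz].  Every SA
still lives for the full keylife, so a short mean rekey interval relative to
keylife piles up concurrent SAs.
"""
import math
import re

# Constructed ipsec.conf fragment using the thread's conn100 rekey values.
SAMPLE_CONF = """\
conn conn100
  keyexchange=ikev1
  keylife=300s
  rekeymargin=180s
  rekeyfuzz=50%
"""

_TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_time(value):
    """'300s', '9m', '1h', '1d' -> seconds; a bare number is taken as seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * _TIME_UNITS[m.group(2) or "s"]


def parse_rekey_params(conf_text, conn):
    """Read keylife/rekeymargin/rekeyfuzz from one conn section.
    Keys that are absent fall back to strongSwan's defaults (1h, 9m, 100%)."""
    params = {"keylife": 3600, "rekeymargin": 540, "rekeyfuzz": 1.0}
    in_section = False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("conn ", "ca ", "config ")):
            in_section = stripped == f"conn {conn}"
            continue
        if not in_section or "=" not in stripped:
            continue
        key, _, val = stripped.partition("=")
        key, val = key.strip(), val.strip()
        if key == "keylife":
            params["keylife"] = parse_time(val)
        elif key == "rekeymargin":
            params["rekeymargin"] = parse_time(val)
        elif key == "rekeyfuzz":
            params["rekeyfuzz"] = int(val.rstrip("%")) / 100.0
    return params


def rekey_window(keylife, margin, fuzz):
    """Return (earliest, latest, mean) seconds after SA establishment at which
    rekeying starts: keylife - margin*(1+fuzz), keylife - margin, and the mean
    keylife - margin*(1+fuzz/2)."""
    earliest = keylife - margin * (1 + fuzz)
    latest = keylife - margin
    mean = keylife - margin * (1 + fuzz / 2)
    if earliest <= 0:
        raise ValueError("rekeymargin*(1+rekeyfuzz) >= keylife: rekeying would "
                         "start before the SA is established")
    return earliest, latest, mean


def rekey_schedule(keylife, margin, fuzz):
    """Deterministic (mean-interval) schedule of (time, event) tuples up to the
    moment the first SA expires, mirroring the table in the reply above."""
    _, _, mean = rekey_window(keylife, margin, fuzz)
    events = [(0, "SA#1 established")]
    n, t = 1, mean
    while t <= keylife:
        n += 1
        events.append((t, f"SA#{n} (rekeying of SA#{n - 1})"))
        t += mean
    events.append((keylife, "SA#1 expires and is deleted"))
    # At equal times list the expiry before the new SA, as the reply does.
    events.sort(key=lambda e: (e[0], "expires" not in e[1]))
    return events


def max_concurrent_sas(keylife, margin, fuzz):
    """SAs alive just before the first one expires: ceil(keylife / mean interval).
    A sane configuration yields 2 (the old SA plus its replacement)."""
    _, _, mean = rekey_window(keylife, margin, fuzz)
    return math.ceil(keylife / mean)


if __name__ == "__main__":
    p = parse_rekey_params(SAMPLE_CONF, "conn100")
    earliest, latest, mean = rekey_window(p["keylife"], p["rekeymargin"], p["rekeyfuzz"])
    print(f"rekeying starts between {earliest:.0f}s and {latest:.0f}s, mean {mean:.0f}s")
    print("Time  Quick Mode")
    for t, what in rekey_schedule(p["keylife"], p["rekeymargin"], p["rekeyfuzz"]):
        print(f"{t:>4.0f}s  {what}")
    n = max_concurrent_sas(p["keylife"], p["rekeymargin"], p["rekeyfuzz"])
    print(f"expected concurrent IPsec SAs: {n}" + ("  <-- more than 2, widen keylife or shrink rekeymargin" if n > 2 else ""))
```

For the thread's values the script reports a 30s..120s window with a 75s mean and four concurrent SAs; for PC2's keylife=86400s (and for the defaults) it reports two, which is the normal brief overlap of an SA and its replacement.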
