[strongSwan] what does multiple ESTABLISHED staet for a connection mean

Shukla, Sanjay Sanjay.Shukla at ipc.com
Thu Jun 28 15:38:19 CEST 2012


I do have start on both the peers as I need to connect on start of the ipsec on both sides. Is there an alternative approach ?

Also I think uniqueids are enabled by default, I have not turned them off.

[Shukla, Sanjay]  Also want to add seeing these, how to avoid these 
LocalIP_VIP_10.19.124.154{15}:   10.19.123.105/32 === 10.19.124.154/32
   (unnamed)[206]: CONNECTING, 10.19.123.105[%any]...10.19.124.154[%any]
   (unnamed)[206]: IKE SPIs: 8d7bc10796b0ff7f_i fd39018a99a49ba9_r*
   (unnamed)[206]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
   (unnamed)[206]: Tasks passive: IKE_CERT_PRE IKE_AUTHENTICATE IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
   (unnamed)[207]: CONNECTING, 10.19.123.108[%any]...10.19.124.154[%any]
   (unnamed)[207]: IKE SPIs: 6c1793c824fabd75_i e7b4e2f5520694b8_r*
   (unnamed)[207]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
   (unnamed)[207]: Tasks passive: IKE_CERT_PRE IKE_AUTHENTICATE IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
   (unnamed)[208]: CONNECTING, 10.19.123.105[%any]...10.19.124.154[%any]
   (unnamed)[208]: IKE SPIs: 8d7bc10796b0ff7f_i 302d0468e207740f_r*
   (unnamed)[208]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
   (unnamed)[208]: Tasks passive: IKE_CERT_PRE IKE_AUTHENTICATE IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
   (unnamed)[209]: CONNECTING, 10.19.123.108[%any]...10.19.124.154[%any]
   (unnamed)[209]: IKE SPIs: 6c1793c824fabd75_i 06cd534e7e97e95e_r*
   (unnamed)[209]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
   (unnamed)[209]: Tasks passive: IKE_CERT_PRE IKE_AUTHENTICATE IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
-sanjay


-----------------------------------------------------
Please consider the environment before printing this email.

-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org]
Sent: Friday, June 22, 2012 4:18 AM
To: Shukla, Sanjay
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] what does multiple ESTABLISHED staet for a connection mean

Hi,

> I am debugging an issue and was wondering what these multiple 
> ESTABLISHED states mean and if they have any detrimental effect. I 
> assume these imply there are multiple child SA’s ?

This means that you have two IKE_SAs established between your peers.
Might happen if both configurations use auto=start, or auto=route triggers tunnels simultaneously. Have a look for the "uniqueids" option in the ipsec.conf manpage to avoid multiple tunnels between the same identities.

Regards
Martin


_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


More information about the Users mailing list