[strongSwan] Ikev2 SADs issue

Tobias Brunner tobias at strongswan.org
Thu Mar 29 10:40:01 CEST 2012

Hi Indira,

> I configured ipsec tunnel between (H1 and H2) using ikev2 template. And
> when I send some traffic, the IPSec-SAs are getting established without
> any issues.
> But when I issue "setkey -F" on the local node (H1), the remote node(H2)
> SADs are not getting flushed.
> There is no delete message sent to the remote end(H2) from H1.

First let me clarify that strongSwan assumes full control of the
kernel's SAD and SPD.  There is support to give up some control of the
SPD via the reqid and installpolicy keywords, but apart from that
strongSwan does not expect external changes to both of these stores.
Actually, due to the fact that the IKEv1 and IKEv2 protocols are being
handled by two separate daemons it would currently not be possible to do
it otherwise.

Now, setkey is a tool completely unrelated to strongSwan (it's from the
ipsec-tools package, same as racoon).  Since it modifies the kernel's
SAD and SPD directly (similar to iproute2 with 'ip xfrm') strongSwan is
simply not aware of those changes.

> And after this when I send traffic from my local node(H1) to the remote
> node, a new ipsec-sa is established and there will be two SAD entries on
> host H1 but there are 4 SAD entries on H2.
> Is this correct behaviour?

This is correct.  Since the policies are still installed new acquires
will be triggered which then cause strongSwan to initiate a new SA.
Those duplicates shouldn't cause any problems as the policies will
correctly point to the new SAs.

> Could you please help me in fixing this issue?

The fix is to use 'ipsec down' to tear down SAs manually (see [1]).


[1] http://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand
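The duplicate-SA situation described in this thread (H2 ending up with four SAD entries while H1 has two) is easy to spot from the kernel's own view. The script below is an added example, not part of the mailing-list message or of strongSwan: it reads the text layout that iproute2's `ip xfrm state` prints, counts ESP SAs per (src, dst, reqid) triple and lists the triples that carry more than one SA, which on H2 would be the stale pair left behind after H1's `setkey -F` plus the fresh pair strongSwan re-established from the acquire. The sample SAD dump, addresses, SPIs and keys are constructed for the example; on a real host you would pipe `ip xfrm state` into `duplicate_esp_sas` instead.

```shell
#!/bin/sh
# Added example (not from the thread or from strongSwan): find (src, dst, reqid)
# triples that have more than one ESP SA in the kernel SAD, using the text
# layout of `ip xfrm state` from iproute2.

# Constructed sample in the layout of `ip xfrm state`. Addresses, SPIs and
# keys are made up. It models H2 after H1 flushed its SAD and strongSwan
# set up a replacement SA pair: two ESP SAs per direction for reqid 1, and
# one unrelated, healthy SA to a third peer for reqid 2.
SAMPLE_XFRM_STATE='src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0x0a1b2c3d reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x11111111111111111111111111111111 128
    enc cbc(aes) 0x22222222222222222222222222222222
src 192.0.2.2 dst 192.0.2.1
    proto esp spi 0x0e0f1011 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x33333333333333333333333333333333 128
    enc cbc(aes) 0x44444444444444444444444444444444
src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0xc0ffee01 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x55555555555555555555555555555555 128
    enc cbc(aes) 0x66666666666666666666666666666666
src 192.0.2.2 dst 192.0.2.1
    proto esp spi 0xc0ffee02 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x77777777777777777777777777777777 128
    enc cbc(aes) 0x88888888888888888888888888888888
src 192.0.2.1 dst 198.51.100.7
    proto esp spi 0xdeadbe01 reqid 2 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x99999999999999999999999999999999 128
    enc cbc(aes) 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'

# count_esp_sas: reads `ip xfrm state` text on stdin and prints one line per
# "src dst reqid" triple followed by the number of ESP SAs it has.
# The "src ... dst ..." header line sets the current pair; the following
# "proto esp ... reqid N ..." line is the SA itself.
count_esp_sas() {
    awk '
        $1 == "src" && $3 == "dst" { src = $2; dst = $4 }
        $1 == "proto" && $2 == "esp" {
            reqid = "-"
            for (i = 1; i <= NF; i++) if ($i == "reqid") reqid = $(i + 1)
            n[src " " dst " " reqid]++
        }
        END { for (k in n) print k, n[k] }
    ' | sort
}

# duplicate_esp_sas: prints only the triples with more than one ESP SA,
# i.e. the stale-plus-fresh pairs that `ipsec down` (not `setkey -F`)
# would have avoided.
duplicate_esp_sas() {
    count_esp_sas | awk '$4 > 1'
}

# Run on the constructed sample: with the data above this prints
#   192.0.2.1 192.0.2.2 1 2
#   192.0.2.2 192.0.2.1 1 2
printf '%s\n' "$SAMPLE_XFRM_STATE" | duplicate_esp_sas
```

A triple showing a count above one is not itself an error (strongSwan also keeps the old SA briefly around during a rekey), so the useful check is whether the count stays elevated after the rekey window; the stale SAs from a one-sided flush never go away on their own because H2 never received a DELETE for them.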
