[strongSwan] can't establish tunnels with SS 5 - duplicate SP installed.
yordanos beyene
yordanosb at gmail.com
Wed Sep 19 07:06:16 CEST 2012
Hi Everyone,
I appreciate any tips to bring up net-net tunnels in my environment. I am
using strongswan 5.0.0.
I have the ipsec.conf and ipsec status output below. When I initiate
traffic from a host in one network to the other, I don't see IKE packets and
no tunnels get established. I do see a duplicate security policy (SP)
installed for one direction (total 3 policies), which is unusual. I
appreciate any tips on why I see the duplicate SP and how to resolve the issue.
The SP (setkey -DP) output from one vpn box is also below. I observe a
similar behavior on the other vpn box. When I use "auto=start", the
behavior is not consistent. Occasionally tunnels get established but I can't
pass traffic from end hosts.
root at jordan:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.0, Linux 2.6.34, x86_64):
uptime: 3 seconds, since Sep 19 12:35:05 2012
malloc: sbrk 270336, mmap 0, used 258480, free 11856
worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0,
scheduled: 0
loaded plugins: charon random nonce x509 revocation constraints pubkey
pkcs1 pkcs8 pgp dnskey pem xcbc cmac hmac attr kernel-netlink resolve
socket-default stroke updown xauth-generic xauth-eap openssl sha1 fips-prf
eap-mschapv2 eap-radius eap-md5 eap-aka eap-aka-3gpp2 eap-simaka-pseudonym
eap-simaka-reauth eap-identity
Listening IP addresses:
172.16.20.2
172.16.40.2
15.255.125.181
Connections:
net-net: 172.16.20.2...172.16.20.3 IKEv2
net-net: local: [main.com] uses pre-shared key authentication
net-net: remote: [branch.com] uses pre-shared key authentication
net-net: child: 172.16.40.10/32 === 172.16.50.10/32 TUNNEL
Routed Connections:
net-net{1}: ROUTED, TUNNEL
net-net{1}: 172.16.40.10/32 === 172.16.50.10/32
Security Associations (0 up, 0 connecting):
none
=======duplicate SP for one direction================
root at jordan:~# setkey -DP
172.16.50.10[any] 172.16.40.10[any] any
any priority=3843 index=0x800003a2 ipsec
esp/tunnel/172.16.20.3-172.16.20.2/unique:1
created: Sep 19 12:35:05 2012 lastused:
lifetime: 0(s) validtime: 0(s)
spid=0x800003a2 seq=1 pid=23287
refcnt=2
vrfid=0 linkvrfid=0
172.16.50.10[any] 172.16.40.10[any] any
in priority=3843 index=0x80000398 ipsec
esp/tunnel/172.16.20.3-172.16.20.2/unique:1
created: Sep 19 12:35:05 2012 lastused:
lifetime: 0(s) validtime: 0(s)
spid=0x80000398 seq=2 pid=23287
refcnt=2
vrfid=0 linkvrfid=0
172.16.40.10[any] 172.16.50.10[any] any
out priority=3843 index=0x80000391 ipsec
esp/tunnel/172.16.20.2-172.16.20.3/unique:1
created: Sep 19 12:35:05 2012 lastused:
lifetime: 0(s) validtime: 0(s)
spid=0x80000391 seq=3 pid=23287
refcnt=2
vrfid=0 linkvrfid=0
=====
# /etc/ipsec.conf
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        mobike=no

conn net-net
        keyexchange=ikev2
        left=172.16.20.2
        leftsubnet=172.16.40.10/32
        leftid=@main.com
        right=172.16.20.3
        rightsubnet=172.16.50.10/32
        rightid=@branch.com
        auto=route
======
Thanks!
Jordan.
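A small checker for this kind of output, added here as an example and not part of the original post or of strongSwan: it parses `setkey -DP` text, groups policies by selector pair and direction, and reports a repeated direction for the same pair as a genuine duplicate. strongSwan's kernel-netlink backend installs an in, an out and a fwd policy for every tunnel-mode CHILD_SA, so three entries per child with three distinct directions is the expected shape; the sample input is constructed from the post's output, and treating the `any` label as this kernel's name for the third (forward) policy is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the `setkey -DP` output quoted in the post
# (only the selector and direction lines matter to the parser).
SAMPLE = "\n".join([
    "172.16.50.10[any] 172.16.40.10[any] any",
    "\tany priority=3843 index=0x800003a2 ipsec",
    "\tesp/tunnel/172.16.20.3-172.16.20.2/unique:1",
    "172.16.50.10[any] 172.16.40.10[any] any",
    "\tin priority=3843 index=0x80000398 ipsec",
    "\tesp/tunnel/172.16.20.3-172.16.20.2/unique:1",
    "172.16.40.10[any] 172.16.50.10[any] any",
    "\tout priority=3843 index=0x80000391 ipsec",
    "\tesp/tunnel/172.16.20.2-172.16.20.3/unique:1",
])

# "src[port] dst[port] upper-proto" starts each policy; the direction line follows it.
SELECTOR = re.compile(r"^([^\[\s]+)\[[^\]]+\] ([^\[\s]+)\[[^\]]+\] (\S+)$")
DIRECTION = re.compile(r"^\s+(in|out|fwd|any) priority=(\d+) index=(0x[0-9a-fA-F]+)")

def parse_setkey_policies(text):
    """Parse `setkey -DP` output into one dict per security policy."""
    policies, cur = [], None
    for line in text.splitlines():
        m = SELECTOR.match(line)
        if m:                                   # a new policy begins with its selector
            cur = {"src": m.group(1), "dst": m.group(2), "upper": m.group(3)}
            policies.append(cur)
        elif cur is not None and (m := DIRECTION.match(line)):
            cur["dir"], cur["priority"], cur["index"] = m.group(1), int(m.group(2)), m.group(3)
    return policies

def find_duplicates(policies):
    """Policies sharing selector pair *and* direction are genuine duplicates;
    the usual in/out/fwd triple per tunnel-mode CHILD_SA is not flagged."""
    groups = defaultdict(list)
    for p in policies:
        groups[(p["src"], p["dst"], p.get("dir"))].append(p["index"])
    return {k: v for k, v in groups.items() if len(v) > 1}

def directions_per_flow(policies):
    """Map each selector pair to the set of directions installed for it."""
    flows = defaultdict(set)
    for p in policies:
        flows[(p["src"], p["dst"])].add(p.get("dir"))
    return dict(flows)
```

Feed it the real output with `parse_setkey_policies(open("setkey.txt").read())`; an empty result from `find_duplicates` means the three entries are the normal per-direction set rather than a duplicated policy.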