[strongSwan] Multiple child SAs

Brian Sanders brian.sanders at gmail.com
Fri Aug 2 14:51:57 CEST 2013


I am having an issue where multiple child SAs are created for one IKE SA.
I have seen this case exist, and both the server and the endpoint are
using the same SAs and everything is OK.  Then there are times when my
tunnel goes down, and the server and endpoint are both sending with
different SAs, and no traffic passes between the servers.


I ran `ipsec statusall` while it was down and this is what is displayed:

server1[16]: ESTABLISHED 56 minutes ago, 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
         server1[16]: IKEv2 SPIs: 6879194497057724_i* e2db0981a5da0077_r, pre-shared key reauthentication in 100 minutes
         server1[16]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
         server1{13}:  INSTALLED, TUNNEL, ESP SPIs: c1933ff3_i c28aff87_o
         server1{13}:  AES_GCM_16_256, 4894 bytes_i (33 pkts, 740s ago), 66728 bytes_o (676 pkts, 1s ago), rekeying in 31 minutes
         server1{13}:   10.220.0.53/32 === 10.220.0.54/32
         server1{12}:  INSTALLED, TUNNEL, ESP SPIs: c2096503_i c5883dc9_o
         server1{12}:  AES_GCM_16_256, 19492 bytes_i (126 pkts, 3s ago), 76 bytes_o (1 pkt, 349s ago), rekeying in 34 minutes
         server1{12}:   10.220.0.53/32 === 10.220.0.54/32


Here you can see the SPI c1933ff3_i was used 740s ago, while the c28aff87_o
was used 1 second ago.  So the server (which this status was from) hasn't
seen any inbound packets on the {13} Child SA, but has been talking out of
it.  Conversely the {12} SA shows inbound packets 3s ago, while the
outbound channel is 349s old.  So I have 2 Child SAs for my IKE SA, and it
is sending from one and receiving on the other.  As I understand it, this
condition shouldn't exist and it never does in my test environment.  The
only difference I can determine between test and production is that the
test environment has very low latency between server and client, while the
production could have 100+ms latency to the other end.

Am I hitting some race condition here?  Can anyone help shed some light on
this for me?


If it helps, these are my settings for the tunnel.

conn server1
      keyexchange=ikev2
      authby=secret
      left=%defaultroute
      leftsubnet=10.220.0.53/32
      right=2.2.2.2
      rightsubnet=10.220.0.54/32
      auto=route
      dpdaction=clear
      ike=aes256-sha256-modp3072!
      esp=aes256gcm16-modp3072!


conn core
      keyexchange=ikev2
      authby=secret
      left=%defaultroute
      leftsubnet=10.220.0.54/32
      right=1.1.1.1
      rightsubnet=10.220.0.53/32
      auto=add
      dpdaction=clear
      rekey=no
      ike=aes256-sha256-modp3072!
      esp=aes256gcm16-modp3072!


As you can see I have gone as far as telling the remote machine to not even
initiate rekeying (it will respond to a request though) in an attempt to
stop this issue from taking my network down.
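A way to check a status dump for exactly the condition described in this post, as an added example that is not part of the original message or of strongSwan itself: the script below parses the CHILD_SA lines of `ipsec statusall` output, groups the CHILD_SAs of each connection by their traffic selectors, and flags a connection whose freshest inbound traffic and freshest outbound traffic are on different CHILD_SAs. The sample input is constructed from the status lines quoted above (with the mail wrapping undone); the regular expressions follow the line formats visible in that output, and the handling of an SA that has never carried traffic (no parenthesised packet count after `bytes_i`/`bytes_o`) is an assumption about strongSwan's output rather than something the post shows.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, rebuilt from the status excerpt quoted in the post with the
# mail client's line wrapping undone. It is not real captured output.
SAMPLE_STATUS = """\
server1[16]: ESTABLISHED 56 minutes ago, 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
         server1[16]: IKEv2 SPIs: 6879194497057724_i* e2db0981a5da0077_r, pre-shared key reauthentication in 100 minutes
         server1[16]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
         server1{13}:  INSTALLED, TUNNEL, ESP SPIs: c1933ff3_i c28aff87_o
         server1{13}:  AES_GCM_16_256, 4894 bytes_i (33 pkts, 740s ago), 66728 bytes_o (676 pkts, 1s ago), rekeying in 31 minutes
         server1{13}:   10.220.0.53/32 === 10.220.0.54/32
         server1{12}:  INSTALLED, TUNNEL, ESP SPIs: c2096503_i c5883dc9_o
         server1{12}:  AES_GCM_16_256, 19492 bytes_i (126 pkts, 3s ago), 76 bytes_o (1 pkt, 349s ago), rekeying in 34 minutes
         server1{12}:   10.220.0.53/32 === 10.220.0.54/32
"""

# "conn{id}: ..." lines belong to CHILD_SAs; "conn[id]: ..." lines are the IKE_SA.
CHILD_LINE = re.compile(r"^(?P<conn>[^\s\[{]+)\{(?P<id>\d+)\}:\s+(?P<rest>.*)$")
SPI_RE = re.compile(r"ESP SPIs: (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o")
# Assumption: the "(N pkts, Ns ago)" part is absent when an SA has never carried
# traffic in that direction, so it is optional here.
STATS_RE = re.compile(
    r"(?P<bytes_in>\d+) bytes_i(?: \((?P<pkts_in>\d+) pkts?, (?P<age_in>\d+)s ago\))?, "
    r"(?P<bytes_out>\d+) bytes_o(?: \((?P<pkts_out>\d+) pkts?, (?P<age_out>\d+)s ago\))?"
)
TS_RE = re.compile(r"^(?P<local>.+?) === (?P<remote>.+)$")


@dataclass
class ChildSA:
    conn: str
    child_id: int
    spi_in: str = ""
    spi_out: str = ""
    age_in: Optional[int] = None    # seconds since the last inbound packet, None if never
    age_out: Optional[int] = None   # seconds since the last outbound packet, None if never
    selectors: str = ""             # "local === remote" traffic selectors


def parse_statusall(text: str) -> List[ChildSA]:
    """Collect one ChildSA per {id} from the CHILD_SA lines of `ipsec statusall`."""
    sas: Dict[Tuple[str, int], ChildSA] = {}
    for raw in text.splitlines():
        m = CHILD_LINE.match(raw.strip())
        if not m:
            continue  # IKE_SA lines and anything else are not needed for this check
        key = (m["conn"], int(m["id"]))
        sa = sas.setdefault(key, ChildSA(m["conn"], int(m["id"])))
        rest = m["rest"]
        if (s := SPI_RE.search(rest)) is not None:
            sa.spi_in, sa.spi_out = s["spi_in"], s["spi_out"]
        elif (s := STATS_RE.search(rest)) is not None:
            sa.age_in = int(s["age_in"]) if s["age_in"] is not None else None
            sa.age_out = int(s["age_out"]) if s["age_out"] is not None else None
        elif (s := TS_RE.match(rest)) is not None:
            sa.selectors = f"{s['local']} === {s['remote']}"
    return list(sas.values())


def find_split_paths(sas: List[ChildSA]) -> List[dict]:
    """Flag connections where several CHILD_SAs cover the same selectors and the
    freshest inbound traffic and the freshest outbound traffic are on different SAs."""
    groups: Dict[Tuple[str, str], List[ChildSA]] = {}
    for sa in sas:
        groups.setdefault((sa.conn, sa.selectors), []).append(sa)
    findings = []
    for (conn, selectors), members in groups.items():
        seen_in = [s for s in members if s.age_in is not None]
        seen_out = [s for s in members if s.age_out is not None]
        if len(members) < 2 or not seen_in or not seen_out:
            continue  # a single SA, or no traffic seen at all, cannot be a split path
        newest_in = min(seen_in, key=lambda s: s.age_in)
        newest_out = min(seen_out, key=lambda s: s.age_out)
        if newest_in.child_id != newest_out.child_id:
            findings.append({
                "conn": conn,
                "selectors": selectors,
                "inbound_child": newest_in.child_id,
                "inbound_spi": newest_in.spi_in,
                "outbound_child": newest_out.child_id,
                "outbound_spi": newest_out.spi_out,
                "child_count": len(members),
            })
    return findings


if __name__ == "__main__":
    for f in find_split_paths(parse_statusall(SAMPLE_STATUS)):
        print(f"{f['conn']} {f['selectors']}: {f['child_count']} CHILD_SAs, "
              f"peer sends on {{{f['inbound_child']}}} (SPI {f['inbound_spi']}_i) "
              f"while we send on {{{f['outbound_child']}}} (SPI {f['outbound_spi']}_o)")
```

Run against the quoted status, the check reports that the peer's packets arrive on {12} while this host transmits on {13}, which is the split the post describes. Piping live `ipsec statusall` output into `parse_statusall` from a periodic job gives an early warning before a peer that has dropped its old SA stops passing traffic altogether; the check is purely observational and changes nothing on the host.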