[strongSwan] Multiple child SAs

Brian Sanders brian.sanders at gmail.com
Fri Aug 2 16:43:31 CEST 2013


Some additional information: I looked back at my syslog to try to see
when/why the two SAs were created in the first place.  From this log it
appears to me that after re-making the IKE_SA and child SA (because they
should be deleted when re-auth is done), it then generates a 2nd CHILD_SA
{3} when it had {8} already?


##### syslog below ######

charon: 14[IKE] reauthenticating IKE_SA server1[1]
charon: 14[IKE] deleting IKE_SA server1[1] between 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
charon: 14[IKE] sending DELETE for IKE_SA server1[1]
charon: 14[ENC] generating INFORMATIONAL request 150 [ D ]
charon: 14[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (80 bytes)
charon: 10[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (80 bytes)
charon: 10[ENC] parsed INFORMATIONAL response 150 [ ]
charon: 10[IKE] IKE_SA deleted
charon: 10[IKE] restarting CHILD_SA server1
charon: 10[IKE] initiating IKE_SA server1[12] to 2.2.2.2
charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
charon: 10[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (560 bytes)
charon: 03[KNL] creating acquire job for policy 10.220.0.53/32[gre] === 10.220.0.54/32[gre] with reqid {3}
charon: 15[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (568 bytes)
charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
charon: 15[CFG] no IDi configured, fall back on IP address
charon: 15[IKE] authentication of '1.1.1.1' (myself) with pre-shared key
charon: 15[IKE] establishing CHILD_SA server1
charon: 15[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
charon: 15[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (320 bytes)
charon: 11[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (256 bytes)
charon: 11[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
charon: 11[IKE] authentication of '2.2.2.2' with pre-shared key successful
charon: 11[IKE] IKE_SA server1[12] established between 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
charon: 11[IKE] scheduling reauthentication in 10176s
charon: 11[IKE] maximum IKE_SA lifetime 10716s
charon: 11[IKE] CHILD_SA server1{8} established with SPIs c5de30e9_i c83d99c0_o and TS 10.220.0.53/32 === 10.220.0.54/32
charon: 11[IKE] received AUTH_LIFETIME of 10194s, scheduling reauthentication in 9654s
charon: 11[IKE] peer supports MOBIKE
charon: 11[IKE] establishing CHILD_SA server1{3}
charon: 11[ENC] generating CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
charon: 11[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (624 bytes)
charon: 09[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (592 bytes)
charon: 09[ENC] parsed CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]
charon: 09[IKE] CHILD_SA server1{3} established with SPIs c5305aff_i ca8e128e_o and TS 10.220.0.53/32 === 10.220.0.54/32
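
Added example, not part of the original post and not strongSwan code: a small Python check that scans charon syslog output for the pattern shown above, two CHILD_SAs established for the same traffic selectors under one connection after a re-authentication, and notes whether either one shares its number with a kernel acquire job. The function names are hypothetical, and treating the number in braces as the reqid is an assumption taken from the acquire line in this log.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the syslog in the post, e-mail wrapping kept.
SAMPLE_LOG = """\
charon: 03[KNL] creating acquire job for policy 10.220.0.53/32[gre] ===
10.220.0.54/32[gre] with reqid {3}
charon: 11[IKE] IKE_SA server1[12] established between
1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
charon: 11[IKE] CHILD_SA server1{8} established with SPIs c5de30e9_i
c83d99c0_o and TS 10.220.0.53/32 === 10.220.0.54/32
charon: 09[IKE] CHILD_SA server1{3} established with SPIs c5305aff_i
ca8e128e_o and TS 10.220.0.53/32 === 10.220.0.54/32
"""

# Assumption: the number in braces after the connection name is the reqid.
IKE_UP = re.compile(r"\[IKE\] IKE_SA (\S+)\[\d+\] established")
CHILD_UP = re.compile(r"\[IKE\] CHILD_SA (\S+)\{(\d+)\} established with SPIs "
                      r"([0-9a-f]+)_i ([0-9a-f]+)_o and TS (.+)$")
ACQUIRE = re.compile(r"\[KNL\] creating acquire job .* with reqid \{(\d+)\}")

def unwrap(text):
    """Re-join lines wrapped by the mail client; a record starts with 'charon:'."""
    records = []
    for line in text.splitlines():
        if line.startswith("charon:"):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def find_duplicate_children(text):
    """Return one finding per (connection, TS) that has more than one CHILD_SA
    established since that connection's IKE_SA was last established."""
    children = defaultdict(list)   # (conn, ts) -> [(reqid, spi_in, spi_out)]
    acquired = set()               # reqids named in kernel acquire jobs
    for rec in unwrap(text):
        if m := ACQUIRE.search(rec):
            acquired.add(m.group(1))
        elif m := IKE_UP.search(rec):
            # Assumption: re-auth tore down the old IKE_SA's children, so start over.
            for key in [k for k in children if k[0] == m.group(1)]:
                del children[key]
        elif m := CHILD_UP.search(rec):
            conn, reqid, spi_i, spi_o, ts = m.groups()
            children[(conn, ts)].append((reqid, spi_i, spi_o))
    return [{"conn": c, "ts": ts, "sas": sas,
             "acquire_reqids": sorted(r for r, _, _ in sas if r in acquired)}
            for (c, ts), sas in children.items() if len(sas) > 1]
```

Calling find_duplicate_children(SAMPLE_LOG) returns a single finding for server1 that lists both {8} and {3}, with {3} marked as also named in the acquire job.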