[strongSwan] a question with the IPsec tunnel established

梅香 747201427 at qq.com
Fri Feb 22 10:27:49 CET 2013


=======                        =========                       ========
|  AP | <====================> | router|<====================> |  GW  |
=======                        =========                       ========
First of all, the CHILD_SA fap-psk is established between the AP and the GW, and the GW shows me this message:
******************************************************
Jan 31 19:44:47 (none) daemon.info charon: 78[IKE] CHILD_SA fap-psk{3} established with SPIs ca0b653f_i c1c43dbb_o and TS 10.1.0.0/16 172.16.15.0/24 === 10.23.100.1/32  
Jan 31 19:44:47 (none) authpriv.info charon: 78[IKE] CHILD_SA fap-psk{3} established with SPIs ca0b653f_i c1c43dbb_o and TS 10.1.0.0/16 172.16.15.0/24 === 10.23.100.1/32  
******************************************************

Then I restarted the AP. I found the IPsec tunnel could not be established as usual, and I checked the messages on the GW:
******************************************************
Jan 31 19:49:18 (none) daemon.info charon: 130[KNL] unable to add SAD entry with SPI c1c43dbb: File exists (17) 
Jan 31 19:49:18 (none) daemon.info charon: 130[IKE] unable to install outbound IPsec SA (SAD) in kernel 
******************************************************
The SPI c1c43dbb is the same as last time.
But a minute later, the AP sends the IPsec init packet again. This time they can establish the IPsec tunnel with another SPI.

And my questions are:
1. After being restarted, is the AP allowed to send the same SPI?
2. Why could they not establish the IPsec tunnel with the same SPI?
3. If the AP always sends the same SPI to the GW, will they never be able to establish the IPsec tunnel? How can this situation be avoided?
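
Added example (not part of the original post, and not strongSwan's own code): a small log correlator that reads charon lines of the two shapes quoted above, remembers every inbound (`_i`) and outbound (`_o`) SPI reported in a "CHILD_SA ... established" line, and, for each later "unable to add SAD entry with SPI ...: File exists (17)" line, reports which earlier CHILD_SA already used that SPI. It handles the duplicated daemon.info/authpriv.info copies of the same event and also flags inbound-SPI collisions, which the post does not show. The sample log is the four lines from the post; the function and field names are my own.

```python
import re

# Regexes built from the two charon log shapes quoted in the post.
ESTABLISHED = re.compile(
    r"CHILD_SA (?P<name>[^{\s]+)\{(?P<inst>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]{8})_i (?P<spi_out>[0-9a-f]{8})_o"
)
SAD_FAIL = re.compile(
    r"unable to add SAD entry with SPI (?P<spi>[0-9a-f]{8}): "
    r"(?P<reason>.+?) \((?P<errno>\d+)\)"
)

# Sample input: the GW log lines quoted in the post above.
SAMPLE_LOG = [
    "Jan 31 19:44:47 (none) daemon.info charon: 78[IKE] CHILD_SA fap-psk{3} established "
    "with SPIs ca0b653f_i c1c43dbb_o and TS 10.1.0.0/16 172.16.15.0/24 === 10.23.100.1/32",
    "Jan 31 19:44:47 (none) authpriv.info charon: 78[IKE] CHILD_SA fap-psk{3} established "
    "with SPIs ca0b653f_i c1c43dbb_o and TS 10.1.0.0/16 172.16.15.0/24 === 10.23.100.1/32",
    "Jan 31 19:49:18 (none) daemon.info charon: 130[KNL] unable to add SAD entry "
    "with SPI c1c43dbb: File exists (17)",
    "Jan 31 19:49:18 (none) daemon.info charon: 130[IKE] unable to install outbound "
    "IPsec SA (SAD) in kernel",
]


def analyse_charon_log(lines):
    """Correlate failed SAD inserts with previously installed SPIs.

    Returns one finding per 'unable to add SAD entry' line:
      {"time", "spi", "errno", "reason", "collides_with"}
    where collides_with is (direction, child_sa, first_seen_time) if the SPI
    was reported earlier in a CHILD_SA established line, else None.
    """
    seen = {}  # spi -> (direction, "name{inst}", syslog timestamp)
    findings = []
    for line in lines:
        ts = line[:15]  # syslog prefix 'Mon DD HH:MM:SS'
        m = ESTABLISHED.search(line)
        if m:
            child = f"{m['name']}{{{m['inst']}}}"
            # setdefault keeps the first sighting, so the duplicated
            # authpriv.info copy of the same event does not overwrite it
            seen.setdefault(m["spi_in"], ("inbound", child, ts))
            seen.setdefault(m["spi_out"], ("outbound", child, ts))
            continue
        m = SAD_FAIL.search(line)
        if m:
            findings.append({
                "time": ts,
                "spi": m["spi"],
                "errno": int(m["errno"]),
                "reason": m["reason"],
                "collides_with": seen.get(m["spi"]),
            })
    return findings


def describe(findings):
    """Render findings as one line each, for a quick operator report."""
    out = []
    for f in findings:
        if f["collides_with"]:
            direction, child, first = f["collides_with"]
            out.append(f"{f['time']}: SAD insert of SPI {f['spi']} failed "
                       f"({f['reason']}, errno {f['errno']}); SPI already used as "
                       f"{direction} SPI of {child} installed at {first}")
        else:
            out.append(f"{f['time']}: SAD insert of SPI {f['spi']} failed "
                       f"({f['reason']}, errno {f['errno']}); SPI not seen earlier")
    return out


if __name__ == "__main__":
    for line in describe(analyse_charon_log(SAMPLE_LOG)):
        print(line)
```

Run against the post's lines it reports that the SPI c1c43dbb rejected at 19:49:18 is the outbound SPI of fap-psk{3} installed at 19:44:47, i.e. the failure is a collision with an SA still present in the GW's kernel SAD, not a new SPI. The same matching on `_i` catches the mirror case where a peer reuses an inbound SPI.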
