[strongSwan] Strongswan-IKEv2/Charon fails to start with "ipsec.conf" file having multiple child-sa/phase-2 connection entries (for 2 to 500 tunnels)

anand rao anandrao_me at yahoo.co.in
Sun Jun 2 18:39:33 CEST 2013


Hi,


I am using strongSwan version 4.6.4.

I am trying to test strongSwan with multiple connection entries configured in ipsec.conf.
In my test, the strongSwan IKEv2 charon daemon fails to start (or kills itself after attempting to start)
when trying to load an "ipsec.conf" file with multiple child-sa/phase-2 connection entries (for 2/50/100/200/500 tunnels).
The charon daemon (strongswan-ikev2) is killing/stopping itself after trying to start.
Errors like the ones below are observed in logread.

May 31 14:09:00 OpenWrt daemon.info charon: 11[KNL] unable to add policy: File exists (17)
May 31 14:09:00 OpenWrt daemon.info charon: 11[KNL] unable to add policy 192.168.2.0/24[udp/29000] === 192.168.1.0/24[udp/19000] fwd
May 31 14:09:00 OpenWrt authpriv.warn ipsec_starter[2044]: charon has died -- restart scheduled (5sec)
May 31 14:09:00 OpenWrt authpriv.warn ipsec_starter[2044]: connect(charon_ctl) failed: Connection refused
May 31 14:09:05 OpenWrt daemon.info charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.4)
May 31 14:09:05 OpenWrt daemon.info charon: 00[KNL] listening on interfaces:
May 31 14:09:05 OpenWrt daemon.info charon: 00[KNL]   eth1
May 31 14:09:05 OpenWrt daemon.info charon: 00[KNL]     169.254.0.1
May 31 14:09:05 OpenWrt daemon.info charon: 00[KNL]     fe80::2aa:bbff:fecc:ddee
May 31 14:09:05 OpenWrt daemon.info charon: 00[KNL]   eth0
May 31 14:09:05 OpenWrt daemon.info charon: 00[KNL]     10.1.161.253
May 31 14:09:05 OpenWrt daemon.info charon: 00[KNL]     2000:1001::1
May 31 14:09:05 OpenWrt daemon.info charon: 00[KNL]     fe80::2ed:cdff:feef:aacc
May 31 14:09:05 OpenWrt daemon.info charon: 00[KNL]   eth2
May 31 14:09:05 OpenWrt daemon.info charon: 00[KNL]     192.168.1.1
May 31 14:09:05 OpenWrt daemon.info charon: 00[KNL]     2000:2001::1
May 31 14:09:05 OpenWrt daemon.info charon: 00[KNL]     fe80::22a:2bff:fe2c:2d2e
May 31 14:09:05 OpenWrt daemon.info charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 31 14:09:05 OpenWrt daemon.info charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 31 14:09:05 OpenWrt daemon.info charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 31 14:09:05 OpenWrt daemon.info charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 31 14:09:05 OpenWrt daemon.info charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 31 14:09:05 OpenWrt daemon.info charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 31 14:09:05 OpenWrt daemon.info charon: 00[CFG]   loaded IKE secret for 1.1.1.1 1.1.1.2
May 31 14:09:05 OpenWrt daemon.info charon: 00[DMN] loaded plugins: aes des blowfish sha1 sha2 md5 random x509 pubkey pkcs1 pkcs8 pgp pem gmp xcbc hmac kernel-pfkey kernel-netlink socket-raw stroke updown
May 31 14:09:05 OpenWrt daemon.info charon: 00[JOB] spawning 16 worker threads
May 31 14:09:05 OpenWrt authpriv.warn ipsec_starter[2044]: charon (3672) started after 40 ms
May 31 14:09:05 OpenWrt daemon.info charon: 09[CFG] received stroke: add connection 'tunnel1'
May 31 14:09:05 OpenWrt daemon.info charon: 09[CFG] left nor right host is our side, assuming left=local
May 31 14:09:05 OpenWrt daemon.info charon: 09[CFG] added configuration 'tunnel1'
May 31 14:09:05 OpenWrt daemon.info charon: 11[CFG] received stroke: route 'tunnel1'
May 31 14:09:05 OpenWrt daemon.info charon: 11[KNL] unable to add policy: File exists (17)
May 31 14:09:05 OpenWrt daemon.info charon: 11[KNL] unable to add policy 192.168.1.0/24[udp/19000] === 192.168.2.0/24[udp/29000] out
May 31 14:09:05 OpenWrt daemon.info charon: 11[KNL] unable to add policy: File exists (17)
May 31 14:09:05 OpenWrt daemon.info charon: 11[KNL] unable to add policy 192.168.2.0/24[udp/29000] === 192.168.1.0/24[udp/19000] in
May 31 14:09:05 OpenWrt daemon.info charon: 11[KNL] unable to add policy: File exists (17)
May 31 14:09:05 OpenWrt daemon.info charon: 11[KNL] unable to add policy 192.168.2.0/24[udp/29000] === 192.168.1.0/24[udp/19000] fwd
May 31 14:09:06 OpenWrt authpriv.warn ipsec_starter[2044]: connect(charon_ctl) failed: Connection refused
May 31 14:09:06 OpenWrt authpriv.warn ipsec_starter[2044]: connect(charon_ctl) failed: Connection refused
May 31 14:09:06 OpenWrt authpriv.warn ipsec_starter[2044]: connect(charon_ctl) failed: Connection refused
May 31 14:09:06 OpenWrt authpriv.warn ipsec_starter[2044]: connect(charon_ctl) failed: Connection refused
May 31 14:09:06 OpenWrt authpriv.warn ipsec_starter[2044]: connect(charon_ctl) failed: Connection refused
May 31 14:09:06 OpenWrt authpriv.warn ipsec_starter[2044]: connect(charon_ctl) failed: Connection refused
---------------------------------------------------------------------------------------------------------------------------------------------------------------

Please help in understanding why this is happening when the same configuration loads correctly when configured with IKEv1.

Attached are the ipsec.conf, ipsec.secrets, strongswan.conf files used for testing.

Thanks,
Anand
-------------- next part --------------
A non-text attachment was scrubbed...
Name: strongswan_config_files.zip
Type: application/octet-stream
Size: 5175 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130603/61d9e5af/attachment.obj>
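
A triage script for logs like the one quoted in the message above, added here as an example (it is not part of the original post or of strongSwan). It pairs each "File exists (17)" line with the selector line that follows on the same charon thread and counts the starter's restart events. Attributing a failure to the connection last routed on that thread is an assumption of this example.

```python
import re
from collections import Counter

# Subset of the log lines quoted in the post above.
SAMPLE = """\
May 31 14:09:00 OpenWrt daemon.info charon: 11[KNL] unable to add policy: File exists (17)
May 31 14:09:00 OpenWrt daemon.info charon: 11[KNL] unable to add policy 192.168.2.0/24[udp/29000] === 192.168.1.0/24[udp/19000] fwd
May 31 14:09:00 OpenWrt authpriv.warn ipsec_starter[2044]: charon has died -- restart scheduled (5sec)
May 31 14:09:05 OpenWrt daemon.info charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.4)
May 31 14:09:05 OpenWrt daemon.info charon: 11[CFG] received stroke: route 'tunnel1'
May 31 14:09:05 OpenWrt daemon.info charon: 11[KNL] unable to add policy: File exists (17)
May 31 14:09:05 OpenWrt daemon.info charon: 11[KNL] unable to add policy 192.168.1.0/24[udp/19000] === 192.168.2.0/24[udp/29000] out
May 31 14:09:05 OpenWrt daemon.info charon: 11[KNL] unable to add policy: File exists (17)
May 31 14:09:05 OpenWrt daemon.info charon: 11[KNL] unable to add policy 192.168.2.0/24[udp/29000] === 192.168.1.0/24[udp/19000] fwd
May 31 14:09:06 OpenWrt authpriv.warn ipsec_starter[2044]: connect(charon_ctl) failed: Connection refused
"""

CHARON = re.compile(r"charon: (\d+)\[(\w+)\] (.*)$")   # thread id, log group, message
ERRNO = re.compile(r"unable to add policy: .* \((\d+)\)$")
POLICY = re.compile(r"unable to add policy (\S+) === (\S+) (in|out|fwd)$")
ROUTE = re.compile(r"received stroke: route '([^']+)'")

def triage(text):
    """Summarise kernel policy install failures and ipsec_starter events."""
    pending, routed = {}, {}            # per charon thread id
    policies, conns = Counter(), set()
    died = refused = 0
    for line in text.splitlines():
        died += "charon has died" in line
        refused += "connect(charon_ctl) failed" in line
        m = CHARON.search(line)
        if not m:
            continue
        tid, _group, msg = m.groups()
        if "Starting IKEv2 charon daemon" in msg:
            pending.clear(); routed.clear()   # new process, forget old state
        elif r := ROUTE.search(msg):
            routed[tid] = r.group(1)          # heuristic: blame this connection
        elif e := ERRNO.search(msg):
            pending[tid] = int(e.group(1))    # errno for the next selector line
        elif p := POLICY.search(msg):
            policies[p.groups() + (pending.pop(tid, None),)] += 1
            if tid in routed:
                conns.add(routed[tid])
    return {"policies": policies, "connections": conns,
            "died": died, "refused": refused}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A selector that is counted both before and after a "Starting IKEv2 charon daemon" line was already present when the restarted daemon tried to install it; `ip xfrm policy` lists what the kernel currently holds.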

