[strongSwan] Multiple Child_SAs created and which is created first is installed and traffic drop is seen

अनुज anuj01 at gmail.com
Mon Oct 14 13:06:59 CEST 2013


Hi,

I am using StrongSwan version 4.5.3 9 (IKEv2) and a Checkpoint security
gateway as the peer. Both sides are configured as initiators. As the IKE
exchange happened simultaneously on both sides, multiple IKE SAs and
corresponding Child_SAs were created for a single policy: [3]{2} and [6]{5}.

As per my understanding, the Child_SA [6]{5}, which was created last, should be
installed. But that has not happened.

2013-10-11T07:18:40.065657+00:00 (none) [info]      charon:  15[IKE] IKE_SA
conn22[3] established between 192.168.239.53[CN=XYZ,
O=XYZ]...192.168.9.20[XYZ]
2013-10-11T07:18:40.065791+00:00 (none) [info]      charon:  15[IKE] IKE_SA
conn22[3] established between 192.168.239.53[CN=XYZ,
O=XYZ]...192.168.9.20[XYZ]
2013-10-11T07:18:40.975728+00:00 (none) [info]      charon:  09[IKE] IKE_SA
conn22[6] established between 192.168.239.53[CN=XYZ,
O=XYZ]...192.168.9.20[10.44.36.110]
2013-10-11T07:18:40.975774+00:00 (none) [info]      charon:  09[IKE] IKE_SA
conn22[6] established between 192.168.239.53[CN=XYZ,
O=XYZ]...192.168.9.20[10.44.36.110]
2013-10-11T07:18:40.980582+00:00 (none) [info]      pluto[24080]:  loading
ca certificates from '/etc/ipsec.d/cacerts'
2013-10-11T07:18:40.981972+00:00 (none) [info]      charon:  15[IKE]
CHILD_SA conn22{2} established with SPIs cd53557f_i 29c29aa0_o and TS
10.46.155.53/32 === 0.0.0.0/0
2013-10-11T07:18:40.982012+00:00 (none) [info]      charon:  15[IKE]
CHILD_SA conn22{2} established with SPIs cd53557f_i 29c29aa0_o and TS
10.46.155.53/32 === 0.0.0.0/0
2013-10-11T07:18:40.983937+00:00 (none) [info]      charon:  09[IKE]
CHILD_SA conn22{5} established with SPIs c2942838_i 7b35b9ab_o and TS
10.46.155.53/32 === 0.0.0.0/0
2013-10-11T07:18:40.984042+00:00 (none) [info]      charon:  09[IKE]
CHILD_SA conn22{5} established with SPIs c2942838_i 7b35b9ab_o and TS
10.46.155.53/32 === 0.0.0.0/0


From 'ip x p', we can see strongSwan has installed the Child_SA {2} instead
of Child_SA {5}:

 src 0.0.0.0/0 dst 10.46.155.53/32
         dir fwd priority 22
         tmpl src 192.168.9.20 dst 192.168.239.53
                 proto esp reqid 5 mode tunnel
 src 0.0.0.0/0 dst 10.46.155.53/32
         dir in priority 22
         tmpl src 192.168.9.20 dst 192.168.239.53
                 proto esp reqid 2 mode tunnel
 src 10.46.155.53/32 dst 0.0.0.0/0
         dir out priority 22
         tmpl src 192.168.239.53 dst 192.168.9.20
                 proto esp reqid 2 mode tunnel


Meanwhile, Checkpoint is using the SPI from the latest Child_SA {5}, and traffic
drop is seen. Can somebody please point out why this happened?

-- 
Anuj Aggarwal

 .''`.
: :Ⓐ :   # apt-get install hakuna-matata
`. `'`
   `-
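A small cross-check for the symptom in the post above, added here as an example and not code from the original post or from strongSwan: it parses the CHILD_SA log lines and the `ip xfrm policy` output quoted in the post and reports every kernel policy whose template reqid is not the CHILD_SA that charon established last. It assumes, as the quoted output suggests for strongSwan 4.x, that the number in braces is the kernel reqid, and that a single connection is involved.

```python
import re
# Constructed sample input, copied from the charon log and `ip xfrm policy` output in the post.
CHARON_LOG = """\
charon: 15[IKE] CHILD_SA conn22{2} established with SPIs cd53557f_i 29c29aa0_o and TS 10.46.155.53/32 === 0.0.0.0/0
charon: 09[IKE] CHILD_SA conn22{5} established with SPIs c2942838_i 7b35b9ab_o and TS 10.46.155.53/32 === 0.0.0.0/0
"""
XFRM_POLICY = """\
src 0.0.0.0/0 dst 10.46.155.53/32
        dir fwd priority 22
        tmpl src 192.168.9.20 dst 192.168.239.53
                proto esp reqid 5 mode tunnel
src 0.0.0.0/0 dst 10.46.155.53/32
        dir in priority 22
        tmpl src 192.168.9.20 dst 192.168.239.53
                proto esp reqid 2 mode tunnel
src 10.46.155.53/32 dst 0.0.0.0/0
        dir out priority 22
        tmpl src 192.168.239.53 dst 192.168.9.20
                proto esp reqid 2 mode tunnel
"""
CHILD_RE = re.compile(r"CHILD_SA (\S+)\{(\d+)\} established with SPIs "
                      r"(\w+)_i (\w+)_o and TS (\S+) === (\S+)")
POLICY_RE = re.compile(r"src (\S+) dst (\S+)\s+dir (\w+) priority \d+\s+"
                       r"tmpl src \S+ dst \S+\s+proto esp reqid (\d+)")

def parse_child_sas(log):
    """reqid -> (spi_in, spi_out) in order of first appearance, so repeated
    syslog lines collapse. Assumes {N} in a 4.x log line is the kernel reqid."""
    sas = {}
    for _conn, reqid, spi_i, spi_o, _local, _remote in CHILD_RE.findall(log):
        sas.setdefault(int(reqid), (spi_i, spi_o))
    return sas

def parse_policies(text):
    """(src, dst, dir, reqid) tuples parsed from `ip xfrm policy` output."""
    return [(s, d, dr, int(r)) for s, d, dr, r in POLICY_RE.findall(text)]

def find_stale_policies(log, policy_text):
    """Flag kernel policies whose template reqid is not the CHILD_SA charon
    established last (one connection assumed, as in the post)."""
    sas = parse_child_sas(log)
    if not sas:
        return []
    newest = list(sas)[-1]
    findings = []
    for src, dst, direction, reqid in parse_policies(policy_text):
        if reqid != newest:
            findings.append(f"dir {direction} {src} -> {dst} uses reqid {reqid}; "
                            f"newest CHILD_SA is reqid {newest} ({sas[newest][0]}_i {sas[newest][1]}_o)")
    return findings
```

With the post's data it flags the in and out policies (reqid 2) while the fwd policy already points at reqid 5, which is the inconsistency an investigation of the dropped traffic should start from.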