[strongSwan] INITIAL_CONTACT notify issue

yordanos beyene yordanosb at gmail.com
Thu Sep 19 03:00:06 CEST 2013

Hi SS team,

I am sending an INITIAL_CONTACT notify message to get a new IKE_SA to replace an
old IKE_SA which uses the same ID (leftid). I am using the uniqueness policy
of "replace" to achieve this, but it does not always delete the old IKE_SA that
uses the same ID as the new IKE_SA.

The old IKE_SA got deleted when the new and old IKE_SA use the same leftid
and rightid. The old IKE_SA did not get deleted when the rightid is different.
Below I included ipsec statusall output from the remote VPN host where the IKE_SA
did not get deleted.

Is this a bug, and are there any fixes? I appreciate any clarification. I am using
strongSwan 5.0.1.

Note: the new IKE_SA succeeded and the old IKE_SA is not deleted after a new
connection that matches conn2 appears with the same leftid but with a different
rightid than the old IKE_SA that matches conn1.
   conn1:  IKEv1
   conn1:   local:  [id2.com] uses pre-shared key authentication
   conn1:   remote: [id1.com] uses pre-shared key authentication
   conn1:   child: === TUNNEL
   conn2:  IKEv1
   conn2:   local:  [id3.com] uses pre-shared key authentication
   conn2:   remote: [id1.com] uses pre-shared key authentication
   conn2:   child: === TUNNEL
Routed Connections:
   conn1{1}:  ROUTED, TUNNEL
   conn1{1}: ===
   conn2{2}:  ROUTED, TUNNEL
   conn2{2}: ===
Security Associations (2 up, 0 connecting):
   conn2[2]: ESTABLISHED 12 seconds ago,[id3.com]...[
   conn2[2]: IKEv1 SPIs: d060015f5f9d4cb1_i 2c3838041993b109_r*, rekeying in 23 hours
   conn2[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
   conn2{4}:  INSTALLED, TUNNEL, ESP SPIs: cc189c07_i ca5aad79_o
   conn2{4}:  AES_CBC_128/HMAC_SHA1_96, 252 bytes_i (9s ago), 252 bytes_o (9s ago), rekeying in 53 minutes
   conn2{4}: ===
   conn1[1]: ESTABLISHED 21 seconds ago,[id2.com]...[
   conn1[1]: IKEv1 SPIs: 73801375ea2795e6_i f3a4709574c6d890_r*, rekeying in 23 hours
   conn1[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
   conn1{3}:  INSTALLED, TUNNEL, ESP SPIs: cb6b690d_i cfcad16e_o
   conn1{3}:  3DES_CBC/HMAC_SHA1_96, 252 bytes_i (18s ago), 252 bytes_o (18s ago), rekeying in 47 minutes
   conn1{3}: ===
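
The condition reported in this post (two established IKE_SAs that share one remote ID) can be checked mechanically from `ipsec statusall` output. The script below is an added example, not part of the original post or of strongSwan; the function names are hypothetical and the sample text is constructed from the shape of the output above.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the `ipsec statusall` output in the post.
SAMPLE = """\
   conn1:   local:  [id2.com] uses pre-shared key authentication
   conn1:   remote: [id1.com] uses pre-shared key authentication
   conn2:   local:  [id3.com] uses pre-shared key authentication
   conn2:   remote: [id1.com] uses pre-shared key authentication
Security Associations (2 up, 0 connecting):
   conn2[2]: ESTABLISHED 12 seconds ago,[id3.com]...[
   conn1[1]: ESTABLISHED 21 seconds ago,[id2.com]...[
"""

# "conn1:   remote: [id1.com] ..." lines from the connection listing
ID_LINE = re.compile(r"^\s*(\S+):\s+(local|remote):\s+\[([^\]]+)\]")
# "conn1[1]: ESTABLISHED ..." lines from the Security Associations listing
SA_LINE = re.compile(r"^\s*(\S+?)\[(\d+)\]:\s+ESTABLISHED\b")

def parse_status(text):
    """Return (ids, sas): ids[conn][role] = identity, sas = [(conn, sa_number)]."""
    ids, sas = defaultdict(dict), []
    for line in text.splitlines():
        m = ID_LINE.match(line)
        if m:
            conn, role, ident = m.groups()
            ids[conn][role] = ident
            continue
        m = SA_LINE.match(line)
        if m:
            sas.append((m.group(1), int(m.group(2))))
    return ids, sas

def shared_remote_ids(text):
    """Map each remote ID held by more than one established IKE_SA to those SAs."""
    ids, sas = parse_status(text)
    by_remote = defaultdict(list)
    for conn, num in sas:
        remote = ids.get(conn, {}).get("remote")
        if remote is not None:
            by_remote[remote].append((conn, num, ids[conn].get("local")))
    return {r: sorted(v) for r, v in by_remote.items() if len(v) > 1}

if __name__ == "__main__":
    for remote, entries in shared_remote_ids(SAMPLE).items():
        print(f"remote ID {remote} has {len(entries)} established IKE_SAs:")
        for conn, num, local in entries:
            print(f"  {conn}[{num}] local ID {local}")
```

The remote ID is taken from the connection listing because the `ESTABLISHED` lines in the post are cut off before the remote identity.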