[strongSwan] INITIAL_CONTACT notify issue
yordanos beyene
yordanosb at gmail.com
Thu Sep 19 03:00:06 CEST 2013
Hi SS team,
I am sending INITIAL_CONTACT notify message to get a new IKE_SA replace an
old IKE_SA which uses the same ID (leftid). I am using uniqueness policy
of "replace" to achieve this but it does not always delete old IKE_SA that
uses the same ID as new IKE_SA.
The old IKE_SA got deleted when the new and old IKE_SA use the same leftid
and rightid. The old IKE_SA did not get deleted when rightid is different.
Below I included ipsec statusall output from remote vpn host where IKE_SA
did not get deleted.
Is this a bug and any fixes? I appreciate any clarification. I am using
strongswan 5.0.1
Note: new IKE_SA succeeded and old IKE_SA is not deleted after new
connection that matches conn2 appears with same leftid but with different
rightid as old IKE_SA that match conn1.
connections:
conn1: 172.16.20.5...172.16.20.4 IKEv1
conn1: local: [id2.com] uses pre-shared key authentication
conn1: remote: [id1.com] uses pre-shared key authentication
conn1: child: 172.16.40.10/32 === 172.16.50.10/32 TUNNEL
conn2: 172.16.30.5...172.16.30.4 IKEv1
conn2: local: [id3.com] uses pre-shared key authentication
conn2: remote: [id1.com] uses pre-shared key authentication
conn2: child: 172.16.60.10/32 === 172.16.70.10/32 TUNNEL
Routed Connections:
conn1{1}: ROUTED, TUNNEL
conn1{1}: 172.16.40.10/32 === 172.16.50.10/32
conn2{2}: ROUTED, TUNNEL
conn2{2}: 172.16.60.10/32 === 172.16.70.10/32
Security Associations (2 up, 0 connecting):
conn2[2]: ESTABLISHED 12 seconds ago, 172.16.30.5[id3.com]...172.16.30.4[*id1.com*]
conn2[2]: IKEv1 SPIs: d060015f5f9d4cb1_i 2c3838041993b109_r*, rekeying in 23 hours
conn2[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
conn2{4}: INSTALLED, TUNNEL, ESP SPIs: cc189c07_i ca5aad79_o
conn2{4}: AES_CBC_128/HMAC_SHA1_96, 252 bytes_i (9s ago), 252 bytes_o (9s ago), rekeying in 53 minutes
conn2{4}: 172.16.60.10/32 === 172.16.70.10/32
conn1[1]: ESTABLISHED 21 seconds ago, 172.16.20.5[id2.com]...172.16.20.4[*id1.com*]
conn1[1]: IKEv1 SPIs: 73801375ea2795e6_i f3a4709574c6d890_r*, rekeying in 23 hours
conn1[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
conn1{3}: INSTALLED, TUNNEL, ESP SPIs: cb6b690d_i cfcad16e_o
conn1{3}: 3DES_CBC/HMAC_SHA1_96, 252 bytes_i (18s ago), 252 bytes_o (18s ago), rekeying in 47 minutes
conn1{3}: 172.16.40.10/32 === 172.16.50.10/32
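
The condition reported above (more than one ESTABLISHED IKE_SA held for the same remote ID) can be checked mechanically from `ipsec statusall` output. The following is an added example, not part of the original post and not strongSwan code; it assumes the IKE_SA line layout shown in the output above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: IKE_SA and CHILD_SA lines taken from the post's
# `ipsec statusall` output, with mail wrapping undone and the emphasis
# asterisks around the remote ID removed.
SAMPLE = """\
Security Associations (2 up, 0 connecting):
conn2[2]: ESTABLISHED 12 seconds ago, 172.16.30.5[id3.com]...172.16.30.4[id1.com]
conn2{4}: INSTALLED, TUNNEL, ESP SPIs: cc189c07_i ca5aad79_o
conn1[1]: ESTABLISHED 21 seconds ago, 172.16.20.5[id2.com]...172.16.20.4[id1.com]
conn1{3}: INSTALLED, TUNNEL, ESP SPIs: cb6b690d_i cfcad16e_o
"""

# Assumed layout: name[uid]: ESTABLISHED <age>, lhost[local_id]...rhost[remote_id]
IKE_SA = re.compile(
    r"^\s*(?P<conn>[^\s\[]+)\[(?P<uid>\d+)\]:\s+ESTABLISHED\s+[^,]*,\s+"
    r"(?P<lhost>[^\[\s]+)\[(?P<lid>[^\]]*)\]\.\.\."
    r"(?P<rhost>[^\[\s]+)\[(?P<rid>[^\]]*)\]"
)

def established_sas(text):
    """Return one dict per ESTABLISHED IKE_SA line; CHILD_SA lines are skipped."""
    return [m.groupdict() for m in map(IKE_SA.match, text.splitlines()) if m]

def shared_remote_ids(text):
    """Map each remote ID held by more than one ESTABLISHED IKE_SA to its SAs."""
    by_rid = defaultdict(list)
    for sa in established_sas(text):
        by_rid[sa["rid"]].append(sa)
    return {rid: sas for rid, sas in by_rid.items() if len(sas) > 1}

def report(text):
    """One summary line per shared remote ID, noting whether local IDs differ."""
    lines = []
    for rid, sas in sorted(shared_remote_ids(text).items()):
        local_ids = {sa["lid"] for sa in sas}
        kind = "same local ID" if len(local_ids) == 1 else "different local IDs"
        names = ", ".join(f'{sa["conn"]}[{sa["uid"]}]' for sa in sas)
        lines.append(f"remote ID {rid}: {len(sas)} IKE_SAs ({names}), {kind}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)) or "no remote ID is shared")
```
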