[strongSwan] Keeps adding tunnels

Peter Osterberg j at vel.nu
Wed Apr 16 14:54:41 CEST 2014


Hello

I've a problem where Strongswan seems to add more and more tunnels for my
connection and I can't figure out why.

I am connecting two sites, one host running Debian Squeeze and the other
Xubuntu 13.10.

I found someone else having this problem and someone suggested that it
could have something to do with *buntus init scripts so I disabled those
on both ends.

I have manually started the daemon with *ipsec start* on both ends. I
have then added the connection with *ipsec up tunnelname*.

This works just fine and it gives me one tunnel if I check with *ipsec
status*. I do however after half an hour or so get more and more active
tunnels, and it gets unresponsive.

I have then tried to end the connection with *ipsec down tunnelname*. It
does however not go down, it keeps all the active connections but the
tunnel starts to function again. This is something I have to do every 15
minutes or so, quite annoying. =)

I can't figure out what it is that is going on. Why does Strongswan add
all those extra connections?

Regards,
Peter

Left side:

# basic configuration

config setup
        strictcrlpolicy=no
        charonstart=yes
        plutostart=no

# Add connections here.
conn %default
     ikelifetime=60m
     keylife=20m
     rekeymargin=1
     keyexchange=ikev2
     mobike=yes

conn tunnelname
     left=x.y.z.q
     leftcert=firstCert.pem
     leftsubnet=10.100.0.0/16
     leftid=@my.first.domainname
     leftfirewall=yes
     right=q.z.y.x
     rightsubnet=10.101.0.0/16
     rightid=@my.second.domainname
     rightcert=/etc/ipsec.d/certs/secondCert.pem
     rightsendcert=never
     auto=add

include /var/lib/strongswan/ipsec.conf.inc


Right side:

# basic configuration

config setup
        strictcrlpolicy=no
        charonstart=yes
        plutostart=no

# Add connections here.
conn %default
     ikelifetime=60m
     keylife=20m
     rekeymargin=1
     keyexchange=ikev2
     mobike=yes

conn tunnelname
     left=q.z.y.x
     leftcert=secondCert.pem
     leftsubnet=10.101.0.0/16
     leftid=@my.second.domainname
     right=x.y.z.q
     rightsubnet=10.100.0.0/16
     rightid=@my.first.domainname
     rightcert=/etc/ipsec.d/certs/firstCert.pem
     rightsendcert=never
     auto=add

include /var/lib/strongswan/ipsec.conf.inc


Just started tunnel

poe@first:~$ sudo ipsec status
Security Associations:
tunnelname[1]: ESTABLISHED 3 seconds ago, x.y.z.q[my.first.domainname]...q.z.y.x[my.second.domainname]
tunnelname{1}:  INSTALLED, TUNNEL, ESP SPIs: c2e79cb7_i cfb3172a_o
tunnelname{1}:   10.100.0.0/16 === 10.101.0.0/16

After a few hours (44 minutes is not correct)

poe@first:~$ sudo ipsec status
Security Associations:
tunnelname0[5]: ESTABLISHED 44 minutes ago, x.y.z.q[my.first.domainname]...q.z.y.x[my.second.domainname]
tunnelname{5}:  INSTALLED, TUNNEL, ESP SPIs: c0480a2e_i cde1013d_o
tunnelname{5}:   10.100.0.0/16 === 10.101.0.0/16
tunnelname{5}:  INSTALLED, TUNNEL, ESP SPIs: cd002eb9_i c0990b03_o
tunnelname{5}:   10.100.0.0/16 === 10.101.0.0/16
tunnelname{5}:  INSTALLED, TUNNEL, ESP SPIs: c4fdb6b8_i ca6c70d3_o
tunnelname{5}:   10.100.0.0/16 === 10.101.0.0/16
tunnelname{6}:  INSTALLED, TUNNEL, ESP SPIs: c5c0bd22_i c1d1fe31_o
tunnelname{6}:   10.100.0.0/16 === 10.101.0.0/16
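As an added example (not part of the original post or of strongSwan itself), the following Python script parses `ipsec status` output in the line format quoted above and flags any connection that has more than one INSTALLED CHILD_SA for the same pair of traffic selectors, which is exactly the pile-up the post describes. The two status texts embedded in the script are constructed from the post's own output; the regular expressions assume that format and would need adjusting for other strongSwan versions or for `ipsec statusall`.

```python
import re
import sys
from collections import defaultdict

# Constructed from the healthy `ipsec status` output quoted in the post.
HEALTHY_STATUS = """\
Security Associations:
tunnelname[1]: ESTABLISHED 3 seconds ago, x.y.z.q[my.first.domainname]...q.z.y.x[my.second.domainname]
tunnelname{1}:  INSTALLED, TUNNEL, ESP SPIs: c2e79cb7_i cfb3172a_o
tunnelname{1}:   10.100.0.0/16 === 10.101.0.0/16
"""

# Constructed from the later output in the post, where CHILD_SAs have piled up.
PILED_UP_STATUS = """\
Security Associations:
tunnelname0[5]: ESTABLISHED 44 minutes ago, x.y.z.q[my.first.domainname]...q.z.y.x[my.second.domainname]
tunnelname{5}:  INSTALLED, TUNNEL, ESP SPIs: c0480a2e_i cde1013d_o
tunnelname{5}:   10.100.0.0/16 === 10.101.0.0/16
tunnelname{5}:  INSTALLED, TUNNEL, ESP SPIs: cd002eb9_i c0990b03_o
tunnelname{5}:   10.100.0.0/16 === 10.101.0.0/16
tunnelname{6}:  INSTALLED, TUNNEL, ESP SPIs: c5c0bd22_i c1d1fe31_o
tunnelname{6}:   10.100.0.0/16 === 10.101.0.0/16
"""

# A CHILD_SA line: "<conn>{<id>}:  INSTALLED, <mode>, ESP SPIs: <in>_i <out>_o"
SA_RE = re.compile(
    r"^(?P<conn>\S+?)\{(?P<id>\d+)\}:\s+INSTALLED,.*ESP SPIs:\s+"
    r"(?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o"
)
# The traffic-selector line that follows it: "<conn>{<id>}:   <local> === <remote>"
TS_RE = re.compile(
    r"^(?P<conn>\S+?)\{(?P<id>\d+)\}:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)"
)


def parse_child_sas(status_text):
    """Return a list of dicts, one per INSTALLED CHILD_SA, with its selectors attached."""
    sas = []
    pending = None  # last CHILD_SA still waiting for its selector line
    for line in status_text.splitlines():
        m = SA_RE.match(line)
        if m:
            pending = {
                "conn": m["conn"],
                "id": int(m["id"]),
                "spi_in": m["spi_in"],
                "spi_out": m["spi_out"],
                "selectors": None,
            }
            sas.append(pending)
            continue
        m = TS_RE.match(line)
        if m and pending is not None and m["conn"] == pending["conn"]:
            pending["selectors"] = (m["local"], m["remote"])
            pending = None
    return sas


def find_duplicate_child_sas(sas, limit=1):
    """Group CHILD_SAs by (connection, selectors); return groups larger than `limit`.

    A healthy tunnel normally carries one CHILD_SA per selector pair (briefly two
    while a rekey is in progress), so anything above that is worth alerting on.
    """
    groups = defaultdict(list)
    for sa in sas:
        groups[(sa["conn"], sa["selectors"])].append(sa)
    return {key: group for key, group in groups.items() if len(group) > limit}


def report(status_text):
    """Human-readable summary lines for each over-populated selector pair."""
    lines = []
    for (conn, selectors), group in find_duplicate_child_sas(parse_child_sas(status_text)).items():
        spis = ", ".join(f"{sa['spi_in']}_i/{sa['spi_out']}_o" for sa in group)
        lines.append(f"{conn}: {len(group)} CHILD_SAs for {selectors[0]} === {selectors[1]} ({spis})")
    return lines


if __name__ == "__main__":
    # Pipe real output in with `sudo ipsec status | python3 this_script.py`;
    # with no piped input the constructed sample from the post is analysed instead.
    text = PILED_UP_STATUS if sys.stdin.isatty() else sys.stdin.read()
    for line in report(text) or ["no duplicate CHILD_SAs found"]:
        print(line)
```

Running this periodically from cron against live `ipsec status` output turns the "check every 15 minutes by hand" step into a monitored condition. Note also that in ipsec.conf a time value without a unit suffix is read as seconds, so the `rekeymargin=1` in the configurations above leaves only one second of margin before `keylife` expires, which is a setting worth revisiting while investigating rekey behaviour.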

