[strongSwan] Multiple Tunnel with Single IKE SA

Sriram Raghunathan sriram.r at nsn.com
Mon Feb 2 09:45:52 CET 2015 

Hi, 

    Reference: Strongswan version 4.5.3.

    Currently, I'm debugging a problem with the above version of
    strongswan software installed on some of the hardwares and the
    security gateway. 

    The problem is, I see 
    "multiple tunnel's being established for a single ike sa". Somehow
    feel its a race condition in the strongswan code. The problem is
    seen when trying to establish close to 200 tunnels. Below is the
    config I'm trying with. Could you please help me out here? 

The problem seen here below:

      conn12[262]: ESTABLISHED 8 minutes ago, 172.16.11.7[172.16.11.7]...172.16.11.61[172.16.11.61]
      conn12[262]: IKE SPIs: 61eebfcfbde117bf_i 6939a8f12fc12e91_r*, rekeying in 95 minutes
      conn12[262]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
-----------------------------------------------------------------------------------------------------
      conn12{245}:  INSTALLED, TUNNEL, ESP SPIs: cfdad3fe_i cfc7aea7_o
      conn12{245}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
      conn12{245}:   172.16.11.7/32 === 172.100.7.0/24 
      conn12{250}:  INSTALLED, TUNNEL, ESP SPIs: ca3fc3e2_i c4be685b_o
      conn12{250}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
      conn12{250}:   172.16.11.7/32 === 172.100.7.0/24 
-----------------------------------------------------------------------------------------------------

config setup 
  plutostart=no
  plutodebug=none 
  nat_traversal=yes 
  uniqueids=no 
  charonstart=yes 
  charondebug="dmn 1, mgr 1, ike 0, chd 1, job 0, cfg 0, knl 0, net 0, enc -1, lib -1" 

conn %default 
  pfs=no 
  installpolicy=yes 
  keyingtries=%forever 
  mobike=no 

------ truncated --------------
conn conn12
  type=tunnel 
  leftsubnet=172.16.11.7/32
  rightsubnet=172.100.7.0/24
  left=172.16.11.7
  right=172.16.11.61
  auto=start 
  keyexchange=ikev2 
  authby=psk 
  reauth=no 
  ike=3des-sha1-modp1024!
  ikelifetime=7200
  pfs=no 
  esp=3des-sha1-noesn!
  keylife=3600
  dpdaction=clear 
  dpddelay=10
  leftprotoport=0
  rightprotoport=0
  rekeyfuzz=100% 
  rekeymargin=540s 
------ truncated --------------

-- 
Sriram
Justice, n.:
	A decision in your favor.

More information about the Users mailing list