[strongSwan] Multiple Tunnel with Single IKE SA

Noel Kuntze noel at familie-kuntze.de
Tue Feb 3 20:59:08 CET 2015



Hello Sriram,

Please try using "uniqueids=yes".

Kind regards/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 02.02.2015 at 09:45, Sriram Raghunathan wrote:
>
> Hi,
>
>     Reference: Strongswan version 4.5.3.
>
>     Currently, I'm debugging a problem with the above version of
>     the strongswan software installed on some of the hardware and the
>     security gateway.
>
>     The problem is, I see
>     "multiple tunnels being established for a single IKE SA". Somehow I
>     feel it's a race condition in the strongswan code. The problem is
>     seen when trying to establish close to 200 tunnels. Below is the
>     config I'm trying with. Could you please help me out here?
>
> The problem is seen below:
>
>       conn12[262]: ESTABLISHED 8 minutes ago, 172.16.11.7[172.16.11.7]...172.16.11.61[172.16.11.61]
>       conn12[262]: IKE SPIs: 61eebfcfbde117bf_i 6939a8f12fc12e91_r*, rekeying in 95 minutes
>       conn12[262]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> -----------------------------------------------------------------------------------------------------
>       conn12{245}:  INSTALLED, TUNNEL, ESP SPIs: cfdad3fe_i cfc7aea7_o
>       conn12{245}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
>       conn12{245}:   172.16.11.7/32 === 172.100.7.0/24
>       conn12{250}:  INSTALLED, TUNNEL, ESP SPIs: ca3fc3e2_i c4be685b_o
>       conn12{250}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
>       conn12{250}:   172.16.11.7/32 === 172.100.7.0/24
> -----------------------------------------------------------------------------------------------------
>
> config setup
>   plutostart=no
>   plutodebug=none
>   nat_traversal=yes
>   uniqueids=no
>   charonstart=yes
>   charondebug="dmn 1, mgr 1, ike 0, chd 1, job 0, cfg 0, knl 0, net 0, enc -1, lib -1"
>
> conn %default
>   pfs=no
>   installpolicy=yes
>   keyingtries=%forever
>   mobike=no
>
> ------ truncated --------------
> conn conn12
>   type=tunnel
>   leftsubnet=172.16.11.7/32
>   rightsubnet=172.100.7.0/24
>   left=172.16.11.7
>   right=172.16.11.61
>   auto=start
>   keyexchange=ikev2
>   authby=psk
>   reauth=no
>   ike=3des-sha1-modp1024!
>   ikelifetime=7200
>   pfs=no
>   esp=3des-sha1-noesn!
>   keylife=3600
>   dpdaction=clear
>   dpddelay=10
>   leftprotoport=0
>   rightprotoport=0
>   rekeyfuzz=100%
>   rekeymargin=540s
> ------ truncated --------------
>

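A check for the symptom shown in the quoted status output, as an added example that is not part of this thread or of strongSwan itself: it parses `ipsec statusall`-style lines (the sample below is constructed from the lines in the post plus one healthy connection) and reports traffic-selector pairs that are installed more than once under the same IKE_SA, which is what "multiple tunnels for a single IKE SA" looks like in the output.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `ipsec statusall` output: conn12[262]
# carries two CHILD_SAs with identical traffic selectors (the reported
# symptom), while conn13[263] is healthy with a single CHILD_SA.
SAMPLE_STATUS = """\
conn12[262]: ESTABLISHED 8 minutes ago, 172.16.11.7[172.16.11.7]...172.16.11.61[172.16.11.61]
conn12[262]: IKE SPIs: 61eebfcfbde117bf_i 6939a8f12fc12e91_r*, rekeying in 95 minutes
conn12{245}:  INSTALLED, TUNNEL, ESP SPIs: cfdad3fe_i cfc7aea7_o
conn12{245}:   172.16.11.7/32 === 172.100.7.0/24
conn12{250}:  INSTALLED, TUNNEL, ESP SPIs: ca3fc3e2_i c4be685b_o
conn12{250}:   172.16.11.7/32 === 172.100.7.0/24
conn13[263]: ESTABLISHED 5 minutes ago, 172.16.11.7[172.16.11.7]...172.16.11.62[172.16.11.62]
conn13{251}:  INSTALLED, TUNNEL, ESP SPIs: 0a0b0c0d_i 0d0c0b0a_o
conn13{251}:   172.16.11.7/32 === 172.100.8.0/24
"""

# "name[N]:" lines describe an IKE_SA, "name{N}:" lines a CHILD_SA of the
# IKE_SA most recently listed above it; the TS line carries "local === remote".
IKE_SA_RE = re.compile(r"^(?P<conn>\S+)\[(?P<id>\d+)\]:")
CHILD_TS_RE = re.compile(
    r"^(?P<conn>\S+)\{(?P<id>\d+)\}:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)")


def find_duplicate_child_sas(status_text):
    """Return {(conn, ike_id, local_ts, remote_ts): [child ids]} for every
    traffic-selector pair that has more than one CHILD_SA under one IKE_SA."""
    children = defaultdict(set)
    current_ike = None
    for line in status_text.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            current_ike = (m["conn"], int(m["id"]))
            continue
        m = CHILD_TS_RE.match(line)
        if m and current_ike and m["conn"] == current_ike[0]:
            key = current_ike + (m["local"], m["remote"])
            children[key].add(int(m["id"]))
    return {key: sorted(ids) for key, ids in children.items() if len(ids) > 1}


if __name__ == "__main__":
    for (conn, ike_id, local, remote), ids in find_duplicate_child_sas(SAMPLE_STATUS).items():
        print(f"{conn}[{ike_id}] has {len(ids)} CHILD_SAs for {local} === {remote}: {ids}")
```

Feeding the real `ipsec statusall` output through stdin instead of the sample turns this into a quick check for whether the duplicates persist after a config change.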
