[strongSwan] Multiple Tunnel with Single IKE SA
Pavan Maganti
pavansanjay at gmail.com
Thu Feb 5 06:53:03 CET 2015
Hi Noel,
The issue mentioned here is with duplicate SAs. Sometimes when we try to create
512 tunnels we encounter this issue. 1 or 2 IKE tunnels have
duplicate child SAs. How can we avoid this? Is there any fix available in the
latest release?
Regards,
Pavan
On Wed, Feb 4, 2015 at 1:29 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> Hello Sriram,
>
> Please try using "uniqueids=yes".
>
> Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 02.02.2015 at 09:45, Sriram Raghunathan wrote:
> >
> > Hi,
> >
> > Reference: strongSwan version 4.5.3.
> >
> > Currently, I'm debugging a problem with the above version of
> > strongSwan software installed on some of the hardware and the
> > security gateway.
> >
> > The problem is, I see
> > "multiple tunnels being established for a single IKE SA". I somehow
> > feel it's a race condition in the strongSwan code. The problem is
> > seen when trying to establish close to 200 tunnels. Below is the
> > config I'm trying with. Could you please help me out here?
> >
> > The problem seen here below:
> >
> > conn12[262]: ESTABLISHED 8 minutes ago, 172.16.11.7[172.16.11.7]...172.16.11.61[172.16.11.61]
> > conn12[262]: IKE SPIs: 61eebfcfbde117bf_i 6939a8f12fc12e91_r*, rekeying in 95 minutes
> > conn12[262]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> > -----------------------------------------------------------------------------------------------------
> > conn12{245}: INSTALLED, TUNNEL, ESP SPIs: cfdad3fe_i cfc7aea7_o
> > conn12{245}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
> > conn12{245}: 172.16.11.7/32 === 172.100.7.0/24
> > conn12{250}: INSTALLED, TUNNEL, ESP SPIs: ca3fc3e2_i c4be685b_o
> > conn12{250}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
> > conn12{250}: 172.16.11.7/32 === 172.100.7.0/24
> > -----------------------------------------------------------------------------------------------------
> >
> > config setup
> >     plutostart=no
> >     plutodebug=none
> >     nat_traversal=yes
> >     uniqueids=no
> >     charonstart=yes
> >     charondebug="dmn 1, mgr 1, ike 0, chd 1, job 0, cfg 0, knl 0, net 0, enc -1, lib -1"
> >
> > conn %default
> >     pfs=no
> >     installpolicy=yes
> >     keyingtries=%forever
> >     mobike=no
> >
> > ------ truncated --------------
> > conn conn12
> >     type=tunnel
> >     leftsubnet=172.16.11.7/32
> >     rightsubnet=172.100.7.0/24
> >     left=172.16.11.7
> >     right=172.16.11.61
> >     auto=start
> >     keyexchange=ikev2
> >     authby=psk
> >     reauth=no
> >     ike=3des-sha1-modp1024!
> >     ikelifetime=7200
> >     pfs=no
> >     esp=3des-sha1-noesn!
> >     keylife=3600
> >     dpdaction=clear
> >     dpddelay=10
> >     leftprotoport=0
> >     rightprotoport=0
> >     rekeyfuzz=100%
> >     rekeymargin=540s
> > ------ truncated --------------
> >
>