[strongSwan] Multiple Tunnel with Single IKE SA

Noel Kuntze noel at familie-kuntze.de
Thu Feb 5 18:59:11 CET 2015


Hello Pavan,

As I mentioned in the last email to Siram, the kernel should actively reject
installation of duplicate policies. It probably does that or replaces the old ones.
I did not encounter this behaviour with any of the versions I used (5.x series).
I advise trying a newer version like 5.2.1 or 5.2.2.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 05.02.2015 um 06:53 schrieb Pavan Maganti:
> Hi Noel,
>
> The issue mentioned here is with duplicate SAs. Sometimes when we try to create 512 tunnels we are encountering this issue: 1 or 2 IKE tunnels have duplicate child SAs. How to avoid this? Is there any fix available in the latest release?
>
> Regards,
> Pavan
>
> On Wed, Feb 4, 2015 at 1:29 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> Hello Sriram,
>
> Please try using "uniqueids=yes".
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 02.02.2015 um 09:45 schrieb Sriram Raghunathan:
>
> > Hi,
>
> >     Reference: Strongswan version 4.5.3.
>
> >     Currently, I'm debugging a problem with the above version of
> >     strongswan software installed on some of the hardware and the
> >     security gateway.
>
> >     The problem is, I see
> >     "multiple tunnels being established for a single IKE SA". Somehow
> >     I feel it's a race condition in the strongswan code. The problem is
> >     seen when trying to establish close to 200 tunnels. Below is the
> >     config I'm trying with. Could you please help me out here?
>
> > The problem seen here below:
>
> >       conn12[262]: ESTABLISHED 8 minutes ago, 172.16.11.7[172.16.11.7]...172.16.11.61[172.16.11.61]
> >       conn12[262]: IKE SPIs: 61eebfcfbde117bf_i 6939a8f12fc12e91_r*, rekeying in 95 minutes
> >       conn12[262]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> > -----------------------------------------------------------------------------------------------------
> >       conn12{245}:  INSTALLED, TUNNEL, ESP SPIs: cfdad3fe_i cfc7aea7_o
> >       conn12{245}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
> >       conn12{245}:   172.16.11.7/32 === 172.100.7.0/24
> >       conn12{250}:  INSTALLED, TUNNEL, ESP SPIs: ca3fc3e2_i c4be685b_o
> >       conn12{250}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
> >       conn12{250}:   172.16.11.7/32 === 172.100.7.0/24
> > -----------------------------------------------------------------------------------------------------
>
> > config setup
> >   plutostart=no
> >   plutodebug=none
> >   nat_traversal=yes
> >   uniqueids=no
> >   charonstart=yes
> >   charondebug="dmn 1, mgr 1, ike 0, chd 1, job 0, cfg 0, knl 0, net 0, enc -1, lib -1"
>
> > conn %default
> >   pfs=no
> >   installpolicy=yes
> >   keyingtries=%forever
> >   mobike=no
>
> > ------ truncated --------------
> > conn conn12
> >   type=tunnel
> >   leftsubnet=172.16.11.7/32
> >   rightsubnet=172.100.7.0/24
> >   left=172.16.11.7
> >   right=172.16.11.61
> >   auto=start
> >   keyexchange=ikev2
> >   authby=psk
> >   reauth=no
> >   ike=3des-sha1-modp1024!
> >   ikelifetime=7200
> >   pfs=no
> >   esp=3des-sha1-noesn!
> >   keylife=3600
> >   dpdaction=clear
> >   dpddelay=10
> >   leftprotoport=0
> >   rightprotoport=0
> >   rekeyfuzz=100%
> >   rekeymargin=540s
> > ------ truncated --------------
>

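As an added example (not from the thread and not strongSwan's own code), this is the check a gateway operator would script against `ipsec statusall` to catch the condition Sriram describes: one IKE_SA carrying more than one INSTALLED CHILD_SA with identical traffic selectors. The sample text is constructed from the status lines quoted above; that CHILD_SA lines follow their IKE_SA header positionally, and a selector line follows its own CHILD_SA header, is an assumption about the output layout, noted in the code.

```python
import re
from collections import defaultdict

# Line shapes of charon's `ipsec statusall` output, derived from the thread's lines.
IKE_RE = re.compile(r'^(?P<conn>[^\s\[]+)\[(?P<ike>\d+)\]:\s+'
                    r'(?:CREATED|CONNECTING|ESTABLISHED|PASSIVE|REKEYING|DELETING)\b')
CHILD_RE = re.compile(r'^(?P<conn>[^\s{]+)\{(?P<child>\d+)\}:\s+(?P<state>[A-Z_]+),\s+'
                      r'(?:TUNNEL|TRANSPORT|BEET)\b')
TS_RE = re.compile(r'^[^\s{]+\{\d+\}:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)$')

# Constructed sample: the status output quoted in the thread, minus some cipher lines.
SAMPLE = """\
conn12[262]: ESTABLISHED 8 minutes ago, 172.16.11.7[172.16.11.7]...172.16.11.61[172.16.11.61]
conn12[262]: IKE SPIs: 61eebfcfbde117bf_i 6939a8f12fc12e91_r*, rekeying in 95 minutes
conn12{245}:  INSTALLED, TUNNEL, ESP SPIs: cfdad3fe_i cfc7aea7_o
conn12{245}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
conn12{245}:   172.16.11.7/32 === 172.100.7.0/24
conn12{250}:  INSTALLED, TUNNEL, ESP SPIs: ca3fc3e2_i c4be685b_o
conn12{250}:   172.16.11.7/32 === 172.100.7.0/24
"""

def parse_statusall(text):
    """Map (conn, ike_id) -> list of [child_id, state, local_ts, remote_ts].
    Assumption about the layout: CHILD_SA lines follow their IKE_SA header,
    and a selector line follows its own CHILD_SA header (positional)."""
    sas, current = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := IKE_RE.match(line):
            current = (m['conn'], m['ike'])
            sas[current]  # keep IKE_SAs without any CHILD_SA in the result too
        elif (m := CHILD_RE.match(line)) and current is not None:
            sas[current].append([m['child'], m['state'], None, None])
        elif (m := TS_RE.match(line)) and current is not None and sas[current]:
            sas[current][-1][2:] = [m['local'], m['remote']]
    return dict(sas)

def find_duplicate_children(sas):
    """{(conn, ike_id, local_ts, remote_ts): [child ids]} for each IKE_SA carrying
    more than one INSTALLED CHILD_SA with identical traffic selectors. A brief
    overlap is normal during CHILD_SA rekeying; two INSTALLED SAs minutes apart
    with 0 bytes each, as in the thread, is not that."""
    dups = {}
    for (conn, ike), kids in sas.items():
        by_ts = defaultdict(list)
        for child, state, local, remote in kids:
            if state == 'INSTALLED' and local and remote:
                by_ts[(local, remote)].append(child)
        dups.update({(conn, ike, loc, rem): ids for (loc, rem), ids in by_ts.items() if len(ids) > 1})
    return dups
```

In production, pipe the live `ipsec statusall` output into `parse_statusall` and alert on a non-empty result from `find_duplicate_children`.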