[strongSwan] Multiple Child SA after only 14 minutes

Noel Kuntze noel at familie-kuntze.de
Mon Feb 9 19:22:30 CET 2015


Hello Tom,

That looks like a problem on either of the peers involved.

Please post your config, what software the other side uses, a log, preferably showing the full tunnel setup and the
messages that show the creation of those duplicate SAs, as well as the output of "ipsec statusall".

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 09.02.2015 at 19:11, Tom Rymes wrote:
> I am having some connectivity issues and I am not certain if this is a symptom or the cause. On one of my machines I see the following:
>
> [root at hudson ~]# ipsec status
> Routed Connections:
>         Data{1}:  ROUTED, TUNNEL
>         Data{1}:   192.168.0.0/21 === 10.100.0.0/23
> Security Associations (1 up, 0 connecting):
>         Data[6]: ESTABLISHED 14 minutes ago, 50.255.159.181[C=US, ST=XX, O=something, OU=Some Dept, CN=hostname.domain.dom]...XX.YY.ZZ.XX[C=US, ST=XX, O=something, OU=Some Dept, CN=domain.dom]
>         Data{1}:  INSTALLED, TUNNEL, ESP SPIs: c7efeef8_i c583fdba_o, IPCOMP CPIs: bf58_i c959_o
>         Data{1}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{1}:  INSTALLED, TUNNEL, ESP SPIs: c5f5025b_i cfeb18ba_o, IPCOMP CPIs: 0a35_i d9e7_o
>         Data{1}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{1}:  INSTALLED, TUNNEL, ESP SPIs: c0f0123d_i c9452af2_o, IPCOMP CPIs: 5026_i cc69_o
>         Data{1}:   192.168.0.0/21 === 10.100.0.0/23
>
> Why are there three Child SAs installed if the tunnel has only been up for 14 minutes and ikelifetime=8h and keylife=1h?
>
> Tom
