[strongSwan] 60+ SAs listed in ipsec status output?
trymes at rymes.com
Wed Feb 25 15:57:31 CET 2015
I have a tunnel between two Strongswan boxes that is set
to rekey IKE every 8 hours and rekey the SA every 1 hour.
Here is the local ipsec.conf (the other side is the same,
but has a dozen other tunnels, too):
[root@hudson ~]# cat /etc/ipsec.conf
version 2
conn %default
        keyingtries=%forever
include /etc/ipsec.user.conf
conn Data
        left=ipa.ddr.ess.a
        leftsubnet=192.168.0.0/21
        leftfirewall=yes
        lefthostaccess=yes
        right=ipa.ddr.ess.b
        rightsubnet=10.100.0.0/23
        leftcert=/var/ipfire/certs/hostcert.pem
        rightcert=/var/ipfire/certs/Datacert.pem
        leftid="@hosta.mydom.dom"
        rightid="@mydom.dom"
        ike=aes256-sha2_256-ecp512bp,aes256-sha2_256-ecp384bp,aes256-sha2_256-ecp256bp,aes256-sha2_256-ecp224bp,aes192-sha2_256-ecp512bp,aes192-sha2_256-ecp384bp,aes192-sha2_256-ecp256bp,aes192-sha2_256-ecp224bp,aes128-sha2_256-ecp512bp,aes128-sha2_256-ecp384bp,aes128-sha2_256-ecp256bp,aes128-sha2_256-ecp224bp
        esp=aes256-sha2_256,aes256-sha2_256,aes256-sha2_256,aes256-sha2_256,aes192-sha2_256,aes192-sha2_256,aes192-sha2_256,aes192-sha2_256,aes128-sha2_256,aes128-sha2_256,aes128-sha2_256,aes128-sha2_256
        keyexchange=ikev2
        ikelifetime=8h
        keylife=1h
        compress=yes
        dpdaction=restart
        dpddelay=120
        dpdtimeout=30
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        auto=route
For some reason, if I leave the machine to its own
devices, the output of ipsec status ends up littered with
old (?) SA entries that make no sense to me. Why would
this be happening?
Routed Connections:
Data{4}: ROUTED, TUNNEL
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Security Associations (1 up, 0 connecting):
Data[286]: ESTABLISHED 33 minutes ago,
ipa.ddr.ess.a[C=US, ST=NH, O=Mydom, OU=Engineering Dept,
CN=hosta.mydom.dom]...ipa.ddr.ess.b[C=US, ST=NH, O=Mydom,
OU=Engineering Dept, CN=mydom.dom]
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c8107662_i
c89e3611_o, IPCOMP CPIs: 43cf_i 36be_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: cb693600_i
c09bb1e2_o, IPCOMP CPIs: b74b_i 2a3a_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: cf34c325_i
c8ae364f_o, IPCOMP CPIs: 04c8_i db51_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c6450374_i
c89d0fd0_o, IPCOMP CPIs: b2d5_i 8f17_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: ccb82be4_i
cb8c6de5_o, IPCOMP CPIs: cc2f_i 7485_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c046292d_i
cb9c5941_o, IPCOMP CPIs: e1ef_i eb0b_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c46c40fa_i
c8cb22a6_o, IPCOMP CPIs: 7468_i 1a4e_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c7471719_i
ceb7ebfb_o, IPCOMP CPIs: abd5_i 15fd_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c79e5c03_i
c47d2958_o, IPCOMP CPIs: 3646_i 32ee_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c34675de_i
c8e2a79b_o, IPCOMP CPIs: 268c_i b0c6_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c000d12c_i
cb8c4f5f_o, IPCOMP CPIs: 48e4_i 10ff_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: cdf3f6f1_i
c268a557_o, IPCOMP CPIs: 2d38_i 2aa2_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c79415e3_i
c145e90e_o, IPCOMP CPIs: e71d_i 689e_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: cb6195e9_i
c6e07cf3_o, IPCOMP CPIs: e0a9_i 71e5_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c47ffca9_i
cbed8f2e_o, IPCOMP CPIs: 6fd0_i 1fc1_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c64f97ef_i
c848ff51_o, IPCOMP CPIs: 088f_i 474d_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: cfc07514_i
cddf8c9b_o, IPCOMP CPIs: 151a_i 3337_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c2c00cee_i
c82e3f90_o, IPCOMP CPIs: 8b0a_i d772_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c85abeb0_i
cc4c2e4e_o, IPCOMP CPIs: b555_i 81aa_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c81f806b_i
c0306bc7_o, IPCOMP CPIs: 2e43_i cf80_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c6c84f47_i
cfeba8e0_o, IPCOMP CPIs: bc1d_i a254_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c69d17ba_i
c37897ce_o, IPCOMP CPIs: aba2_i 5f2a_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c5a00085_i
c4a57cc2_o, IPCOMP CPIs: 5a4e_i 7d3f_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c215cccf_i
c39189c7_o, IPCOMP CPIs: cbc0_i cca5_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: cdecc674_i
c69b25e0_o, IPCOMP CPIs: 02c8_i 2455_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c48e833c_i
c2a4dfbf_o, IPCOMP CPIs: 661f_i 538f_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: caa75e76_i
c12cc69a_o, IPCOMP CPIs: cd15_i 4b82_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c8bd236e_i
cc87ab7e_o, IPCOMP CPIs: 2cf0_i 5af3_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: ccbc7326_i
c4915ce9_o, IPCOMP CPIs: d521_i 73fd_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: cbcee921_i
c083c7fd_o, IPCOMP CPIs: 5c7c_i a4f8_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c68c95ca_i
c236acf7_o, IPCOMP CPIs: 84b9_i 25e4_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: cf360eb7_i
c1bc6bf3_o, IPCOMP CPIs: b00a_i 3ed0_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c36aa52d_i
cad1829c_o, IPCOMP CPIs: 3129_i 63dd_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: ccb7c2f3_i
ca3ed163_o, IPCOMP CPIs: 3567_i 7414_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: cdaaf579_i
cd8ebedd_o, IPCOMP CPIs: 6925_i dd15_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c0ce87f3_i
cfadc88c_o, IPCOMP CPIs: 594c_i bb95_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c95960b8_i
c8d25352_o, IPCOMP CPIs: 9194_i d5c4_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c63d63ae_i
cc0e5c58_o, IPCOMP CPIs: a8c4_i c161_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: cca8cebe_i
ca0569b3_o, IPCOMP CPIs: 566c_i a0c1_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c691060e_i
c5def222_o, IPCOMP CPIs: 62ca_i 5690_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c7c7e585_i
c0a0c775_o, IPCOMP CPIs: e8bd_i 293c_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c4d48fdc_i
ceb61cba_o, IPCOMP CPIs: 8991_i b6f9_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: ced828be_i
c7d56f5f_o, IPCOMP CPIs: bcb2_i b9eb_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: ca3f45da_i
c0c79522_o, IPCOMP CPIs: ba4c_i 99f7_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: ca7f6ab0_i
c7eba181_o, IPCOMP CPIs: a1d3_i cff5_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c378fcaf_i
c63f670a_o, IPCOMP CPIs: 6adb_i d3a9_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c9be3ecf_i
cba43697_o, IPCOMP CPIs: cc22_i 2354_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: ce07150f_i
c80a7d81_o, IPCOMP CPIs: bc4a_i 25a5_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c068b193_i
c8948fd2_o, IPCOMP CPIs: 0efd_i 6ae4_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c33c8f8d_i
c1c9412e_o, IPCOMP CPIs: ca72_i ac5a_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: cfcf3d65_i
c17baafc_o, IPCOMP CPIs: 8d43_i eaa9_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c57d3af6_i
c6313ffa_o, IPCOMP CPIs: 906b_i e004_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c2cbb45e_i
c3ca70b6_o, IPCOMP CPIs: 9b8e_i 0c91_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: cf03f565_i
c80652b4_o, IPCOMP CPIs: dd66_i 0a02_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c6d4c13b_i
ca4f439d_o, IPCOMP CPIs: 62cb_i bc11_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: ccc32791_i
cb867286_o, IPCOMP CPIs: 21e2_i dff6_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c6d30b14_i
ce8409d7_o, IPCOMP CPIs: 4cb1_i 0b8c_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: cf651289_i
c866cd6c_o, IPCOMP CPIs: 952e_i d373_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c45cf3d9_i
cef8adee_o, IPCOMP CPIs: c4fd_i 9b91_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c9460c4a_i
c01a0772_o, IPCOMP CPIs: 8156_i 3f64_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c0e540a0_i
c25c0c90_o, IPCOMP CPIs: b79a_i 4a20_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c8549e60_i
c2f4ed89_o, IPCOMP CPIs: e5ae_i b579_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: cbb0a8a5_i
c321c81b_o, IPCOMP CPIs: 2ffb_i 6f8c_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c9b341ff_i
c377120e_o, IPCOMP CPIs: e66e_i c7eb_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c9ab1fe9_i
cee4f47d_o, IPCOMP CPIs: b271_i b5d6_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c11494be_i
c5f39054_o, IPCOMP CPIs: 76ea_i 5013_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: cad43add_i
c18a8762_o, IPCOMP CPIs: a285_i b772_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: c1b36076_i
c5dc4f4a_o, IPCOMP CPIs: 0660_i 1804_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
Data{4}: INSTALLED, TUNNEL, ESP SPIs: cc8fa6de_i
cf68af3a_o, IPCOMP CPIs: 3232_i 5260_o
Data{4}: 192.168.0.0/21 === 10.100.0.0/23
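An added diagnostic, not from the post or from strongSwan itself: it parses the "Security Associations" section of ipsec status output (with the mail-wrapped lines rejoined) and flags any IKE_SA that carries more CHILD_SAs than one rekey cycle should leave behind. The sample text and the expected_max of 2 are assumptions; 2 reflects one newly negotiated CHILD_SA briefly overlapping the one it replaces with keylife=1h.

```python
import re

# Constructed sample, shaped like the ipsec status output quoted above
# (three CHILD_SAs under one IKE_SA; SPI/CPI values are made up).
SAMPLE_STATUS = """\
Routed Connections:
        Data{4}:  ROUTED, TUNNEL
        Data{4}:   192.168.0.0/21 === 10.100.0.0/23
Security Associations (1 up, 0 connecting):
        Data[286]: ESTABLISHED 33 minutes ago, ipa.ddr.ess.a[CN=hosta.mydom.dom]...ipa.ddr.ess.b[CN=mydom.dom]
        Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c8107662_i c89e3611_o, IPCOMP CPIs: 43cf_i 36be_o
        Data{4}:   192.168.0.0/21 === 10.100.0.0/23
        Data{4}:  INSTALLED, TUNNEL, ESP SPIs: cb693600_i c09bb1e2_o, IPCOMP CPIs: b74b_i 2a3a_o
        Data{4}:   192.168.0.0/21 === 10.100.0.0/23
        Data{4}:  INSTALLED, TUNNEL, ESP SPIs: cf34c325_i c8ae364f_o, IPCOMP CPIs: 04c8_i db51_o
        Data{4}:   192.168.0.0/21 === 10.100.0.0/23
"""

# IKE_SA line: "<conn>[<id>]: ESTABLISHED ..."; CHILD_SA line: "<conn>{<id>}: INSTALLED ... ESP SPIs: x_i y_o"
IKE_RE = re.compile(r"^\s*(?P<conn>[\w-]+)\[(?P<id>\d+)\]:\s+(?P<state>[A-Z]+)")
CHILD_RE = re.compile(r"^\s*(?P<conn>[\w-]+)\{(?P<id>\d+)\}:\s+INSTALLED.*?"
                      r"ESP SPIs:\s+(?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o")


def parse_status(text):
    """Map each IKE_SA ("Data[286]") to the list of CHILD_SAs installed under it."""
    sas, current, in_sa_section = {}, None, False
    for line in text.splitlines():
        if line.startswith("Security Associations"):
            in_sa_section = True      # skip the "Routed Connections" block entirely
            continue
        if not in_sa_section:
            continue
        m = IKE_RE.match(line)
        if m:
            current = f"{m['conn']}[{m['id']}]"
            sas[current] = []
            continue
        m = CHILD_RE.match(line)
        if m and current is not None:
            sas[current].append({"child": f"{m['conn']}{{{m['id']}}}",
                                 "spi_in": m["spi_in"], "spi_out": m["spi_out"]})
    return sas


def stale_child_sas(sas, expected_max=2):
    """Return {ike_sa: child_count} for IKE_SAs holding more CHILD_SAs than expected_max (assumed bound)."""
    return {ike: len(kids) for ike, kids in sas.items() if len(kids) > expected_max}


if __name__ == "__main__":
    print(stale_child_sas(parse_status(SAMPLE_STATUS)))  # feed real `ipsec status` text instead
```

On a live box, pipe `ipsec status` into parse_status and a non-empty result from stale_child_sas is the signal that old CHILD_SAs are not being deleted after rekeying.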