[strongSwan] 60+ SAs listed in ipsec status output?

Noel Kuntze noel at familie-kuntze.de
Fri Feb 27 20:54:14 CET 2015



Hello Tom,

What are the expiry times for those SAs?
And do you have a log of a rekey event?

Kind regards/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 25.02.2015 at 15:57, trymes at rymes.com wrote:
> I have a tunnel between two Strongswan boxes that is set to rekey IKE every 8 hours and rekey the SA every 1 hour. Here is the local ipsec.conf (the other side is the same, but has a dozen other tunnels, too):
>
> [root at hudson ~]# cat /etc/ipsec.conf
> version 2
>
> conn %default
>         keyingtries=%forever
>
> include /etc/ipsec.user.conf
>
> conn Data
>         left=ipa.ddr.ess.a
>         leftsubnet=192.168.0.0/21
>         leftfirewall=yes
>         lefthostaccess=yes
>         right=ipa.ddr.ess.b
>         rightsubnet=10.100.0.0/23
>         leftcert=/var/ipfire/certs/hostcert.pem
>         rightcert=/var/ipfire/certs/Datacert.pem
>         leftid="@hosta.mydom.dom"
>         rightid="@mydom.dom"
>         ike=aes256-sha2_256-ecp512bp,aes256-sha2_256-ecp384bp,aes256-sha2_256-ecp256bp,aes256-sha2_256-ecp224bp,aes192-sha2_256-ecp512bp,aes192-sha2_256-ecp384bp,aes192-sha2_256-ecp256bp,aes192-sha2_256-ecp224bp,aes128-sha2_256-ecp512bp,aes128-sha2_256-ecp384bp,aes128-sha2_256-ecp256bp,aes128-sha2_256-ecp224bp
>         esp=aes256-sha2_256,aes256-sha2_256,aes256-sha2_256,aes256-sha2_256,aes192-sha2_256,aes192-sha2_256,aes192-sha2_256,aes192-sha2_256,aes128-sha2_256,aes128-sha2_256,aes128-sha2_256,aes128-sha2_256
>         keyexchange=ikev2
>         ikelifetime=8h
>         keylife=1h
>         compress=yes
>         dpdaction=restart
>         dpddelay=120
>         dpdtimeout=30
>         authby=rsasig
>         leftrsasigkey=%cert
>         rightrsasigkey=%cert
>         auto=route
>
> For some reason, if I leave the machine to its own devices, the output of ipsec status ends up littered with old (?) SA entries that make no sense to me. Why would this be happening?
>
> Routed Connections:
>         Data{4}:  ROUTED, TUNNEL
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
> Security Associations (1 up, 0 connecting):
>         Data[286]: ESTABLISHED 33 minutes ago, ipa.ddr.ess.a[C=US, ST=NH, O=Mydom, OU=Engineering Dept, CN=hosta.mydom.dom]...ipa.ddr.ess.b[C=US, ST=NH, O=Mydom, OU=Engineering Dept, CN=mydom.dom]
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c8107662_i c89e3611_o, IPCOMP CPIs: 43cf_i 36be_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: cb693600_i c09bb1e2_o, IPCOMP CPIs: b74b_i 2a3a_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: cf34c325_i c8ae364f_o, IPCOMP CPIs: 04c8_i db51_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c6450374_i c89d0fd0_o, IPCOMP CPIs: b2d5_i 8f17_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: ccb82be4_i cb8c6de5_o, IPCOMP CPIs: cc2f_i 7485_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c046292d_i cb9c5941_o, IPCOMP CPIs: e1ef_i eb0b_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c46c40fa_i c8cb22a6_o, IPCOMP CPIs: 7468_i 1a4e_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c7471719_i ceb7ebfb_o, IPCOMP CPIs: abd5_i 15fd_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c79e5c03_i c47d2958_o, IPCOMP CPIs: 3646_i 32ee_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c34675de_i c8e2a79b_o, IPCOMP CPIs: 268c_i b0c6_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c000d12c_i cb8c4f5f_o, IPCOMP CPIs: 48e4_i 10ff_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: cdf3f6f1_i c268a557_o, IPCOMP CPIs: 2d38_i 2aa2_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c79415e3_i c145e90e_o, IPCOMP CPIs: e71d_i 689e_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: cb6195e9_i c6e07cf3_o, IPCOMP CPIs: e0a9_i 71e5_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c47ffca9_i cbed8f2e_o, IPCOMP CPIs: 6fd0_i 1fc1_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c64f97ef_i c848ff51_o, IPCOMP CPIs: 088f_i 474d_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: cfc07514_i cddf8c9b_o, IPCOMP CPIs: 151a_i 3337_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c2c00cee_i c82e3f90_o, IPCOMP CPIs: 8b0a_i d772_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c85abeb0_i cc4c2e4e_o, IPCOMP CPIs: b555_i 81aa_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c81f806b_i c0306bc7_o, IPCOMP CPIs: 2e43_i cf80_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c6c84f47_i cfeba8e0_o, IPCOMP CPIs: bc1d_i a254_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c69d17ba_i c37897ce_o, IPCOMP CPIs: aba2_i 5f2a_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c5a00085_i c4a57cc2_o, IPCOMP CPIs: 5a4e_i 7d3f_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c215cccf_i c39189c7_o, IPCOMP CPIs: cbc0_i cca5_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: cdecc674_i c69b25e0_o, IPCOMP CPIs: 02c8_i 2455_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c48e833c_i c2a4dfbf_o, IPCOMP CPIs: 661f_i 538f_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: caa75e76_i c12cc69a_o, IPCOMP CPIs: cd15_i 4b82_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c8bd236e_i cc87ab7e_o, IPCOMP CPIs: 2cf0_i 5af3_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: ccbc7326_i c4915ce9_o, IPCOMP CPIs: d521_i 73fd_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: cbcee921_i c083c7fd_o, IPCOMP CPIs: 5c7c_i a4f8_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c68c95ca_i c236acf7_o, IPCOMP CPIs: 84b9_i 25e4_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: cf360eb7_i c1bc6bf3_o, IPCOMP CPIs: b00a_i 3ed0_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c36aa52d_i cad1829c_o, IPCOMP CPIs: 3129_i 63dd_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: ccb7c2f3_i ca3ed163_o, IPCOMP CPIs: 3567_i 7414_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: cdaaf579_i cd8ebedd_o, IPCOMP CPIs: 6925_i dd15_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c0ce87f3_i cfadc88c_o, IPCOMP CPIs: 594c_i bb95_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c95960b8_i c8d25352_o, IPCOMP CPIs: 9194_i d5c4_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c63d63ae_i cc0e5c58_o, IPCOMP CPIs: a8c4_i c161_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: cca8cebe_i ca0569b3_o, IPCOMP CPIs: 566c_i a0c1_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c691060e_i c5def222_o, IPCOMP CPIs: 62ca_i 5690_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c7c7e585_i c0a0c775_o, IPCOMP CPIs: e8bd_i 293c_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c4d48fdc_i ceb61cba_o, IPCOMP CPIs: 8991_i b6f9_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: ced828be_i c7d56f5f_o, IPCOMP CPIs: bcb2_i b9eb_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: ca3f45da_i c0c79522_o, IPCOMP CPIs: ba4c_i 99f7_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: ca7f6ab0_i c7eba181_o, IPCOMP CPIs: a1d3_i cff5_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c378fcaf_i c63f670a_o, IPCOMP CPIs: 6adb_i d3a9_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c9be3ecf_i cba43697_o, IPCOMP CPIs: cc22_i 2354_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: ce07150f_i c80a7d81_o, IPCOMP CPIs: bc4a_i 25a5_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c068b193_i c8948fd2_o, IPCOMP CPIs: 0efd_i 6ae4_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c33c8f8d_i c1c9412e_o, IPCOMP CPIs: ca72_i ac5a_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: cfcf3d65_i c17baafc_o, IPCOMP CPIs: 8d43_i eaa9_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c57d3af6_i c6313ffa_o, IPCOMP CPIs: 906b_i e004_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c2cbb45e_i c3ca70b6_o, IPCOMP CPIs: 9b8e_i 0c91_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: cf03f565_i c80652b4_o, IPCOMP CPIs: dd66_i 0a02_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c6d4c13b_i ca4f439d_o, IPCOMP CPIs: 62cb_i bc11_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: ccc32791_i cb867286_o, IPCOMP CPIs: 21e2_i dff6_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c6d30b14_i ce8409d7_o, IPCOMP CPIs: 4cb1_i 0b8c_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: cf651289_i c866cd6c_o, IPCOMP CPIs: 952e_i d373_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c45cf3d9_i cef8adee_o, IPCOMP CPIs: c4fd_i 9b91_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c9460c4a_i c01a0772_o, IPCOMP CPIs: 8156_i 3f64_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c0e540a0_i c25c0c90_o, IPCOMP CPIs: b79a_i 4a20_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c8549e60_i c2f4ed89_o, IPCOMP CPIs: e5ae_i b579_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: cbb0a8a5_i c321c81b_o, IPCOMP CPIs: 2ffb_i 6f8c_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c9b341ff_i c377120e_o, IPCOMP CPIs: e66e_i c7eb_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c9ab1fe9_i cee4f47d_o, IPCOMP CPIs: b271_i b5d6_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c11494be_i c5f39054_o, IPCOMP CPIs: 76ea_i 5013_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: cad43add_i c18a8762_o, IPCOMP CPIs: a285_i b772_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c1b36076_i c5dc4f4a_o, IPCOMP CPIs: 0660_i 1804_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23
>         Data{4}:  INSTALLED, TUNNEL, ESP SPIs: cc8fa6de_i cf68af3a_o, IPCOMP CPIs: 3232_i 5260_o
>         Data{4}:   192.168.0.0/21 === 10.100.0.0/23

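A check for the symptom in Tom's status output, written as an added example that is not part of this thread and not strongSwan's own code: it parses the `Security Associations` section of `ipsec status`, counts established IKE_SAs and installed CHILD_SAs per connection, and flags a connection whose installed CHILD_SA count is larger than a rekey overlap explains. The threshold of two CHILD_SAs per IKE_SA (old plus new during rekeying), the function names and the sample text are assumptions; the sample is constructed in the format of the post, with a few of its SPIs.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `ipsec status` (three of the post's SPI pairs).
SAMPLE_STATUS = """\
Routed Connections:
        Data{4}:  ROUTED, TUNNEL
        Data{4}:   192.168.0.0/21 === 10.100.0.0/23
Security Associations (1 up, 0 connecting):
        Data[286]: ESTABLISHED 33 minutes ago, 203.0.113.1[CN=hosta]...203.0.113.2[CN=b]
        Data{4}:  INSTALLED, TUNNEL, ESP SPIs: c8107662_i c89e3611_o, IPCOMP CPIs: 43cf_i 36be_o
        Data{4}:   192.168.0.0/21 === 10.100.0.0/23
        Data{4}:  INSTALLED, TUNNEL, ESP SPIs: cb693600_i c09bb1e2_o, IPCOMP CPIs: b74b_i 2a3a_o
        Data{4}:   192.168.0.0/21 === 10.100.0.0/23
        Data{4}:  INSTALLED, TUNNEL, ESP SPIs: cf34c325_i c8ae364f_o, IPCOMP CPIs: 04c8_i db51_o
        Data{4}:   192.168.0.0/21 === 10.100.0.0/23
"""

# "Data[286]: ESTABLISHED ..." is an IKE_SA; "Data{4}:  INSTALLED, ... ESP SPIs: x_i y_o" a CHILD_SA.
IKE_RE = re.compile(r"^\s*(\S+?)\[(\d+)\]:\s+ESTABLISHED")
CHILD_RE = re.compile(
    r"^\s*(\S+?)\{(\d+)\}:\s+INSTALLED,.*?ESP SPIs:\s+([0-9a-f]+)_i\s+([0-9a-f]+)_o")

def parse_status(text):
    """Return {conn: {"ike": [ike_sa_ids], "child": [(spi_in, spi_out), ...]}}."""
    sas = defaultdict(lambda: {"ike": [], "child": []})
    in_sa_section = False
    for line in text.splitlines():
        if line.startswith("Security Associations"):
            in_sa_section = True          # skip the "Routed Connections" block above it
            continue
        if not in_sa_section:
            continue
        m = IKE_RE.match(line)
        if m:
            sas[m.group(1)]["ike"].append(int(m.group(2)))
            continue
        m = CHILD_RE.match(line)
        if m:
            sas[m.group(1)]["child"].append((m.group(3), m.group(4)))
    return dict(sas)

def stale_child_sas(text, max_per_ike=2):
    """Flag connections with more installed CHILD_SAs than rekeying explains.
    max_per_ike=2 is an assumption: one old and one new CHILD_SA may coexist
    briefly during a rekey; more than that means old SAs are not being deleted."""
    report = {}
    for conn, entry in parse_status(text).items():
        ike_count = max(len(entry["ike"]), 1)
        child_count = len(entry["child"])
        report[conn] = {"ike_sas": len(entry["ike"]), "child_sas": child_count,
                        "suspicious": child_count > max_per_ike * ike_count}
    return report
```

Feed it the real output with `stale_child_sas(subprocess.check_output(["ipsec", "status"], text=True))` from a cron job or monitoring check to catch the leak before the list reaches 60 entries.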


