[strongSwan] Duplicate checking: duplicheck and uniqueids not working
Tom Matthews
tom at axiom-partners.com
Sun Jul 26 11:24:35 CEST 2015
Change dpdaction to clear?
> On 26 Jul 2015, at 09:34, Tiago Vasconcelos <tiago.o.vasconcelos at gmail.com> wrote:
>
> I'm getting duplicate SAs:
>
> Routed Connections:
> nyc{1}: ROUTED, TUNNEL, reqid 1
> nyc{1}: 10.71.4.0/24 === 172.30.98.0/25
> Security Associations (1 up, 0 connecting):
> nyc[23]: ESTABLISHED 25 minutes ago,
> 47.11.120.10[par.xyz.com]...32.254.201.10[nyc.xyz.com]
> nyc{203}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: caa1aee8_i cbea4bcf_o
> nyc{203}: 10.71.4.0/24 === 172.30.98.0/25
> nyc{204}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ceabd81b_i c4139b82_o
> nyc{204}: 10.71.4.0/24 === 172.30.98.0/25
> nyc{205}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cffa7d5a_i c39ea537_o
> nyc{205}: 10.71.4.0/24 === 172.30.98.0/25
> nyc{206}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c6595d8f_i ca9cee83_o
> nyc{206}: 10.71.4.0/24 === 172.30.98.0/25
> nyc{207}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca494b8e_i c9009c65_o
> nyc{207}: 10.71.4.0/24 === 172.30.98.0/25
>
>
> Even though I have set in ipsec.conf:
>
> uniqueids=yes
>
>
> and I have a .conf file inside strongswan.d directory containing the following:
>
> charon {
>     plugins {
>         duplicheck {
>             enable = yes
>         }
>     }
> }
>
>
> and in strongswan.conf I have:
>
> include strongswan.d/*.conf
>
>
> Why am I still getting duplicates?
>
>
> For reference, here's my ipsec.conf:
>
>
> config setup
>     uniqueids=yes
>
> conn %default
>     left=47.11.120.10
>     leftsubnet=10.71.4.0/24
>     leftid=@par.xyz.com
>     leftcert=parcert.pem
>     mobike=no
>     leftfirewall=yes
>     lefthostaccess=yes
>     ikelifetime=4h
>     lifetime=3h
>     dpdaction=restart
>     dpddelay=10s
>
> conn d01
>     right=32.254.201.10
>     rightid=@nyc.xyz.com
>     rightsubnet=172.30.98.0/25,%dynamic
>     auto=route
>
>
> Tiago
>
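A check for the symptom shown in the quoted status output, added here as an example and not part of the original thread: it groups INSTALLED CHILD_SAs by connection name and traffic selectors and reports every group with more than one entry, ignoring ROUTED trap policies. The sample text is constructed from the output quoted above, the function name `duplicate_child_sas` is hypothetical, and the parser assumes the line layout shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the status output quoted in the post.
SAMPLE = """\
Routed Connections:
nyc{1}: ROUTED, TUNNEL, reqid 1
nyc{1}: 10.71.4.0/24 === 172.30.98.0/25
Security Associations (1 up, 0 connecting):
nyc[23]: ESTABLISHED 25 minutes ago, 47.11.120.10[par.xyz.com]...32.254.201.10[nyc.xyz.com]
nyc{203}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: caa1aee8_i cbea4bcf_o
nyc{203}: 10.71.4.0/24 === 172.30.98.0/25
nyc{204}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ceabd81b_i c4139b82_o
nyc{204}: 10.71.4.0/24 === 172.30.98.0/25
nyc{205}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cffa7d5a_i c39ea537_o
nyc{205}: 10.71.4.0/24 === 172.30.98.0/25
"""

# CHILD_SA lines look like "name{id}: ..."; IKE_SA lines use "name[id]:" and are skipped.
CHILD_LINE = re.compile(r"^\s*([^\s{]+)\{(\d+)\}:\s+(.*)$")


def duplicate_child_sas(status_text):
    """Return {(conn, selectors): [ids]} for INSTALLED CHILD_SAs sharing selectors."""
    state = {}                  # (conn, id) -> state word from the first line seen
    groups = defaultdict(list)  # (conn, selectors) -> list of CHILD_SA ids
    for line in status_text.splitlines():
        m = CHILD_LINE.match(line)
        if not m:
            continue
        conn, sa_id, rest = m.group(1), int(m.group(2)), m.group(3).strip()
        if " === " in rest:
            # Traffic selector line: count it only for installed SAs.
            if state.get((conn, sa_id)) == "INSTALLED":
                groups[(conn, rest)].append(sa_id)
        else:
            # Keep the first state word; later detail lines must not overwrite it.
            state.setdefault((conn, sa_id), rest.split(",", 1)[0].strip())
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


if __name__ == "__main__":
    for (conn, selectors), ids in duplicate_child_sas(SAMPLE).items():
        print(f"{conn}: {len(ids)} CHILD_SAs for {selectors}: {ids}")
```
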