[strongSwan] Two IKE_SAs getting established for a same connection before lifetime expiry.

Kumar S, Harsha (Nokia - IN/Bangalore) harsha.kumar_s at nokia.com
Tue Oct 6 13:15:45 CEST 2015


Hi,

I am facing a weird behaviour in strongSwan version 4.3.6, where there are multiple (2) IKE_SAs getting created for the same tunnel as soon as I start bi-directional traffic.

peer1--------------------peer2
IKE version: 2
IKE Lifetime: 24Hrs
Lifetime: 12Hrs
DPD action: restart

From the logs I could see that peer1 is initiating an IKE_SA, parameters are negotiated and one set of IKE_SA and IPSEC_SAs is formed. Within a short duration peer2 requests a connection (not sure why this is happening) and another set of IKE_SA and IPSEC_SAs is established.

After this DPD is active and it fails to get a DPD response; after 5 retransmits it restarts the SAs and now another set of IKE and IPSEC_SAs gets established, and this continues until a large number of IPsec SAs has built up after some time.

Can anyone explain what is happening here?
How can a new IKE SA be established successfully for the same connection before the existing one expires?

Also, given that this is possible, shouldn't the peer respond to DPD requests on both IKE_SAs (or all IKE SPIs on that connection)?

Thanks,
Harsha
