[strongSwan] duplicate SA

Will O'Neill will at intellidesign.com.au
Thu Apr 14 08:55:05 CEST 2016


Hello,

I am trying to connect a device running strongSwan 5.3.2 to a Cisco 
router.  It seems to establish the connection okay, but the router 
rejects the connection after 30s with a duplicate SA bundle error:

Mar 31 15:16:13.229: IPSEC(update_current_outbound_sa): get enable SA peer a.b.c.d current outbound sa to SPI CD941510
Mar 31 15:16:13.229: IPSEC(update_current_outbound_sa): updated peer a.b.c.d current outbound sa to SPI CD941510
Mar 31 15:16:13.229: IPSEC(early_age_out_sibling): sibling outbound SPI C87A68EE expiring in 30 seconds due to it's a duplicate SA bundle.

It will do this continuously, creating connections which are dropped 
after 30 seconds.  This is the status from the device attempting to 
connect to the router (the SPI values are from a different session):

root@openwrt:/# ipsec status
Security Associations (1 up, 0 connecting):
tunnel1-test[1]: ESTABLISHED 5 seconds ago, a.b.c.d[a.b.c.d]...w.x.y.z[w.x.y.z]
tunnel1-test{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c964a872_i 122fdfe2_o
tunnel1-test{1}:   aa.bb.cc.dd/28 === ww.xx.yy.zz/24

This is my ipsec.conf:

conn tunnel1-test
   keyexchange=ikev1
   left=a.b.c.d
   right=w.x.y.z
   leftsubnet=aa.bb.cc.dd/28
   leftauth=psk
   rightauth=psk
   rightsubnet=ww.xx.yy.zz/24
   auto=start
   esp=aes256-sha1-modp1536
   ike=aes256-sha1-modp1536
   type=tunnel

Does anyone know what might cause this issue?

Will.
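Added example (not part of the post above): a small Python parser for the two outputs quoted in it. It pairs each Cisco "duplicate SA bundle" age-out with the outbound SPI that displaced it, measures the cadence of those age-outs, and pulls the ESP SPIs out of strongSwan's ipsec status output so the two sides can be compared. The log lines beyond the three quoted in the post are constructed, as is the unwrapped status text.

```python
import re
from datetime import datetime
# Constructed samples: the first three Cisco lines are the ones quoted in the post, the
# last two are assumed to show the next 30-second cycle; the status text is unwrapped.
CISCO_LOG = """\
Mar 31 15:16:13.229: IPSEC(update_current_outbound_sa): get enable SA peer a.b.c.d current outbound sa to SPI CD941510
Mar 31 15:16:13.229: IPSEC(update_current_outbound_sa): updated peer a.b.c.d current outbound sa to SPI CD941510
Mar 31 15:16:13.229: IPSEC(early_age_out_sibling): sibling outbound SPI C87A68EE expiring in 30 seconds due to it's a duplicate SA bundle.
Mar 31 15:16:43.301: IPSEC(update_current_outbound_sa): updated peer a.b.c.d current outbound sa to SPI 0A1B2C3D
Mar 31 15:16:43.301: IPSEC(early_age_out_sibling): sibling outbound SPI CD941510 expiring in 30 seconds due to it's a duplicate SA bundle.
"""
STRONGSWAN_STATUS = """\
tunnel1-test[1]: ESTABLISHED 5 seconds ago, a.b.c.d[a.b.c.d]...w.x.y.z[w.x.y.z]
tunnel1-test{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c964a872_i 122fdfe2_o
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): IPSEC\(\w+\): (?P<msg>.*)$")
UPDATED_RE = re.compile(r"updated peer (?P<peer>\S+) current outbound sa to SPI (?P<spi>[0-9A-Fa-f]+)")
AGEOUT_RE = re.compile(r"sibling outbound SPI (?P<spi>[0-9A-Fa-f]+) expiring in \d+ seconds due to it's a duplicate SA bundle")
SPI_RE = re.compile(r"^(?P<conn>[^{]+)\{\d+\}:.*ESP SPIs: (?P<i>[0-9a-f]+)_i (?P<o>[0-9a-f]+)_o")

def parse_cisco_log(text):
    """Return (timestamp, kind, peer, spi) for outbound-SA updates and duplicate-bundle age-outs."""
    events = []
    for line in text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")  # IOS omits the year; deltas still work
        if (u := UPDATED_RE.search(m["msg"])):
            events.append((ts, "updated", u["peer"], u["spi"]))
        elif (a := AGEOUT_RE.search(m["msg"])):
            events.append((ts, "ageout", None, a["spi"]))
    return events

def duplicate_sa_cycles(events):
    """Pair each age-out with the SA that displaced it, as (old_spi, new_spi, peer)."""
    cycles, last = [], None
    for _, kind, peer, spi in events:
        if kind == "updated":
            last = (peer, spi)
        elif kind == "ageout" and last:
            cycles.append((spi, last[1], last[0]))
    return cycles

def ageout_intervals(events):
    """Seconds between successive age-outs; a steady cadence shows the SA pair being rebuilt each cycle."""
    ts = [e[0] for e in events if e[1] == "ageout"]
    return [round((b - a).total_seconds(), 3) for a, b in zip(ts, ts[1:])]

def parse_strongswan_spis(status):
    """Map each CHILD_SA in 'ipsec status' output to its (inbound, outbound) ESP SPIs."""
    return {m["conn"]: (m["i"], m["o"]) for m in map(SPI_RE.match, status.splitlines()) if m}
```

The outbound SPI reported by strongSwan (the `_o` value) should match the SPI the router logs as its current inbound SA; comparing the two lists across a few cycles shows whether the router is seeing two bundles for the same traffic selector.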
