[strongSwan] duplicate SA
Will O'Neill
will at intellidesign.com.au
Thu Apr 14 08:55:05 CEST 2016
Hello,
I am trying to connect a device running strongSwan 5.3.2 to a Cisco
router. It seems to establish the connection okay, but the router
rejects the connection after 30s with a duplicate SA bundle error:

    Mar 31 15:16:13.229: IPSEC(update_current_outbound_sa): get enable SA peer a.b.c.d current outbound sa to SPI CD941510
    Mar 31 15:16:13.229: IPSEC(update_current_outbound_sa): updated peer a.b.c.d current outbound sa to SPI CD941510
    Mar 31 15:16:13.229: IPSEC(early_age_out_sibling): sibling outbound SPI C87A68EE expiring in 30 seconds due to it's a duplicate SA bundle.

It will do this continuously, creating connections which are dropped
after 30 seconds. This is the status from the device attempting to
connect to the router (the SPI values are from a different session):

    root@openwrt:/# ipsec status
    Security Associations (1 up, 0 connecting):
    tunnel1-test[1]: ESTABLISHED 5 seconds ago, a.b.c.d[a.b.c.d]...w.x.y.z[w.x.y.z]
    tunnel1-test{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c964a872_i 122fdfe2_o
    tunnel1-test{1}: aa.bb.cc.dd/28 === ww.xx.yy.zz/24

This is my ipsec.conf:

    conn tunnel1-test
        keyexchange=ikev1
        left=a.b.c.d
        right=w.x.y.z
        leftsubnet=aa.bb.cc.dd/28
        leftauth=psk
        rightauth=psk
        rightsubnet=ww.xx.yy.zz/24
        auto=start
        esp=aes256-sha1-modp1536
        ike=aes256-sha1-modp1536
        type=tunnel

Does anyone know what might cause this issue?
Will.