[strongSwan] OSPF == tons of security associations

Hose hose+strongswan at bluemaggottowel.com
Fri Dec 9 19:52:27 CET 2016


I'm currently running a fairly large network of hosts connected to each
other in transport mode running strongswan 5.2.1 on Debian stable. A
number of GRE tunnels run between all the hosts, with OSPF on top of the
GRE tunnels to handle all the routing. It all works fine except for one
thing: instead of the OSPF packets re-utilizing existing security
associations, oftentimes it instead triggers a new SA to be created.
Does anyone know why this is happening? By excessive, I mean roughly 10
active SAs after a day or two, and they keep re-keying themselves.
Additional SAs will slowly be added until I have little choice except to
restart strongswan to clear them all out.

If I set up a session without OSPF the excessive SAs do not appear. Each
of these excessive SAs has barely any traffic on it, such as below:

       plato{1}:  AES_GCM_8_128, 3457 bytes_i (30 pkts, 7s ago), 752 bytes_o (11 pkts, 407s ago), rekeying in 30 minutes

       plato{1}:  AES_GCM_8_128, 7868 bytes_i (87 pkts, 7s ago), 5404 bytes_o (74 pkts, 407s ago), rekeying in 30 minutes

       plato{1}:  AES_GCM_8_128, 5789 bytes_i (69 pkts, 7s ago), 3976 bytes_o (58 pkts, 407s ago), rekeying in 35 minutes

The odd thing is that some of the hosts have a handful of SAs, while one
of them has over 30 in four days. It's not affecting connectivity, it's
just... odd. There are no weird logs other than the usual SA
creation/deletion messages.


This is utilizing IKEv2.
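To keep an eye on the kind of CHILD_SA proliferation described above without reading `ipsec statusall` by hand, the following script (an added example, not part of the original post and not strongSwan's own tooling) parses the per-CHILD_SA traffic lines in the format the post shows, counts CHILD_SAs per connection, flags connections that exceed a threshold, and lists SAs that have not sent traffic recently. The sample status text is constructed for this example (connection names, unique IDs, SPIs and addresses are made up), and the threshold of two CHILD_SAs per connection (one active plus one mid-rekey) is an assumption to tune for your own setup.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches the per-CHILD_SA traffic line printed by "ipsec statusall", e.g.
#   plato{1}:  AES_GCM_8_128, 3457 bytes_i (30 pkts, 7s ago), 752 bytes_o (11 pkts, 407s ago), rekeying in 30 minutes
# The "(N pkts, Ts ago)" part is absent when an SA has carried no traffic yet.
CHILD_SA_RE = re.compile(
    r"^\s*(?P<conn>[\w.-]+)\{(?P<uid>\d+)\}:\s+"
    r"(?P<alg>[A-Z0-9_/-]+),\s+"
    r"(?P<bytes_in>\d+) bytes_i(?: \((?P<pkts_in>\d+) pkts, (?P<ago_in>\d+)s ago\))?,\s+"
    r"(?P<bytes_out>\d+) bytes_o(?: \((?P<pkts_out>\d+) pkts, (?P<ago_out>\d+)s ago\))?"
    r"(?:,\s+(?P<lifetime>.*))?$"
)

# Constructed sample output in the shape of "ipsec statusall"; not real hosts.
SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
       plato[7]: ESTABLISHED 2 days ago, 192.0.2.1[192.0.2.1]...192.0.2.2[192.0.2.2]
       plato{1}:  INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: cafe0001_i cafe0002_o
       plato{1}:  AES_GCM_8_128, 3457 bytes_i (30 pkts, 7s ago), 752 bytes_o (11 pkts, 407s ago), rekeying in 30 minutes
       plato{1}:   192.0.2.1/32 === 192.0.2.2/32
       plato{5}:  AES_GCM_8_128, 7868 bytes_i (87 pkts, 7s ago), 5404 bytes_o (74 pkts, 407s ago), rekeying in 30 minutes
       plato{9}:  AES_GCM_8_128, 5789 bytes_i (69 pkts, 7s ago), 3976 bytes_o (58 pkts, 407s ago), rekeying in 35 minutes
    socrates[8]: ESTABLISHED 1 day ago, 192.0.2.1[192.0.2.1]...192.0.2.3[192.0.2.3]
    socrates{2}:  AES_GCM_8_128, 0 bytes_i, 0 bytes_o, rekeying in 12 minutes
"""


@dataclass
class ChildSa:
    conn: str
    uid: int
    alg: str
    bytes_in: int
    pkts_in: Optional[int]
    ago_in: Optional[int]      # seconds since last inbound packet, None if never
    bytes_out: int
    pkts_out: Optional[int]
    ago_out: Optional[int]     # seconds since last outbound packet, None if never
    lifetime: str              # e.g. "rekeying in 30 minutes"


def parse_child_sa_line(line: str) -> Optional[ChildSa]:
    """Parse one traffic line; return None for lines of any other kind."""
    m = CHILD_SA_RE.match(line)
    if not m:
        return None
    g = m.groupdict()

    def opt(key: str) -> Optional[int]:
        return int(g[key]) if g[key] is not None else None

    return ChildSa(
        conn=g["conn"], uid=int(g["uid"]), alg=g["alg"],
        bytes_in=int(g["bytes_in"]), pkts_in=opt("pkts_in"), ago_in=opt("ago_in"),
        bytes_out=int(g["bytes_out"]), pkts_out=opt("pkts_out"), ago_out=opt("ago_out"),
        lifetime=g["lifetime"] or "",
    )


def parse_status(text: str) -> List[ChildSa]:
    """Extract every CHILD_SA traffic line from a full status dump."""
    return [sa for sa in map(parse_child_sa_line, text.splitlines()) if sa]


def count_child_sas(sas: List[ChildSa]) -> Dict[str, int]:
    """Number of CHILD_SAs currently installed per connection name."""
    return dict(Counter(sa.conn for sa in sas))


def flag_excess(sas: List[ChildSa], max_per_conn: int = 2) -> Dict[str, int]:
    """Connections with more CHILD_SAs than expected (assumed: 1 active + 1 rekeying)."""
    return {c: n for c, n in count_child_sas(sas).items() if n > max_per_conn}


def idle_child_sas(sas: List[ChildSa], idle_after: int = 300) -> List[ChildSa]:
    """SAs that sent nothing in the last idle_after seconds (or ever)."""
    return [sa for sa in sas if sa.ago_out is None or sa.ago_out > idle_after]


if __name__ == "__main__":
    # Run against the constructed sample; on a real host, feed it the output
    # of "ipsec statusall" instead.
    sas = parse_status(SAMPLE_STATUS)
    print("CHILD_SAs per connection:", count_child_sas(sas))
    print("over threshold:", flag_excess(sas))
    for sa in idle_child_sas(sas):
        print(f"idle: {sa.conn}{{{sa.uid}}} last out {sa.ago_out}s ago, {sa.lifetime}")
```

Run periodically (for example from cron) and alert on a non-empty `flag_excess` result to catch SA growth before it reaches the 30-per-host level described above.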

