[strongSwan] Multiple SAs immediately after connection
Tom Rymes
trymes at rymes.com
Fri Sep 30 05:16:28 CEST 2016
I have occasionally seen this over the years, and I am not certain if it’s anything I should be concerned about. If I start a tunnel named mytunnel, this is what it looks like on the CLI:
[root at mainoffice ~]# ipsec up mytunnel
received packet: from XXX.XXX.XXX.XXX[4500] to YYY.YYY.YYY.YYY[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(1/4) ]
received fragment #1 of 4, waiting for complete IKE message
received packet: from XXX.XXX.XXX.XXX[4500] to YYY.YYY.YYY.YYY[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(2/4) ]
received fragment #2 of 4, waiting for complete IKE message
received packet: from XXX.XXX.XXX.XXX[4500] to YYY.YYY.YYY.YYY[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(3/4) ]
received fragment #3 of 4, waiting for complete IKE message
received packet: from XXX.XXX.XXX.XXX[4500] to YYY.YYY.YYY.YYY[4500] (212 bytes)
parsed IKE_AUTH response 1 [ EF(4/4) ]
received fragment #4 of 4, reassembling fragmented IKE message
parsed IKE_AUTH response 1 [ IDr CERT AUTH N(IPCOMP_SUP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
received end entity cert "C=US, ST=NH, O=MyCompany, OU=Engineering Dept, CN=remoteoffice.mycompany.com"
using trusted ca certificate "C=US, ST=NH, L=mytunnel, O=MyCompany, OU=Engineering Dept, CN=MyCompany CA, E=tomr at mycompany.com"
checking certificate status of "C=US, ST=NH, O=MyCompany, OU=Engineering Dept, CN=remoteoffice.mycompany.com"
certificate status is not available
reached self-signed root ca with a path length of 0
using trusted certificate "C=US, ST=NH, O=MyCompany, OU=Engineering Dept, CN=remoteoffice.mycompany.com"
authentication of 'C=US, ST=NH, O=MyCompany, OU=Engineering Dept, CN=remoteoffice.mycompany.com' with RSA_EMSA_PKCS1_SHA256 successful
IKE_SA mytunnel[248] established between YYY.YYY.YYY.YYY[C=US, ST=NH, O=MyCompany, OU=Engineering Dept., CN=mainoffice.mycompany.com]...XXX.XXX.XXX.XXX[C=US, ST=NH, O=MyCompany, OU=Engineering Dept, CN=remoteoffice.mycompany.com]
scheduling reauthentication in 27760s
maximum IKE_SA lifetime 28300s
CHILD_SA mytunnel{6530} established with SPIs c810ef9a_i cbe44831_o and TS 10.100.0.0/23 === 10.8.0.0/23
connection 'mytunnel' established successfully
Then, if I look at the status output for that tunnel, I see two “INSTALLED” entries, even though the tunnel has only been established for 5 seconds. My understanding was that I should only have a new entry show up as “INSTALLED” every time the phase 2 settings are re-keyed, which is every one hour.
[root at mainoffice ~]# ipsec status mytunnel
Routed Connections:
mytunnel{6454}: ROUTED, TUNNEL, reqid 181
mytunnel{6454}: 10.100.0.0/23 === 10.8.0.0/23
Security Associations (25 up, 0 connecting):
mytunnel[248]: ESTABLISHED 5 seconds ago, YYY.YYY.YYY.YYY[C=US, ST=NH, O=MyCompany, OU=Engineering Dept., CN=mainoffice.mycompany.com]...XXX.XXX.XXX.XXX[C=US, ST=NH, O=MyCompany, OU=Engineering Dept, CN=remoteoffice.mycompany.com]
mytunnel{6530}: INSTALLED, TUNNEL, reqid 181, ESP SPIs: c810ef9a_i cbe44831_o, IPCOMP CPIs: 0ff7_i 4f82_o
mytunnel{6530}: 10.100.0.0/23 === 10.8.0.0/23
mytunnel{6531}: INSTALLED, TUNNEL, reqid 181, ESP SPIs: c9c5f628_i c768a908_o, IPCOMP CPIs: d873_i 177f_o
mytunnel{6531}: 10.100.0.0/23 === 10.8.0.0/23
This is the entry for this tunnel in ipsec.conf:
conn mytunnel
        left=YYY.YYY.YYY.YYY
        leftsubnet=10.100.0.0/23
        leftfirewall=yes
        lefthostaccess=yes
        right=XXX.XXX.XXX.XXX
        rightsubnet=10.8.0.0/23
        leftcert=/var/ipfire/certs/hostcert.pem
        rightcert=/var/ipfire/certs/remoteofficecert.pem
        leftid="@mainoffice.mycompany.com"
        rightid="@remoteoffice.mycompany.com"
        ike=aes256-sha2_512-ecp512bp!
        esp=aes256-sha2_512-ecp512bp!
        keyexchange=ikev2
        ikelifetime=8h
        keylife=1h
        compress=yes
        dpdaction=clear
        dpddelay=30
        dpdtimeout=120
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        auto=route
        fragmentation=yes
I don’t know if this is something I should be concerned about, or if it’s nothing to worry about, but I wanted to reach out and ask.
Tom
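As an added illustration (not part of the original post or of strongSwan itself), the script below parses `ipsec status` output of the shape shown above and flags connections that carry more than one INSTALLED CHILD_SA under the same reqid and traffic selectors, which is exactly the condition in the post. The sample status text is constructed to mirror the post's output (the two-space alignment after the colon is how charon prints it); the parsing is my own and assumes the line layout of the status output shown, not any strongSwan API. Two CHILD_SAs under one IKE_SA are both authenticated, so a duplicate is an operational rather than an authentication concern; it typically arises when both ends initiate at nearly the same time (with auto=route on both peers, each side's trap policy can fire independently), and the useful follow-up is to correlate the status output with the peer's status and the charon log to see who initiated the second SA and whether it later rekeys or is deleted.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Matches the first line of a CHILD_SA entry, e.g.
#   mytunnel{6530}:  INSTALLED, TUNNEL, reqid 181, ESP SPIs: c810ef9a_i cbe44831_o, ...
# The "ESP SPIs" group is optional so ROUTED entries (which have no SPIs) parse too.
CHILD_RE = re.compile(
    r"^\s*(?P<conn>[\w.-]+)\{(?P<id>\d+)\}:\s+(?P<state>[A-Z]+),\s*(?P<mode>\w+),\s*reqid\s+(?P<reqid>\d+)"
    r"(?:,\s*ESP SPIs:\s*(?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o)?"
)
# Matches the traffic-selector line that follows it, e.g.
#   mytunnel{6530}:   10.100.0.0/23 === 10.8.0.0/23
TS_RE = re.compile(r"^\s*(?P<conn>[\w.-]+)\{(?P<id>\d+)\}:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)")


@dataclass
class ChildSA:
    conn: str
    sa_id: int
    state: str
    reqid: int
    spi_in: str = ""
    spi_out: str = ""
    ts: str = ""  # filled in from the traffic-selector line


def parse_status(text: str) -> List[ChildSA]:
    """Parse 'ipsec status' output into a list of CHILD_SA records (ROUTED and INSTALLED)."""
    sas: List[ChildSA] = []
    by_key: Dict[Tuple[str, int], ChildSA] = {}
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if m:
            sa = ChildSA(m["conn"], int(m["id"]), m["state"], int(m["reqid"]),
                         m["spi_in"] or "", m["spi_out"] or "")
            sas.append(sa)
            by_key[(sa.conn, sa.sa_id)] = sa
            continue
        m = TS_RE.match(line)
        if m:
            key = (m["conn"], int(m["id"]))
            if key in by_key:  # attach the selectors to the entry parsed just before
                by_key[key].ts = f"{m['local']} === {m['remote']}"
    return sas


def find_duplicate_child_sas(sas: List[ChildSA]) -> Dict[Tuple[str, int, str], List[ChildSA]]:
    """Group INSTALLED CHILD_SAs by (connection, reqid, selectors); any group of size > 1 is a duplicate.

    A single entry per group is the normal steady state; two entries briefly overlap during a
    rekey, so a duplicate seen seconds after 'ipsec up' (long before keylife expires) is the
    situation worth investigating.
    """
    groups: Dict[Tuple[str, int, str], List[ChildSA]] = defaultdict(list)
    for sa in sas:
        if sa.state == "INSTALLED":
            groups[(sa.conn, sa.reqid, sa.ts)].append(sa)
    return {k: v for k, v in groups.items() if len(v) > 1}


def report(sas: List[ChildSA]) -> List[str]:
    """Human-readable lines for each duplicate group, listing the SA ids and SPIs involved."""
    lines = []
    for (conn, reqid, ts), group in find_duplicate_child_sas(sas).items():
        ids = ", ".join(f"{{{sa.sa_id}}} ESP {sa.spi_in}_i/{sa.spi_out}_o" for sa in group)
        lines.append(f"{conn}: {len(group)} INSTALLED CHILD_SAs for reqid {reqid} ({ts}): {ids}")
    return lines


# Constructed sample that mirrors the status output in the post.
SAMPLE_STATUS = """\
Routed Connections:
    mytunnel{6454}:  ROUTED, TUNNEL, reqid 181
    mytunnel{6454}:   10.100.0.0/23 === 10.8.0.0/23
Security Associations (25 up, 0 connecting):
    mytunnel[248]: ESTABLISHED 5 seconds ago, YYY.YYY.YYY.YYY[CN=mainoffice.mycompany.com]...XXX.XXX.XXX.XXX[CN=remoteoffice.mycompany.com]
    mytunnel{6530}:  INSTALLED, TUNNEL, reqid 181, ESP SPIs: c810ef9a_i cbe44831_o, IPCOMP CPIs: 0ff7_i 4f82_o
    mytunnel{6530}:   10.100.0.0/23 === 10.8.0.0/23
    mytunnel{6531}:  INSTALLED, TUNNEL, reqid 181, ESP SPIs: c9c5f628_i c768a908_o, IPCOMP CPIs: d873_i 177f_o
    mytunnel{6531}:   10.100.0.0/23 === 10.8.0.0/23
"""

if __name__ == "__main__":
    for line in report(parse_status(SAMPLE_STATUS)):
        print(line)
```

On a live system the same functions can be fed the output of `ipsec status` (or `ipsec statusall`, whose extra per-SA lines the regexes simply ignore) from a cron job, so that a duplicate that persists past the first few minutes, rather than being cleaned up by a rekey or delete from either side, shows up in monitoring instead of being noticed by chance.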