[strongSwan] duplicate IPsec SAs

Jeff jwamsc at gmail.com
Wed Dec 20 00:15:41 CET 2017


I need the following VPN configuration:

* "star" architecture: single central responder, multiple initiators.
* Initiators may have dynamic or NAT'ed IPs.
* Exactly one VPN between responder and each initiator.
* Each VPN is "always up" to allow access from responder to any
initiator at any time.
* Periodic IKEv2 reauthentication is required to enforce X.509 CRLs.
* Small outages during rekey, reauth are permissible.

My config:
responder: CentOS Linux strongswan-5.5.3-1.el7.x86_64 EPEL RPM. Config attached.
initiators: CentOS Linux strongswan-5.5.3-1.el7.x86_64 EPEL RPM. Config attached.

The issue: As time passes, I see multiple IPsec SAs accumulate between
responder and some initiators.

Question: How to configure for exactly one VPN between responder and
each initiator?

I suspect that adding a combination of
connections.<conn>.unique
    and
charon.make_before_break

will fix my issue.  Advice on config change is requested.

thanks,
Jeff
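The two settings named above, shown in context as an added example (not the poster's attached configs, which were scrubbed from the archive). Connection names, identities, certificate file names and addresses below are placeholders; the option names and values are the documented swanctl.conf / strongswan.conf keys for strongSwan 5.x. `unique = replace` belongs on the responder's connection (matching on the initiator's IKE identity), and `make_before_break` belongs in the initiator's strongswan.conf, since the initiator drives the periodic reauthentication. Whether the combination removes the accumulating SAs in this particular setup is an assumption to be verified, not a claim from the thread.

```conf
# --- responder: /etc/strongswan/strongswan.conf (assumed path for the EPEL package)
charon {
    # Overlapping SAs during a peer's make-before-break reauth are
    # supported since 5.3.0; nothing to enable here on the responder.
}

# --- responder: /etc/strongswan/swanctl/swanctl.conf
connections {
    hub {                               # placeholder connection name
        version = 2
        local_addrs  = 203.0.113.1      # placeholder address
        remote_addrs = %any             # spokes have dynamic / NAT'ed IPs
        # One IKE_SA per remote identity: a new IKE_SA from the same
        # identity replaces (deletes) the existing one instead of
        # coexisting with it. Values: no | never | keep | replace
        unique = replace
        reauth_time = 1h                # periodic reauth => CRL re-check
        rekey_time  = 0                 # let the spoke rekey; avoids both
                                        # sides initiating at once
        dpd_delay   = 30s
        local {
            auth  = pubkey
            certs = hubCert.pem         # placeholder file name
            id    = "C=CH, O=Example, CN=hub.example.org"
        }
        remote {
            auth    = pubkey
            cacerts = caCert.pem
            id      = "C=CH, O=Example, CN=*"   # placeholder identity match
        }
        children {
            net {
                local_ts  = 10.0.0.0/16         # placeholder
                remote_ts = dynamic
                start_action = none             # responder never initiates
                dpd_action   = clear
            }
        }
    }
}

# --- initiator: /etc/strongswan/strongswan.conf
charon {
    # Build the new IKE_SA/CHILD_SA before deleting the old ones at
    # reauth time, so the outage at reauth is minimal.
    make_before_break = yes
}

# --- initiator: /etc/strongswan/swanctl/swanctl.conf
connections {
    spoke {
        version = 2
        remote_addrs = 203.0.113.1
        reauth_time  = 1h
        dpd_delay    = 30s
        local {
            auth  = pubkey
            certs = spokeCert.pem
            id    = "C=CH, O=Example, CN=spoke1.example.org"
        }
        remote {
            auth = pubkey
            id   = "C=CH, O=Example, CN=hub.example.org"
        }
        children {
            net {
                local_ts  = dynamic
                remote_ts = 10.0.0.0/16
                start_action = start        # "always up" from the spoke side
                dpd_action   = restart
                close_action = start        # re-establish if the hub closes it
            }
        }
    }
}
```

After `swanctl --load-all` on both sides, `swanctl --list-sas` on the responder should show exactly one IKE_SA per spoke identity once a reauth cycle has passed; more than one for the same identity means the uniqueness check is not taking effect (for example because the remote identities differ between the old and new IKE_SA).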
-------------- next part --------------
A non-text attachment was scrubbed...
Name: initiator-strongswan.conf
Type: application/octet-stream
Size: 281 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171219/15458e21/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: initiator-swanctl.conf
Type: application/octet-stream
Size: 726 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171219/15458e21/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: responder-strongswan.conf
Type: application/octet-stream
Size: 281 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171219/15458e21/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: responder-swanctl.conf
Type: application/octet-stream
Size: 1213 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171219/15458e21/attachment-0003.obj>