[strongSwan] two road runners collide ?

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Dec 28 14:14:08 CET 2017


Hi,

Yes, the problem is caused by your reuse of certificates. strongSwan identifies initiators by their ID by default (it's the only way to detect rekeyings and delete the previous SA correctly).
You need to create a new certificate for each initiator.

Kind regards

Noel

On 26.12.2017 17:48, lejeczek wrote:
> hi people
>
> I have a server and a roadwarrior connects to the server fine, config uses certificates, all seems ok.
> Then I've tried to set up a second RR, I use the same setting, same certs, only IP is different, naturally.
>
> But, there I have a problem, it must be trivial - I believe many simultaneous clients for strongSwan is a norm - when the first client is connected and all is fine and the second client connects, also successfully, then first client gets disconnected!?
>
> I guess, my first question would be - can my clients use the same one certificate? Is that why the server disconnects one, because both clients use the same cert?
>
> Being merely a user (not an expert) I can guess this might be telling you more:
>
> 13[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
> 09[CFG] detected duplicate IKE_SA for 'O=my, CN=my.dom', triggering delete for old IKE_SA
> 11[IKE] destroying IKE_SA in state DELETING without notification
> 09[IKE] sending end entity cert "O=my, CN=my.dom"
> 11[CFG] delete for duplicate IKE_SA 'O=my, CN=my.dom' timed out, keeping new IKE_SA
> 09[IKE] peer requested virtual IP 10.3.1.221
>
> many thanks, L.
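
The `[CFG]` messages in the quoted excerpt can be counted per identity to spot a certificate that is deployed on more than one client. The following is an added example, not part of either message and not strongSwan code; the function names, the `min_events` threshold and the sample lines beyond those quoted above are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Message formats taken from the log excerpt in the quoted post.
DETECTED = re.compile(
    r"\[CFG\] detected duplicate IKE_SA for '(?P<id>.*?)', triggering delete")
TIMED_OUT = re.compile(
    r"\[CFG\] delete for duplicate IKE_SA '(?P<id>.*?)' timed out")

def duplicate_id_events(lines):
    """Count duplicate-IKE_SA events per peer identity."""
    stats = defaultdict(lambda: {"detected": 0, "timed_out": 0})
    for line in lines:
        # search() tolerates syslog prefixes and mail-quote markers.
        for key, pattern in (("detected", DETECTED), ("timed_out", TIMED_OUT)):
            m = pattern.search(line)
            if m:
                stats[m.group("id")][key] += 1
    return dict(stats)

def shared_identity_suspects(lines, min_events=2):
    """Identities whose IKE_SA was replaced min_events times or more.

    A single replacement can be one client reconnecting; repeated ones
    suggest several hosts presenting the same certificate identity.
    min_events is an assumed threshold, tune it per deployment.
    """
    stats = duplicate_id_events(lines)
    return sorted(i for i, s in stats.items() if s["detected"] >= min_events)

# Constructed sample: the first four lines follow the quoted excerpt,
# the last two are made up to show repeated events and a second identity.
SAMPLE_LOG = """\
13[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
09[CFG] detected duplicate IKE_SA for 'O=my, CN=my.dom', triggering delete for old IKE_SA
11[IKE] destroying IKE_SA in state DELETING without notification
11[CFG] delete for duplicate IKE_SA 'O=my, CN=my.dom' timed out, keeping new IKE_SA
> 07[CFG] detected duplicate IKE_SA for 'O=my, CN=my.dom', triggering delete for old IKE_SA
Dec 26 17:40:01 gw charon: 05[CFG] detected duplicate IKE_SA for 'O=my, CN=laptop2', triggering delete for old IKE_SA
""".splitlines()

if __name__ == "__main__":
    for ident in shared_identity_suspects(SAMPLE_LOG):
        print("possible shared certificate identity:", ident)
```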
