[strongSwan] host to host auto start recommendation

Piyush Agarwal agarwalpiyush at gmail.com
Wed May 3 19:55:41 CEST 2017

I am trying to get a host to host tunnel up between two Ubuntu 14.04
machines. Either or both of these machines could be behind NAT as well, not
sure if that matters for this question, but FYI.

I'd think I need to specify auto=start on both the machines since either
could be the initiator.
However, if I do this, I see two entries for IKE_SAs and one entry for the
IPsec SA.

Log with uniqueids=yes:
Security Associations (2 up, 0 connecting):
[5]: ESTABLISHED 24 seconds ago, [C=US, ST=CA, L=Texas]...[C=US, ST=CA, L=Texas]
[4]: ESTABLISHED 28 seconds ago, [C=US, ST=CA, L=Texas]...[C=US, ST=CA, L=Texas]
{3}:  INSTALLED, TRANSPORT, ESP SPIs: c3b2d3f8_i c7d9c0d2_o
{3}: ===

A few seconds later:
Security Associations (1 up, 0 connecting):
[6]: ESTABLISHED 2 seconds ago, [C=US, ST=CA, L=Texas]...[C=US, ST=CA, L=Texas]

Also, I see a lot of "failed to establish CHILD_SA, keeping IKE_SA" in the logs.
The reasons before this line seem to be either:

1) received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
2) unable to install policy === in (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists

What is happening here? Is it the case that after A->B
(initiator->responder) IPsec SA is up, B is attempting B->A again? And if
uniqueids=yes (default), this will lead to the bug in
https://wiki.strongswan.org/issues/431 ?

Is my understanding right? Is A->B tunnel different from B->A?

Could someone please give some pointers to help me understand this?


Piyush Agarwal
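As an added illustration (not the poster's configuration and not from the strongSwan project), here is a host-to-host ipsec.conf in which both peers use auto=route rather than auto=start. With auto=route each daemon only installs trap policies, and the negotiation is triggered on whichever host first sends matching traffic; the other host then reuses the IKE_SA that already exists instead of racing to build its own, which is the situation in which two IKE_SAs between the same identities show up in statusall. Addresses, certificate file names and the CN values are placeholders.

```ini
# Added example, not the poster's configuration. Addresses, certificate
# names and identities are placeholders.
config setup
    # Default (yes): a new IKE_SA from the same peer identity replaces the
    # existing one. The default is fine once the two sides no longer race
    # to initiate at startup.
    uniqueids=yes

conn hostA-hostB
    keyexchange=ikev2
    type=transport
    left=192.0.2.10
    leftcert=hostA.pem
    leftid="C=US, ST=CA, L=Texas, CN=hostA"
    right=198.51.100.20
    rightid="C=US, ST=CA, L=Texas, CN=hostB"
    # auto=route installs trap policies; the first packet that matches them
    # triggers IKE on that host only. auto=start on both hosts makes both
    # daemons initiate at startup, which can produce two IKE_SAs between
    # the same identity pair, as in the statusall output above.
    auto=route
```

The other host carries the mirror image of this conn (left and right swapped, its own leftcert), also with auto=route. Giving each host a distinct identity, as the CN values do here, also makes the statusall entries and the uniqueids behaviour easier to read than the identical DN shown on both ends of the output above.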
