[strongSwan] Multiple Child_SAs - only one loaded at tunnel setup ?

Sarefrech sarefrech at wanadoo.fr
Tue Sep 5 11:52:52 CEST 2017


Hi,

Sure. I now use "Linux strongSwan U5.6.0/K3.16.0-4-amd64", but the issue is still here.

Please find attached the following files: ipsec.conf, charon_debug.childsa_issue.log & the connection configuration used via VICI.

Tell me if you need anything more. In the meantime, I'll dig a bit more into these files.

thanks,

Régis

 

-----------------

Hi,

Please provide your configuration and a log of the connection as described on the HelpRequests page [1]. There are multiple reasons this
problem can occur.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 04.09.2017 14:39, Sarefrech wrote:
>
> Hi all,
>
> I used "Linux strongSwan U5.5.3/K3.16.0-4-amd64".
>
> I have two connection definitions with 2 child SAs each. The first one comes from ipsec.conf, the second is created via VICI:
>
> root at ipsec-gw:/usr/local/src# swanctl --list-conns
> default_cert1: IKEv2, reauthentication every 3420s, no rekeying
>   local:  %any
>   remote: %any
>   local public key authentication:
>     id: u2agw.u2a.xyz
>   remote public key authentication:
>   default_cert1: TUNNEL, rekeying every 1020s
>     local:  10.11.0.0/16
>     remote: dynamic
>   default_cert: TUNNEL, rekeying every 1020s
>     local:  10.10.0.0/16
>     remote: dynamic
> defautVici: IKEv2, no reauthentication, no rekeying
>   local:  161.106.240.155
>   remote: %any
>   local public key authentication:
>     id: u2agw.u2a.xyz
>   remote EAP_RADIUS authentication:
>     eap_id: %any
>   child1: TUNNEL, rekeying every 100s
>     local:  1.1.1.1/32 10.0.0.0/8
>     remote: dynamic
>   child2: TUNNEL, rekeying every 100s
>     local:  2.2.2.5/32
>     remote: dynamic
>
> I set up tunnels and I observe that there is only one child SA for each connection: one is not missing.
>
> root at ipsec-gw:/usr/local/src# swanctl --list-sas
> default_cert1: #6, ESTABLISHED, IKEv2, 9ced70a70cbacaea_i 394dc6781ed773a6_r*
>   local  'u2agw.u2a.xyz' @ 161.106.240.155[4500]
>   remote 'CN=max.min, OU=u2aUsers, DC=u2a, DC=xyz' @ 161.106.240.156[47841] [10.11.12.162]
>   AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
>   established 6s ago, reauth in 3336s
>   default_cert1: #5, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
>     installed 5s ago, rekeying in 889s, expires in 1195s
>     in  c3d7921a,    336 bytes,     4 packets,     0s ago
>     out e7757320,    336 bytes,     4 packets,     0s ago
>     local  10.11.0.0/16
>     remote 10.11.12.162/32
> defautVici: #4, ESTABLISHED, IKEv2, 927ad63611b5b535_i f7a4b615d62bfcd6_r*
>   local  'u2agw.u2a.xyz' @ 161.106.240.155[4500]
>   remote 'joe.bar' @ 161.106.240.156[42859] [10.11.12.151]
>   AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
>   established 11s ago
>   child1: #4, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
>     installed 10s ago, rekeying in 80s, expires in 100s
>     in  c53f5289,      0 bytes,     0 packets
>     out d0249916,      0 bytes,     0 packets
>     local  1.1.1.1/32 10.0.0.0/8
>     remote 10.11.12.151/32
>
> From the documentation & mail exchanges on the list, I understand that the strongSwan GW is supposed to handle multiple child SAs.
>
> Am I missing something, or could this be a kind of bug in the latest versions?
>
> thanks,
>
>
> Régis
>
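A check for the discrepancy described in the quoted message, added here as an example and not part of the thread: it parses the `swanctl --list-conns` and `swanctl --list-sas` text formats (names at column 0, children indented two spaces, as in the output above) and reports every configured child that has no INSTALLED CHILD_SA under an established IKE_SA. The embedded sample listings are constructed, abridged from the quoted output.

```python
import re

# Constructed sample input, abridged from the swanctl output quoted above.
LIST_CONNS = """\
default_cert1: IKEv2, reauthentication every 3420s, no rekeying
  local:  %any
  default_cert1: TUNNEL, rekeying every 1020s
  default_cert: TUNNEL, rekeying every 1020s
defautVici: IKEv2, no reauthentication, no rekeying
  remote EAP_RADIUS authentication:
  child1: TUNNEL, rekeying every 100s
  child2: TUNNEL, rekeying every 100s
"""
LIST_SAS = """\
default_cert1: #6, ESTABLISHED, IKEv2, 9ced70a70cbacaea_i 394dc6781ed773a6_r*
  local  'u2agw.u2a.xyz' @ 161.106.240.155[4500]
  default_cert1: #5, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
defautVici: #4, ESTABLISHED, IKEv2, 927ad63611b5b535_i f7a4b615d62bfcd6_r*
  child1: #4, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
"""

# Connection / IKE_SA names sit at column 0, their children two spaces in.
CONN_RE = re.compile(r"^(\S+): IKEv[12],")
CHILD_DEF_RE = re.compile(r"^  (\S+): (TUNNEL|TRANSPORT|BEET|PASS|DROP)\b")
IKE_SA_RE = re.compile(r"^(\S+): #\d+, ")
CHILD_SA_RE = re.compile(r"^  (\S+): #\d+, reqid \d+, (\w+),")

def parse_sections(text, head_re, item_re, keep=lambda m: True):
    """Map each top-level name to the names of its matching indented items."""
    result, current = {}, None
    for line in text.splitlines():
        head = head_re.match(line)
        if head:
            current = head.group(1)
            result.setdefault(current, [])
            continue
        item = item_re.match(line)
        if item and current and keep(item):
            result[current].append(item.group(1))
    return result

def missing_children(list_conns, list_sas):
    """Configured children lacking an INSTALLED CHILD_SA under an established IKE_SA."""
    configured = parse_sections(list_conns, CONN_RE, CHILD_DEF_RE)
    installed = parse_sections(list_sas, IKE_SA_RE, CHILD_SA_RE,
                               keep=lambda m: m.group(2) == "INSTALLED")
    return {conn: sorted(set(kids) - set(installed[conn]))
            for conn, kids in configured.items()
            if conn in installed and set(kids) - set(installed[conn])}
```

Connections with no IKE_SA at all are skipped on purpose, so the report only lists children that should have come up alongside an established tunnel.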
-------------- next part --------------
A non-text attachment was scrubbed...
Name: charon_debug.childsa_issue.log
Type: application/octet-stream
Size: 56815 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170905/d168d091/attachment-0001.obj>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: config-vici.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170905/d168d091/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipsec.conf.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170905/d168d091/attachment-0003.txt>
