[strongSwan] Multiple Child_SAs - only one loaded at tunnel setup ?
Sarefrech
sarefrech at wanadoo.fr
Tue Sep 5 11:52:52 CEST 2017
Hi,
Sure. I now use "Linux strongSwan U5.6.0/K3.16.0-4-amd64", but the issue is still here.
Please find attached the following files : ipsec.conf, charon_debug.childsa_issue.log & the connexion configuration used via VICI.
Tell me if you need anything more. In the mean time, I'll dig a bit more into these files.
thanks,
Régis
-----------------
Hi,
Please provide your configuration and a log of the connection as described on the HelpRequests page[1] . There are multiple reasons this
problem can occur.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
On 04.09.2017 14:39, Sarefrech wrote:
>
> Hi all,
>
>
>
> I used "Linux strongSwan U5.5.3/K3.16.0-4-amd64".
>
>
>
> I have two connexion definitions with 2 child SAs each. The first one come from ipsec.conf , the second is created via VICI:
>
> root at ipsec-gw:/usr/local/src# swanctl --list-conns
> *default_cert1*: IKEv2, reauthentication every 3420s, no rekeying
> local: %any
> remote: %any
> local public key authentication:
> id: u2agw.u2a.xyz
> remote public key authentication:
> *default_cert1*: TUNNEL, rekeying every 1020s
> local: 10.11.0.0/16
> remote: dynamic
> *default_cert*: TUNNEL, rekeying every 1020s
> local: 10.10.0.0/16
> remote: dynamic
> *defautVici*: IKEv2, no reauthentication, no rekeying
> local: 161.106.240.155
> remote: %any
> local public key authentication:
> id: u2agw.u2a.xyz
> remote EAP_RADIUS authentication:
> eap_id: %any
> *child1*: TUNNEL, rekeying every 100s
> local: 1.1.1.1/32 10.0.0.0/8
> remote: dynamic
> *child2*: TUNNEL, rekeying every 100s
> local: 2.2.2.5/32
> remote: dynamic
>
> I setup tunnels and I observe that there is only one child ca for each connexion : one is not missing.
>
> root at ipsec-gw:/usr/local/src# swanctl --list-sas
> *default_cert1*: #6, ESTABLISHED, IKEv2, 9ced70a70cbacaea_i 394dc6781ed773a6_r*
> local 'u2agw.u2a.xyz' @ 161.106.240.155[4500]
> remote 'CN=max.min, OU=u2aUsers, DC=u2a, DC=xyz' @ 161.106.240.156[47841] [10.11.12.162]
> AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
> established 6s ago, reauth in 3336s
> *default_cert1*: #5, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
> installed 5s ago, rekeying in 889s, expires in 1195s
> in c3d7921a, 336 bytes, 4 packets, 0s ago
> out e7757320, 336 bytes, 4 packets, 0s ago
> local 10.11.0.0/16
> remote 10.11.12.162/32
> *defautVici*: #4, ESTABLISHED, IKEv2, 927ad63611b5b535_i f7a4b615d62bfcd6_r*
> local 'u2agw.u2a.xyz' @ 161.106.240.155[4500]
> remote 'joe.bar' @ 161.106.240.156[42859] [10.11.12.151]
> AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
> established 11s ago
> *child1*: #4, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
> installed 10s ago, rekeying in 80s, expires in 100s
> in c53f5289, 0 bytes, 0 packets
> out d0249916, 0 bytes, 0 packets
> local 1.1.1.1/32 10.0.0.0/8
> remote 10.11.12.151/32
>
> From the documentation & mail exchanges on the list, I understand that strongswan GW is supposed to handle multiple child sas.
>
> Do I miss something or this could be a kind of bug in last versions?
>
>
>
> thanks,
>
>
> Régis
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170905/d168d091/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: charon_debug.childsa_issue.log
Type: application/octet-stream
Size: 56815 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170905/d168d091/attachment-0001.obj>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: config-vici.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170905/d168d091/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipsec.conf.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170905/d168d091/attachment-0003.txt>
More information about the Users
mailing list