[strongSwan] "%d" of initiator_id of load-tester does not start from 1 but 2.

李 冠群 pluto851031 at hotmail.com
Tue Feb 27 08:39:25 CET 2018


Hi all,

I am facing a problem with load-tester: the "%d" of initiator_id did not start from 1, but from 2.

--------
initiator_id = tester%d@strongswan.org
--------

Below are the configuration of load-tester and the status of the ipsec tunnels.
From the "ipsec statusall" output you can see that the initiator id started from "tester2@strongswan.org",
and the private address also started from "10.254.32.2/32".

I suspect that some internal behavior has used "tester1@strongswan.org",
or that some configuration caused the initiator_id to start from "2".

Can anyone give me some advice?
Any comment will be appreciated.
If further info is needed, please let me know.

------------- configuration ------------
root@tester1:/usr/local/etc# cat strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
        reuse_ikesa=yes
        load_modular=yes

        plugins {
                include strongswan.d/charon/*.conf
                load-tester {

                        enable = yes
                        responder = 192.168.0.6
                        proposal = aes128-sha1-modp1024
                        initiator_id = tester%d@strongswan.org
                        initiator_match = *@strongswan.org
                        initiator_auth = eap-aka
                        responder_auth = psk
                        responder_id = strongswan.org
                        initiator_tsr = 10.65.0.0/18
                        esp = aes128-sha1
                        addrs { ens4 = 10.64.0.1/18 }
                        addrs_prefix = 16
                        request_virtual_ip = yes
                        ike_rekey = 25200
                        child_rekey = 28800
                        delete_after_established = no
                        shutdown_when_complete = no
                }
        }
}

---------------------------------------

root@tester1:/usr/local/etc# ipsec statusall

Listening IP addresses:
  10.59.128.33
  10.64.127.253
Connections:
   load-test:  192.168.0.6...0.0.0.0  IKEv1/2
   load-test:   local:  [strongswan.org] uses pre-shared key authentication
   load-test:   remote: [*@strongswan.org] uses EAP_AKA authentication
   load-test:   child:  10.65.0.0/18 === dynamic TUNNEL
Security Associations (5 up, 0 connecting):
   load-test[5]: ESTABLISHED 6 seconds ago, 10.64.0.5[tester6@strongswan.org]...192.168.0.6[strongswan.org]
   load-test[5]: IKEv2 SPIs: 66a396f7c9e152c1_i* e1200a4eb1b5f253_r, rekeying in 6 hours
   load-test[5]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
   load-test{6}:  INSTALLED, TUNNEL, reqid 5, ESP SPIs: c5ef7bad_i 0015790e_o
   load-test{6}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
   load-test{6}:   10.254.32.6/32 === 10.65.0.0/18
   load-test[4]: ESTABLISHED 10 seconds ago, 10.64.0.4[tester5@strongswan.org]...192.168.0.6[strongswan.org]
   load-test[4]: IKEv2 SPIs: 15455d79dbc1b476_i* cb3974e5683d2f37_r, rekeying in 6 hours
   load-test[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
   load-test{4}:  INSTALLED, TUNNEL, reqid 4, ESP SPIs: c31265b7_i 001353b9_o
   load-test{4}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
   load-test{4}:   10.254.32.5/32 === 10.65.0.0/18
   load-test[3]: ESTABLISHED 13 seconds ago, 10.64.0.3[tester4@strongswan.org]...192.168.0.6[strongswan.org]
   load-test[3]: IKEv2 SPIs: bbfa251802593dc9_i* 84935f6a6411adf6_r, rekeying in 6 hours
   load-test[3]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
   load-test{3}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c1625dab_i 00132117_o
   load-test{3}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
   load-test{3}:   10.254.32.4/32 === 10.65.0.0/18
   load-test[2]: ESTABLISHED 16 seconds ago, 10.64.0.2[tester3@strongswan.org]...192.168.0.6[strongswan.org]
   load-test[2]: IKEv2 SPIs: ca01109e85be6828_i* 2ea11c57bd317fe2_r, rekeying in 6 hours
   load-test[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
   load-test{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c003619c_i 001423af_o
   load-test{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
   load-test{2}:   10.254.32.3/32 === 10.65.0.0/18
   load-test[1]: ESTABLISHED 19 seconds ago, 10.64.0.1[tester2@strongswan.org]...192.168.0.6[strongswan.org]
   load-test[1]: IKEv2 SPIs: 208894470b3f7123_i* 2b2b934095b76978_r, rekeying in 6 hours
   load-test[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
   load-test{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c5900c71_i 001457a4_o
   load-test{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
   load-test{1}:   10.254.32.2/32 === 10.65.0.0/18

root@tester1:/usr/local/etc#

---------------------------------------

Regards,
Pluto
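
Added example (not part of the original message and not strongSwan code): a small parser that tabulates IKE_SA number, local address, the number substituted into the initiator ID and the virtual IP from `ipsec statusall` output, so the offset reported above can be checked across any number of load-test SAs. The sample lines are constructed from the format shown in the message; the function names are hypothetical.

```python
import re

# Constructed sample in the format of the `ipsec statusall` output above.
SAMPLE = """\
   load-test[2]: ESTABLISHED 16 seconds ago, 10.64.0.2[tester3@strongswan.org]...192.168.0.6[strongswan.org]
   load-test{2}:  INSTALLED, TUNNEL, reqid 2
   load-test{2}:   10.254.32.3/32 === 10.65.0.0/18
   load-test[1]: ESTABLISHED 19 seconds ago, 10.64.0.1[tester2@strongswan.org]...192.168.0.6[strongswan.org]
   load-test{1}:  INSTALLED, TUNNEL, reqid 1
   load-test{1}:   10.254.32.2/32 === 10.65.0.0/18
"""

# IKE_SA line: conn[N]: ESTABLISHED ..., <local addr>[<prefix><num>@<domain>]...
IKE_RE = re.compile(
    r"^\s*\S+\[(\d+)\]: ESTABLISHED .*?, (\S+?)\[[^\]]*?(\d+)@[^\]]+\]\.\.\.")
# CHILD_SA traffic selector line carrying the assigned virtual IP (/32).
TS_RE = re.compile(r"^\s*\S+\{\d+\}:\s+(\d+(?:\.\d+){3})/32 === ")


def parse_sas(text):
    """Return one record per IKE_SA, sorted by IKE_SA number."""
    sas, current = [], None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            current = {"ike_sa": int(m.group(1)), "local": m.group(2),
                       "id_num": int(m.group(3)), "vip": None}
            sas.append(current)
            continue
        # CHILD_SA lines follow their IKE_SA, so attach to the latest one
        # instead of trusting the {N} counter, which can differ from [N].
        m = TS_RE.match(line)
        if m and current is not None:
            current["vip"] = m.group(1)
    return sorted(sas, key=lambda s: s["ike_sa"])


def id_summary(sas):
    """First ID number used, ID-minus-SA offsets seen, and missing IDs."""
    if not sas:
        return None
    nums = {s["id_num"] for s in sas}
    return {"first_id": min(nums),
            "offsets": {s["id_num"] - s["ike_sa"] for s in sas},
            "gaps": sorted(set(range(min(nums), max(nums) + 1)) - nums)}


if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(sa)
    print(id_summary(parse_sas(SAMPLE)))
```
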
