[strongSwan] duplicate IPSec SAs

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Jan 3 23:09:42 CET 2018


Hi,

Please provide the output of `ipsec statusall` and logs that show the issue.

Kind regards

Noel

On 02.01.2018 16:36, Jeff wrote:
> My ikev2 VPNs are accumulating duplicate IPSec SAs.
>
> Here are some of my high level requirements:
> * "star" architecture: single central responder, multiple initiators.
> * Initiators may have dynamic or NAT'ed IPs.
> * Exactly one VPN between responder and each initiator.
> * Each VPN is "always up" to allow access from responder to any
> initiator at any time.
> * Periodic IKEv2 reauthentication is required to enforce X.509 CRLs.
> * Small outages during rekey, reauth are permissible.
>
> My config:
> responder: CentOS Linux strongswan-5.5.3-1.el7.x86_64 EPEL RPM. Config attached.
> initiators: CentOS Linux strongswan-5.5.3-1.el7.x86_64 EPEL RPM.
> Config attached.
>
> The issue: As time passes, I see multiple IPsec SAs accumulate between
> responder and some initiators.
>
> Question: How to configure for exactly one VPN between responder and
> each initiator?
>
> I suspect that adding a combination of
> connections.<conn>.unique
>     and
> charon.make_before_break
>
> settings will fix my issue. Currently I am using the default values for each.
>
> Advice on a config change to fix duplicate IPSec SAs is requested.
>
>
> thanks,
> Jeff
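The two settings Jeff names, shown together as an added configuration fragment; this is not from the thread or its attached configs, and the connection name `hub`, the certificate file name, the timers and the subnets are constructed values:

```conf
# /etc/strongswan.d/charon.conf (or strongswan.conf), on responder and initiators.
# Added example; every value here is an assumption, not the poster's attached config.
charon {
    # Default is "no" (break-before-make): the old IKE_SA and its CHILD_SAs are
    # torn down before the new ones are created, so each reauth is a short outage.
    # "yes" establishes the new IKE_SA and CHILD_SAs first, then deletes the old
    # ones; both peers must handle overlapping SAs (strongSwan 5.3.0 or newer).
    make_before_break = yes
}

# /etc/swanctl/swanctl.conf on the responder; "hub" is a constructed name.
connections {
    hub {
        version = 2
        local_addrs = %any
        remote_addrs = %any
        # Periodic reauthentication forces a fresh certificate/CRL check.
        reauth_time = 3h
        # Default is "no": an existing IKE_SA for the same peer identity is only
        # replaced when the new one carries an INITIAL_CONTACT notify. "replace"
        # deletes the existing IKE_SA for that identity whenever a new one is
        # established, so a re-connecting initiator (new NAT mapping, new dynamic
        # address) cannot leave a stale SA behind. "keep" would instead reject
        # the new connection attempt.
        unique = replace
        local {
            auth = pubkey
            certs = hub.pem
        }
        remote {
            auth = pubkey
            # Reject peers whose certificate cannot be checked against a CRL.
            revocation = strict
        }
        children {
            net {
                local_ts = 10.0.0.0/24
                remote_ts = 10.1.0.0/24
            }
        }
    }
}
```

If the attached configs use the legacy ipsec.conf format instead of swanctl.conf, the equivalent of `unique = replace` is `uniqueids = replace` in the `config setup` section, while `make_before_break` stays in strongswan.conf either way.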
