[strongSwan] Multiple IKE SA between same pair of address

Jun Hu hujun.work at gmail.com
Sat Jan 6 01:15:26 CET 2018


Hi,
Does strongSwan support multiple IKE SAs (each with its own CHILD_SA)
between a single pair of addresses?
It seems strongSwan only allows one IKE SA per pair of addresses.

I am using strongSwan 5.5.0, inter-operating with an IKEv2 client that I wrote (for
learning purposes); my client is the tunnel initiator. When I only create
one IKE SA (along with one CHILD_SA), everything is good;
but when my client tries to create a 2nd CHILD_SA (using IKE_SA_INIT and
IKE_AUTH exchanges, not rekey) using the same addresses, the 2nd IKE and CHILD SA
are created successfully at the beginning, but after a few seconds
strongSwan sends a delete message to delete the 1st IKE_SA.

I also tried setting charon.reuse_ikesa to no, but got the same result.

I checked the strongSwan logs, but they don't say why it deletes the 1st IKE SA:
root at vm-svr:/usr/local/etc# ipsec status
Security Associations (2 up, 0 connecting):
         l2l[2]: ESTABLISHED 9 seconds ago, 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
         l2l{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1aab5fc_i 3f174706_o
         l2l{2}:   10.10.10.1/32 === 1.1.1.2/32
         l2l[1]: ESTABLISHED 19 seconds ago, 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
         l2l{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca5a49fd_i 617a4971_o
         l2l{1}:   10.10.10.1/32 === 1.1.1.1/32
root at vm-svr:/usr/local/etc# ipsec status
Security Associations (1 up, 0 connecting):
         l2l[2]: ESTABLISHED 10 seconds ago, 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
         l2l{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1aab5fc_i 3f174706_o
         l2l{2}:   10.10.10.1/32 === 1.1.1.2/32

Part of the log:
.....
Jan  5 15:50:21 06[MGR] <l2l|2> checkout IKEv2 SA with SPIs 2c79130e38a24598_i c530ad0d0f1a47f0_r
Jan  5 15:50:21 06[MGR] <l2l|2> IKE_SA l2l[1] successfully checked out
Jan  5 15:50:21 06[MGR] <l2l|1> checkin IKE_SA l2l[1]
Jan  5 15:50:21 06[MGR] <l2l|1> checkin of IKE_SA successful
Jan  5 15:50:21 06[IKE] <l2l|2> IKE_SA l2l[2] established between 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
Jan  5 15:50:21 06[IKE] <l2l|2> IKE_SA l2l[2] state change: CONNECTING => ESTABLISHED
Jan  5 15:50:21 06[IKE] <l2l|2> scheduling rekeying in 490s
Jan  5 15:50:21 06[IKE] <l2l|2> maximum IKE_SA lifetime 500s
Jan  5 15:50:21 06[KNL] <l2l|2> got SPI c1aab5fc
Jan  5 15:50:21 06[KNL] <l2l|2> adding SAD entry with SPI c1aab5fc and reqid {2}
Jan  5 15:50:21 06[KNL] <l2l|2>   using encryption algorithm AES_CBC with key size 128
Jan  5 15:50:21 06[KNL] <l2l|2>   using integrity algorithm HMAC_SHA1_96 with key size 160
Jan  5 15:50:21 06[KNL] <l2l|2>   using replay window of 32 packets
Jan  5 15:50:21 06[KNL] <l2l|2> adding SAD entry with SPI 3f174706 and reqid {2}
Jan  5 15:50:21 06[KNL] <l2l|2>   using encryption algorithm AES_CBC with key size 128
Jan  5 15:50:21 06[KNL] <l2l|2>   using integrity algorithm HMAC_SHA1_96 with key size 160
Jan  5 15:50:21 06[KNL] <l2l|2>   using replay window of 0 packets
Jan  5 15:50:21 06[KNL] <l2l|2> adding policy 10.10.10.1/32 === 1.1.1.2/32 out [priority 383616, refcount 1]
Jan  5 15:50:21 06[KNL] <l2l|2> adding policy 1.1.1.2/32 === 10.10.10.1/32 in [priority 383616, refcount 1]
Jan  5 15:50:21 06[KNL] <l2l|2> adding policy 1.1.1.2/32 === 10.10.10.1/32 fwd [priority 383616, refcount 1]
Jan  5 15:50:21 06[KNL] <l2l|2> adding policy 10.10.10.1/32 === 1.1.1.2/32 fwd [priority 383616, refcount 1]
Jan  5 15:50:21 06[KNL] <l2l|2> policy 10.10.10.1/32 === 1.1.1.2/32 out already exists, increasing refcount
Jan  5 15:50:21 06[KNL] <l2l|2> updating policy 10.10.10.1/32 === 1.1.1.2/32 out [priority 183616, refcount 2]
Jan  5 15:50:21 06[KNL] <l2l|2> getting a local address in traffic selector 10.10.10.1/32
Jan  5 15:50:21 06[KNL] <l2l|2> using host 10.10.10.1
Jan  5 15:50:21 06[KNL] <l2l|2> getting iface name for index 4
Jan  5 15:50:21 06[KNL] <l2l|2> using 10.10.10.20 as nexthop and eth2 as dev to reach 10.10.10.20/32
Jan  5 15:50:21 06[KNL] <l2l|2> installing route: 1.1.1.2/32 via 10.10.10.20 src 10.10.10.1 dev eth2
Jan  5 15:50:21 06[KNL] <l2l|2> getting iface index for eth2
Jan  5 15:50:21 06[KNL] <l2l|2> policy 1.1.1.2/32 === 10.10.10.1/32 in already exists, increasing refcount
Jan  5 15:50:21 06[KNL] <l2l|2> updating policy 1.1.1.2/32 === 10.10.10.1/32 in [priority 183616, refcount 2]
Jan  5 15:50:21 06[KNL] <l2l|2> policy 1.1.1.2/32 === 10.10.10.1/32 fwd already exists, increasing refcount
Jan  5 15:50:21 06[KNL] <l2l|2> updating policy 1.1.1.2/32 === 10.10.10.1/32 fwd [priority 183616, refcount 2]
Jan  5 15:50:21 06[KNL] <l2l|2> policy 10.10.10.1/32 === 1.1.1.2/32 fwd already exists, increasing refcount
Jan  5 15:50:21 06[KNL] <l2l|2> updating policy 10.10.10.1/32 === 1.1.1.2/32 fwd [priority 283616, refcount 2]
Jan  5 15:50:21 06[IKE] <l2l|2> CHILD_SA l2l{2} established with SPIs c1aab5fc_i 3f174706_o and TS 10.10.10.1/32 === 1.1.1.2/32
Jan  5 15:50:21 06[KNL] <l2l|2> querying SAD entry with SPI c1aab5fc
Jan  5 15:50:21 06[KNL] <l2l|2> querying SAD entry with SPI 3f174706
Jan  5 15:50:21 06[KNL] <l2l|2> 10.10.10.1 is on interface eth2
Jan  5 15:50:21 06[ENC] <l2l|2> generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Jan  5 15:50:21 06[NET] <l2l|2> sending packet: from 10.10.10.1[500] to 10.10.10.20[500] (204 bytes)
Jan  5 15:50:21 06[MGR] <l2l|2> checkin IKE_SA l2l[2]
Jan  5 15:50:21 06[MGR] <l2l|2> checkin of IKE_SA successful
Jan  5 15:50:31 05[MGR] checkout IKEv2 SA with SPIs 2c79130e38a24598_i c530ad0d0f1a47f0_r
Jan  5 15:50:31 05[MGR] IKE_SA l2l[1] successfully checked out
Jan  5 15:50:31 05[IKE] <l2l|1> queueing IKE_DELETE task
Jan  5 15:50:31 05[IKE] <l2l|1> activating new tasks
Jan  5 15:50:31 05[IKE] <l2l|1>   activating IKE_DELETE task
Jan  5 15:50:31 05[IKE] <l2l|1> deleting IKE_SA l2l[1] between 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
Jan  5 15:50:31 05[IKE] <l2l|1> IKE_SA l2l[1] state change: ESTABLISHED => DELETING
Jan  5 15:50:31 05[IKE] <l2l|1> sending DELETE for IKE_SA l2l[1]
Jan  5 15:50:31 05[ENC] <l2l|1> generating INFORMATIONAL request 0 [ D ]
Jan  5 15:50:31 05[NET] <l2l|1> sending packet: from 10.10.10.1[500] to 10.10.10.20[500] (76 bytes)
Jan  5 15:50:31 05[MGR] <l2l|1> checkin IKE_SA l2l[1]
Jan  5 15:50:31 05[MGR] <l2l|1> checkin of IKE_SA successful
Jan  5 15:50:31 13[MGR] checkout IKEv2 SA by message with SPIs 2c79130e38a24598_i c530ad0d0f1a47f0_r
Jan  5 15:50:31 13[MGR] IKE_SA l2l[1] successfully checked out

===ipsec.conf===
conn %default
        keyexchange=ikev2
        mobike=no
        reauth=no

conn l2l
        ikelifetime=500s
        margintime=10s
        rekeyfuzz=0%
        ike=aes128-sha1-modp2048!
        esp=aes128-sha1
        authby=psk
        leftfirewall=yes
        rightsubnet=1.0.0.0/8
        auto=add
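As an added example (not code from the post above and not part of strongSwan), the following Python script correlates charon log lines of the kind quoted above: it pairs each "deleting IKE_SA" event with the most recent other IKE_SA established for the same peer identity within a window, and it lists IKE_SAs that were checked out from within a sibling SA's context (as l2l[2] does to l2l[1] at 15:50:21, during its own IKE_AUTH). The embedded sample log is constructed from the lines quoted above plus one constructed line for l2l[1] coming up 10 s earlier, which the two `ipsec status` snapshots imply; the 60 s correlation window is an assumed parameter. When the deleted SA and the survivor share a peer ID like this, the `uniqueids` option in ipsec.conf (default `yes`, under which charon replaces an existing IKE_SA for the same peer identity when a new one is authenticated) is the first setting to check, and the full charon log rather than the excerpt would show whether a uniqueness-policy message precedes the delete.

```python
"""Correlate charon IKE_SA lifecycle events to spot a peer's older IKE_SA
being deleted shortly after a second IKE_SA for the same peer identity
came up.  Added example; the sample log below is constructed from the
lines quoted in the post plus one constructed line for l2l[1]."""
import re
from datetime import datetime

# Constructed sample (subset of the posted log; the 15:50:11 line is
# constructed from the two ipsec status snapshots, 19 s vs 9 s).
SAMPLE_LOG = """\
Jan  5 15:50:11 04[IKE] <l2l|1> IKE_SA l2l[1] established between 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
Jan  5 15:50:21 06[MGR] <l2l|2> checkout IKEv2 SA with SPIs 2c79130e38a24598_i c530ad0d0f1a47f0_r
Jan  5 15:50:21 06[MGR] <l2l|2> IKE_SA l2l[1] successfully checked out
Jan  5 15:50:21 06[MGR] <l2l|1> checkin IKE_SA l2l[1]
Jan  5 15:50:21 06[IKE] <l2l|2> IKE_SA l2l[2] established between 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
Jan  5 15:50:21 06[IKE] <l2l|2> CHILD_SA l2l{2} established with SPIs c1aab5fc_i 3f174706_o and TS 10.10.10.1/32 === 1.1.1.2/32
Jan  5 15:50:31 05[MGR] checkout IKEv2 SA with SPIs 2c79130e38a24598_i c530ad0d0f1a47f0_r
Jan  5 15:50:31 05[MGR] IKE_SA l2l[1] successfully checked out
Jan  5 15:50:31 05[IKE] <l2l|1> deleting IKE_SA l2l[1] between 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
Jan  5 15:50:31 05[IKE] <l2l|1> sending DELETE for IKE_SA l2l[1]
"""

# Syslog prefix: timestamp, thread id, log group, optional <conn|unique-id> context.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<thr>\d+)\[(?P<grp>\w+)\]"
    r"(?: <(?P<ctx_conn>[^|>]+)\|(?P<ctx_id>\d+)>)? (?P<msg>.*)$"
)
# "local_addr[local_id]...remote_addr[remote_id]" as charon prints endpoints.
ENDPOINTS = (r"(?P<la>[^\[\s]+)\[(?P<lid>[^\]]+)\]\.\.\."
             r"(?P<ra>[^\[\s]+)\[(?P<rid>[^\]]+)\]")
ESTABLISHED_RE = re.compile(r"IKE_SA (?P<sa>\S+\[\d+\]) established between " + ENDPOINTS)
DELETING_RE = re.compile(r"deleting IKE_SA (?P<sa>\S+\[\d+\]) between " + ENDPOINTS)
CHECKOUT_RE = re.compile(r"IKE_SA (?P<sa>\S+\[\d+\]) successfully checked out")


def parse_ts(ts):
    # Syslog timestamps carry no year; only time deltas are used here.
    return datetime.strptime(re.sub(r"\s+", " ", ts), "%b %d %H:%M:%S")


def parse_log(text):
    """Return a list of lifecycle events (kind: established, deleting, checkout)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        ctx = f"{m['ctx_conn']}[{m['ctx_id']}]" if m["ctx_conn"] else None
        msg = m["msg"]
        e = ESTABLISHED_RE.search(msg)
        if e:
            events.append(dict(kind="established", ts=ts, sa=e["sa"], peer=(e["ra"], e["rid"])))
            continue
        d = DELETING_RE.search(msg)
        if d:
            events.append(dict(kind="deleting", ts=ts, sa=d["sa"], peer=(d["ra"], d["rid"])))
            continue
        c = CHECKOUT_RE.search(msg)
        if c:
            events.append(dict(kind="checkout", ts=ts, sa=c["sa"], ctx=ctx))
    return events


def find_duplicate_deletes(events, window=60):
    """For each IKE_SA deletion, find the newest *other* IKE_SA established for
    the same peer (address, identity) within `window` seconds before it.
    Returns tuples (deleted_sa, surviving_sa, peer_id, delay_seconds)."""
    findings = []
    established = [e for e in events if e["kind"] == "established"]
    for d in (e for e in events if e["kind"] == "deleting"):
        candidates = [
            e for e in established
            if e["sa"] != d["sa"] and e["peer"] == d["peer"]
            and 0 <= (d["ts"] - e["ts"]).total_seconds() <= window
        ]
        if candidates:
            newest = max(candidates, key=lambda e: e["ts"])
            findings.append((d["sa"], newest["sa"], d["peer"][1],
                             (d["ts"] - newest["ts"]).total_seconds()))
    return findings


def cross_checkouts(events):
    """IKE_SAs checked out from inside another IKE_SA's log context, i.e. one
    SA inspecting or acting on its sibling.  Returns (context_sa, target_sa)."""
    return [(e["ctx"], e["sa"]) for e in events
            if e["kind"] == "checkout" and e["ctx"] and e["ctx"] != e["sa"]]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for deleted, survivor, peer_id, delay in find_duplicate_deletes(ev):
        print(f"{deleted} deleted {delay:.0f}s after {survivor} came up for the same peer ID '{peer_id}'")
    for ctx, sa in cross_checkouts(ev):
        print(f"{ctx} checked out {sa}")
```

Run it against a full charon log (`journalctl -u strongswan` or the syslog file) instead of the sample to see every such pairing; a delete that follows a sibling's establishment by a fixed delay, with the second SA having checked out the first during its IKE_AUTH, is what the excerpt above shows for l2l[1] and l2l[2].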