[strongSwan] Multiple IKE SA between same pair of address

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Mon Jan 15 18:35:18 CET 2018 

Hi

Actually it works when using PSK,  without setting "uniqueids=no"..it could
continue to be the default ."uniqueids=yes" which is implicit..becos you
need each tunnel to have unique-ids for separation

I agree with Certificates you will need to set "uniqueids=no"...and use the
same set of certs for each tunnel..

So say you have a setup as below:

(multiple-subnets)-----(Lan)[GW1](Wan)====(Wan)[GW2](Lan)-----(multiple-subnets)

Note: Its imperative and must that you define the default-gw-ipaddress (as
the remote-gw wanipaddr) on each of the GW1 and GW2...eventhough they maybe
connected back-to-back and they maybe having ipaddresses in same subnet...


In my case i configured a 1000-tunnels (1 tunnel = 1 IKE-SA pair, 2
IPsec-SA pairs), between GW1 and GW2 using the same single wanipaddress

I did it successfully by ensuring that each connection-entry in the
ipsec.conf file has a unique-set of left/right-IDs and therefore a
corresponding set of PSK in the ipsec.secrets file

I also successfully sent continuous traffic thru each of the 1000 tunnels
(infact i triggered the tunnels to get established by sending traffic
hitting each of the ipsec policies...) using tools like
spirentTC/ixia....start by sending about 100KB of traffic for each of the
subnet-pairs...and once all the tunnels are established..you may increase
the traffic load as per your setup requirements

Please find attached the sample config files for both GW1 and GW2 for the
1000-tunnels (please rename the files to ipsec.conf/ipsec.secrets on the
respective GWs)

Hope this helps

thanks & regards
Rajiv


On Thu, Jan 11, 2018 at 5:26 PM, Noel Kuntze <
noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:

> Hi,
>
> Set uniqueids = no in config setup.
> Better, use swanctl.conf with swanctl. There, you can set it per conn and
> not globally.
>
> Kind regards
>
> Noel
>
> On 06.01.2018 01:15, Jun Hu wrote:
> > Hi,
> > Does strongswan support multiple IKE SA (each with its own CHILD_SA)
> between single pair of address?
> > it seems strongswan only allow one IKE SA per pair of address
> >
> > I am using strongswan 5.5.0, inter-op with a IKEv2 client that I wrote
> (for learning purpose) , my client is the tunnel initiator, when I only
> creates one IKE SA (along with one CHILD_SA), everything is good;
> > but when my client try to create 2nd CHILD_SA (using IKE_SA_INIT and
> IKE_AUTH exchange, not rekey) using same addresses,the 2nd IKE and CHILD SA
> were created successfully at the beginning, but after a few seconds,
> strongswan send a delete msg to delete the 1st IKE_SA
> >
> > I also tried to set charon.reuse_ikesa to no, but same result
> >
> > I checked strongswan logs, it doesn't say why it deletes 1st IKE SA:
> > root at vm-svr:/usr/local/etc# ipsec status
> > Security Associations (2 up, 0 connecting):
> >          l2l[2]: ESTABLISHED 9 seconds ago, 10.10.10.1[10.10.10.1]...10.
> 10.10.20[1.1.1.1]
> >          l2l{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1aab5fc_i
> 3f174706_o
> >          l2l{2}:   10.10.10.1/32 <http://10.10.10.1/32> === 1.1.1.2/32 <
> http://1.1.1.2/32>
> >          l2l[1]: ESTABLISHED 19 seconds ago, 10.10.10.1[10.10.10.1]...10.
> 10.10.20[1.1.1.1]
> >          l2l{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca5a49fd_i
> 617a4971_o
> >          l2l{1}:   10.10.10.1/32 <http://10.10.10.1/32> === 1.1.1.1/32 <
> http://1.1.1.1/32>
> > root at vm-svr:/usr/local/etc# ipsec status
> > Security Associations (1 up, 0 connecting):
> >          l2l[2]: ESTABLISHED 10 seconds ago, 10.10.10.1[10.10.10.1]...10.
> 10.10.20[1.1.1.1]
> >          l2l{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1aab5fc_i
> 3f174706_o
> >          l2l{2}:   10.10.10.1/32 <http://10.10.10.1/32> === 1.1.1.2/32 <
> http://1.1.1.2/32>
> >
> >
> >
> > part of the log:
> > .....
> > Jan  5 15:50:21 06[MGR] <l2l|2> checkout IKEv2 SA with SPIs
> 2c79130e38a24598_i c530ad0d0f1a47f0_r
> > Jan  5 15:50:21 06[MGR] <l2l|2> IKE_SA l2l[1] successfully checked out
> > Jan  5 15:50:21 06[MGR] <l2l|1> checkin IKE_SA l2l[1]
> > Jan  5 15:50:21 06[MGR] <l2l|1> checkin of IKE_SA successful
> > Jan  5 15:50:21 06[IKE] <l2l|2> IKE_SA l2l[2] established between
> 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
> > Jan  5 15:50:21 06[IKE] <l2l|2> IKE_SA l2l[2] state change: CONNECTING
> => ESTABLISHED
> > Jan  5 15:50:21 06[IKE] <l2l|2> scheduling rekeying in 490s
> > Jan  5 15:50:21 06[IKE] <l2l|2> maximum IKE_SA lifetime 500s
> > Jan  5 15:50:21 06[KNL] <l2l|2> got SPI c1aab5fc
> > Jan  5 15:50:21 06[KNL] <l2l|2> adding SAD entry with SPI c1aab5fc and
> reqid {2}
> > Jan  5 15:50:21 06[KNL] <l2l|2>   using encryption algorithm AES_CBC
> with key size 128
> > Jan  5 15:50:21 06[KNL] <l2l|2>   using integrity algorithm HMAC_SHA1_96
> with key size 160
> > Jan  5 15:50:21 06[KNL] <l2l|2>   using replay window of 32 packets
> > Jan  5 15:50:21 06[KNL] <l2l|2> adding SAD entry with SPI 3f174706 and
> reqid {2}
> > Jan  5 15:50:21 06[KNL] <l2l|2>   using encryption algorithm AES_CBC
> with key size 128
> > Jan  5 15:50:21 06[KNL] <l2l|2>   using integrity algorithm HMAC_SHA1_96
> with key size 160
> > Jan  5 15:50:21 06[KNL] <l2l|2>   using replay window of 0 packets
> > Jan  5 15:50:21 06[KNL] <l2l|2> adding policy 10.10.10.1/32 <
> http://10.10.10.1/32> === 1.1.1.2/32 <http://1.1.1.2/32> out [priority
> 383616, refcount 1]
> > Jan  5 15:50:21 06[KNL] <l2l|2> adding policy 1.1.1.2/32 <
> http://1.1.1.2/32> === 10.10.10.1/32 <http://10.10.10.1/32> in [priority
> 383616, refcount 1]
> > Jan  5 15:50:21 06[KNL] <l2l|2> adding policy 1.1.1.2/32 <
> http://1.1.1.2/32> === 10.10.10.1/32 <http://10.10.10.1/32> fwd [priority
> 383616, refcount 1]
> > Jan  5 15:50:21 06[KNL] <l2l|2> adding policy 10.10.10.1/32 <
> http://10.10.10.1/32> === 1.1.1.2/32 <http://1.1.1.2/32> fwd [priority
> 383616, refcount 1]
> > Jan  5 15:50:21 06[KNL] <l2l|2> policy 10.10.10.1/32 <
> http://10.10.10.1/32> === 1.1.1.2/32 <http://1.1.1.2/32> out already
> exists, increasing refcount
> > Jan  5 15:50:21 06[KNL] <l2l|2> updating policy 10.10.10.1/32 <
> http://10.10.10.1/32> === 1.1.1.2/32 <http://1.1.1.2/32> out [priority
> 183616, refcount 2]
> > Jan  5 15:50:21 06[KNL] <l2l|2> getting a local address in traffic
> selector 10.10.10.1/32 <http://10.10.10.1/32>
> > Jan  5 15:50:21 06[KNL] <l2l|2> using host 10.10.10.1
> > Jan  5 15:50:21 06[KNL] <l2l|2> getting iface name for index 4
> > Jan  5 15:50:21 06[KNL] <l2l|2> using 10.10.10.20 as nexthop and eth2 as
> dev to reach 10.10.10.20/32 <http://10.10.10.20/32>
> > Jan  5 15:50:21 06[KNL] <l2l|2> installing route: 1.1.1.2/32 <
> http://1.1.1.2/32> via 10.10.10.20 src 10.10.10.1 dev eth2
> > Jan  5 15:50:21 06[KNL] <l2l|2> getting iface index for eth2
> > Jan  5 15:50:21 06[KNL] <l2l|2> policy 1.1.1.2/32 <http://1.1.1.2/32>
> === 10.10.10.1/32 <http://10.10.10.1/32> in already exists, increasing
> refcount
> > Jan  5 15:50:21 06[KNL] <l2l|2> updating policy 1.1.1.2/32 <
> http://1.1.1.2/32> === 10.10.10.1/32 <http://10.10.10.1/32> in [priority
> 183616, refcount 2]
> > Jan  5 15:50:21 06[KNL] <l2l|2> policy 1.1.1.2/32 <http://1.1.1.2/32>
> === 10.10.10.1/32 <http://10.10.10.1/32> fwd already exists, increasing
> refcount
> > Jan  5 15:50:21 06[KNL] <l2l|2> updating policy 1.1.1.2/32 <
> http://1.1.1.2/32> === 10.10.10.1/32 <http://10.10.10.1/32> fwd [priority
> 183616, refcount 2]
> > Jan  5 15:50:21 06[KNL] <l2l|2> policy 10.10.10.1/32 <
> http://10.10.10.1/32> === 1.1.1.2/32 <http://1.1.1.2/32> fwd already
> exists, increasing refcount
> > Jan  5 15:50:21 06[KNL] <l2l|2> updating policy 10.10.10.1/32 <
> http://10.10.10.1/32> === 1.1.1.2/32 <http://1.1.1.2/32> fwd [priority
> 283616, refcount 2]
> > Jan  5 15:50:21 06[IKE] <l2l|2> CHILD_SA l2l{2} established with SPIs
> c1aab5fc_i 3f174706_o and TS 10.10.10.1/32 <http://10.10.10.1/32> ===
> 1.1.1.2/32 <http://1.1.1.2/32>
> > Jan  5 15:50:21 06[KNL] <l2l|2> querying SAD entry with SPI c1aab5fc
> > Jan  5 15:50:21 06[KNL] <l2l|2> querying SAD entry with SPI 3f174706
> > Jan  5 15:50:21 06[KNL] <l2l|2> 10.10.10.1 is on interface eth2
> > Jan  5 15:50:21 06[ENC] <l2l|2> generating IKE_AUTH response 1 [ IDr
> AUTH SA TSi TSr ]
> > Jan  5 15:50:21 06[NET] <l2l|2> sending packet: from 10.10.10.1[500] to
> 10.10.10.20[500] (204 bytes)
> > Jan  5 15:50:21 06[MGR] <l2l|2> checkin IKE_SA l2l[2]
> > Jan  5 15:50:21 06[MGR] <l2l|2> checkin of IKE_SA successful
> > Jan  5 15:50:31 05[MGR] checkout IKEv2 SA with SPIs 2c79130e38a24598_i
> c530ad0d0f1a47f0_r
> > Jan  5 15:50:31 05[MGR] IKE_SA l2l[1] successfully checked out
> > Jan  5 15:50:31 05[IKE] <l2l|1> queueing IKE_DELETE task
> > Jan  5 15:50:31 05[IKE] <l2l|1> activating new tasks
> > Jan  5 15:50:31 05[IKE] <l2l|1>   activating IKE_DELETE task
> > Jan  5 15:50:31 05[IKE] <l2l|1> deleting IKE_SA l2l[1] between
> 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
> > Jan  5 15:50:31 05[IKE] <l2l|1> IKE_SA l2l[1] state change: ESTABLISHED
> => DELETING
> > Jan  5 15:50:31 05[IKE] <l2l|1> sending DELETE for IKE_SA l2l[1]
> > Jan  5 15:50:31 05[ENC] <l2l|1> generating INFORMATIONAL request 0 [ D ]
> > Jan  5 15:50:31 05[NET] <l2l|1> sending packet: from 10.10.10.1[500] to
> 10.10.10.20[500] (76 bytes)
> > Jan  5 15:50:31 05[MGR] <l2l|1> checkin IKE_SA l2l[1]
> > Jan  5 15:50:31 05[MGR] <l2l|1> checkin of IKE_SA successful
> > Jan  5 15:50:31 13[MGR] checkout IKEv2 SA by message with SPIs
> 2c79130e38a24598_i c530ad0d0f1a47f0_r
> > Jan  5 15:50:31 13[MGR] IKE_SA l2l[1] successfully checked out
> >
> > ===ipsec.conf===
> > conn %default
> >         keyexchange=ikev2
> >         mobike = no
> >         reauth=no
> >
> > conn l2l
> > ikelifetime=500s
> > margintime=10s
> > rekeyfuzz=0%
> > ike=aes128-sha1-modp2048!
> > esp=aes128-sha1
> > authby=psk
> >         leftfirewall=yes
> > rightsubnet=1.0.0.0/8 <http://1.0.0.0/8>
> >         auto=add
> >
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180115/b6ee485e/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsecgw1.conf
Type: application/octet-stream
Size: 136767 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180115/b6ee485e/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsecgw1.secrets
Type: application/octet-stream
Size: 41256 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180115/b6ee485e/attachment-0005.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsecgw2.conf
Type: application/octet-stream
Size: 136767 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180115/b6ee485e/attachment-0006.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsecgw2.secrets
Type: application/octet-stream
Size: 41218 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180115/b6ee485e/attachment-0007.obj>

More information about the Users mailing list