[strongSwan] Multiple IKE SA between same pair of address

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Wed Jan 17 18:42:08 CET 2018


Hello Noel

Yes, I agree, ideally and in production/live deployments of the
IPsec-Gateways, we will need to use different/unique certificates for each
tunnel that is established. But when you want to validate your
IPsec-Gateway for multiple concurrent tunnels...say 1000
IKEv1/IKEv2-IPsec-tunnels.... and if you have to use certs for the
IKE-auth, then it becomes very cumbersome to create 1000 certs (with
different IDs, preferably certs with different subjectAltNames, etc)....so
I generally test with 1 device-cert on each GW and set uniqueids=no and
bring up all those tunnels as required

> Why do you want that many IKE_SAs? For throughput testing, you only need
> many CHILD_SAs

You are right. We will use only IPsec-SAs/Child_SAs for throughput tests...But
I am configuring with multiple IKE-SAs too for testing the tunnel capacity
that the DUT (running strongSwan) can sustain (just as with using the
load-tester plugin method...but here I get to transfer continuous traffic too
via each of the tunnels established)

And also to run some tests to ascertain "tunnels/second", etc.

Also if you have to get your platforms/DUT IPsec-certified (by the IPsec
labs, etc)...as per their formula/standard..1 IPsec tunnel = 1
IKE-SA pair + 1 Child_SA pair

thank you so much

regards
Rajiv

On Tue, Jan 16, 2018 at 11:28 PM, Noel Kuntze <
noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:

> Hi,
>
> > I agree with Certificates you will need to set "uniqueids=no"...and use
> the same set of certs for each tunnel..
>
> No, just use different certificates and different IDs. It's not any
> different with PSKs, for example.
> I already did that by scripting with python.
>
> Why do you want that many IKE_SAs? For throughput testing, you only need
> many CHILD_SAs.
>
> Kind regards
>
> Noel
>
> On 15.01.2018 18:35, Rajiv Kulkarni wrote:
> > Hi
> >
> > Actually it works when using PSK, without setting "uniqueids=no"..it
> could continue to be the default "uniqueids=yes" which is implicit..because
> you need each tunnel to have unique IDs for separation
> >
> > I agree with Certificates you will need to set "uniqueids=no"...and use
> the same set of certs for each tunnel..
> >
> > So say you have a setup as below:
> >
> > (multiple-subnets)-----(Lan)[GW1](Wan)====(Wan)[GW2](Lan)-----(multiple-subnets)
> >
> > Note: It's imperative and a must that you define the default-gw IP address
> (as the remote-gw WAN IP address) on each of GW1 and GW2...even though they
> may be connected back-to-back and they may be having IP addresses in the same
> subnet...
> >
> >
> > In my case I configured 1000 tunnels (1 tunnel = 1 IKE-SA pair, 2
> IPsec-SA pairs), between GW1 and GW2 using the same single WAN IP address
> >
> > I did it successfully by ensuring that each connection-entry in the
> ipsec.conf file has a unique-set of left/right-IDs and therefore a
> corresponding set of PSK in the ipsec.secrets file
> >
> > I also successfully sent continuous traffic through each of the 1000
> tunnels (in fact I triggered the tunnels to get established by sending
> traffic hitting each of the IPsec policies...) using tools like
> Spirent TC/Ixia....start by sending about 100KB of traffic for each of the
> subnet-pairs...and once all the tunnels are established..you may increase
> the traffic load as per your setup requirements
> >
> > Please find attached the sample config files for both GW1 and GW2 for
> the 1000-tunnels (please rename the files to ipsec.conf/ipsec.secrets on
> the respective GWs)
> >
> > Hope this helps
> >
> > thanks & regards
> > Rajiv
> >
> >
> > On Thu, Jan 11, 2018 at 5:26 PM, Noel Kuntze
> <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> >
> >     Hi,
> >
> >     Set uniqueids = no in config setup.
> >     Better, use swanctl.conf with swanctl. There, you can set it per
> conn and not globally.
> >
> >     Kind regards
> >
> >     Noel
> >
> >     On 06.01.2018 01:15, Jun Hu wrote:
> >     > Hi,
> >     > Does strongSwan support multiple IKE SAs (each with its own CHILD_SA) between a single pair of addresses?
> >     > It seems strongSwan only allows one IKE SA per pair of addresses.
> >     >
> >     > I am using strongSwan 5.5.0, interoperating with an IKEv2 client that I wrote (for learning purposes); my client is the tunnel initiator. When I only create one IKE SA (along with one CHILD_SA), everything is good;
> >     > but when my client tries to create a 2nd CHILD_SA (using IKE_SA_INIT and IKE_AUTH exchanges, not rekey) using the same addresses, the 2nd IKE and CHILD SA are created successfully at the beginning, but after a few seconds, strongSwan sends a delete message to delete the 1st IKE_SA.
> >     >
> >     > I also tried to set charon.reuse_ikesa to no, but same result.
> >     >
> >     > I checked the strongSwan logs; they don't say why it deletes the 1st IKE SA:
> >     > root at vm-svr:/usr/local/etc# ipsec status
> >     > Security Associations (2 up, 0 connecting):
> >     >          l2l[2]: ESTABLISHED 9 seconds ago, 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
> >     >          l2l{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1aab5fc_i 3f174706_o
> >     >          l2l{2}:   10.10.10.1/32 === 1.1.1.2/32
> >     >          l2l[1]: ESTABLISHED 19 seconds ago, 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
> >     >          l2l{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca5a49fd_i 617a4971_o
> >     >          l2l{1}:   10.10.10.1/32 === 1.1.1.1/32
> >     > root at vm-svr:/usr/local/etc# ipsec status
> >     > Security Associations (1 up, 0 connecting):
> >     >          l2l[2]: ESTABLISHED 10 seconds ago, 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
> >     >          l2l{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1aab5fc_i 3f174706_o
> >     >          l2l{2}:   10.10.10.1/32 === 1.1.1.2/32
> >     >
> >     >
> >     >
> >     > part of the log:
> >     > .....
> >     > Jan  5 15:50:21 06[MGR] <l2l|2> checkout IKEv2 SA with SPIs 2c79130e38a24598_i c530ad0d0f1a47f0_r
> >     > Jan  5 15:50:21 06[MGR] <l2l|2> IKE_SA l2l[1] successfully checked out
> >     > Jan  5 15:50:21 06[MGR] <l2l|1> checkin IKE_SA l2l[1]
> >     > Jan  5 15:50:21 06[MGR] <l2l|1> checkin of IKE_SA successful
> >     > Jan  5 15:50:21 06[IKE] <l2l|2> IKE_SA l2l[2] established between 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
> >     > Jan  5 15:50:21 06[IKE] <l2l|2> IKE_SA l2l[2] state change: CONNECTING => ESTABLISHED
> >     > Jan  5 15:50:21 06[IKE] <l2l|2> scheduling rekeying in 490s
> >     > Jan  5 15:50:21 06[IKE] <l2l|2> maximum IKE_SA lifetime 500s
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> got SPI c1aab5fc
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> adding SAD entry with SPI c1aab5fc and reqid {2}
> >     > Jan  5 15:50:21 06[KNL] <l2l|2>   using encryption algorithm AES_CBC with key size 128
> >     > Jan  5 15:50:21 06[KNL] <l2l|2>   using integrity algorithm HMAC_SHA1_96 with key size 160
> >     > Jan  5 15:50:21 06[KNL] <l2l|2>   using replay window of 32 packets
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> adding SAD entry with SPI 3f174706 and reqid {2}
> >     > Jan  5 15:50:21 06[KNL] <l2l|2>   using encryption algorithm AES_CBC with key size 128
> >     > Jan  5 15:50:21 06[KNL] <l2l|2>   using integrity algorithm HMAC_SHA1_96 with key size 160
> >     > Jan  5 15:50:21 06[KNL] <l2l|2>   using replay window of 0 packets
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> adding policy 10.10.10.1/32 === 1.1.1.2/32 out [priority 383616, refcount 1]
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> adding policy 1.1.1.2/32 === 10.10.10.1/32 in [priority 383616, refcount 1]
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> adding policy 1.1.1.2/32 === 10.10.10.1/32 fwd [priority 383616, refcount 1]
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> adding policy 10.10.10.1/32 === 1.1.1.2/32 fwd [priority 383616, refcount 1]
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> policy 10.10.10.1/32 === 1.1.1.2/32 out already exists, increasing refcount
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> updating policy 10.10.10.1/32 === 1.1.1.2/32 out [priority 183616, refcount 2]
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> getting a local address in traffic selector 10.10.10.1/32
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> using host 10.10.10.1
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> getting iface name for index 4
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> using 10.10.10.20 as nexthop and eth2 as dev to reach 10.10.10.20/32
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> installing route: 1.1.1.2/32 via 10.10.10.20 src 10.10.10.1 dev eth2
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> getting iface index for eth2
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> policy 1.1.1.2/32 === 10.10.10.1/32 in already exists, increasing refcount
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> updating policy 1.1.1.2/32 === 10.10.10.1/32 in [priority 183616, refcount 2]
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> policy 1.1.1.2/32 === 10.10.10.1/32 fwd already exists, increasing refcount
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> updating policy 1.1.1.2/32 === 10.10.10.1/32 fwd [priority 183616, refcount 2]
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> policy 10.10.10.1/32 === 1.1.1.2/32 fwd already exists, increasing refcount
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> updating policy 10.10.10.1/32 === 1.1.1.2/32 fwd [priority 283616, refcount 2]
> >     > Jan  5 15:50:21 06[IKE] <l2l|2> CHILD_SA l2l{2} established with SPIs c1aab5fc_i 3f174706_o and TS 10.10.10.1/32 === 1.1.1.2/32
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> querying SAD entry with SPI c1aab5fc
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> querying SAD entry with SPI 3f174706
> >     > Jan  5 15:50:21 06[KNL] <l2l|2> 10.10.10.1 is on interface eth2
> >     > Jan  5 15:50:21 06[ENC] <l2l|2> generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
> >     > Jan  5 15:50:21 06[NET] <l2l|2> sending packet: from 10.10.10.1[500] to 10.10.10.20[500] (204 bytes)
> >     > Jan  5 15:50:21 06[MGR] <l2l|2> checkin IKE_SA l2l[2]
> >     > Jan  5 15:50:21 06[MGR] <l2l|2> checkin of IKE_SA successful
> >     > Jan  5 15:50:31 05[MGR] checkout IKEv2 SA with SPIs 2c79130e38a24598_i c530ad0d0f1a47f0_r
> >     > Jan  5 15:50:31 05[MGR] IKE_SA l2l[1] successfully checked out
> >     > Jan  5 15:50:31 05[IKE] <l2l|1> queueing IKE_DELETE task
> >     > Jan  5 15:50:31 05[IKE] <l2l|1> activating new tasks
> >     > Jan  5 15:50:31 05[IKE] <l2l|1>   activating IKE_DELETE task
> >     > Jan  5 15:50:31 05[IKE] <l2l|1> deleting IKE_SA l2l[1] between 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
> >     > Jan  5 15:50:31 05[IKE] <l2l|1> IKE_SA l2l[1] state change: ESTABLISHED => DELETING
> >     > Jan  5 15:50:31 05[IKE] <l2l|1> sending DELETE for IKE_SA l2l[1]
> >     > Jan  5 15:50:31 05[ENC] <l2l|1> generating INFORMATIONAL request 0 [ D ]
> >     > Jan  5 15:50:31 05[NET] <l2l|1> sending packet: from 10.10.10.1[500] to 10.10.10.20[500] (76 bytes)
> >     > Jan  5 15:50:31 05[MGR] <l2l|1> checkin IKE_SA l2l[1]
> >     > Jan  5 15:50:31 05[MGR] <l2l|1> checkin of IKE_SA successful
> >     > Jan  5 15:50:31 13[MGR] checkout IKEv2 SA by message with SPIs 2c79130e38a24598_i c530ad0d0f1a47f0_r
> >     > Jan  5 15:50:31 13[MGR] IKE_SA l2l[1] successfully checked out
> >     >
> >     > ===ipsec.conf===
> >     > conn %default
> >     >         keyexchange=ikev2
> >     >         mobike=no
> >     >         reauth=no
> >     >
> >     > conn l2l
> >     >         ikelifetime=500s
> >     >         margintime=10s
> >     >         rekeyfuzz=0%
> >     >         ike=aes128-sha1-modp2048!
> >     >         esp=aes128-sha1
> >     >         authby=psk
> >     >         leftfirewall=yes
> >     >         rightsubnet=1.0.0.0/8
> >     >         auto=add
> >     >
> >     >
> >
> >
>
>
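Added example, not code from this thread or from the strongSwan project: a generator for the per-tunnel ipsec.conf/ipsec.secrets layout Rajiv describes (one conn per tunnel between the same two WAN addresses, each with its own leftid/rightid and its own PSK), together with a check for the configuration state behind Jun Hu's symptom: two conns that resolve to the same identity pair, which under the default uniqueids=yes makes charon keep only one IKE_SA for that pair. The WAN addresses 192.0.2.1/192.0.2.2, the example.net identity scheme, the 10.1.0.0/16 and 10.2.0.0/16 subnet carving and the AEAD proposals are constructed assumptions; the `0x` hex form of a PSK in ipsec.secrets and the leftid/rightid fallback to the left/right address are strongSwan's.

```python
"""Per-tunnel ipsec.conf / ipsec.secrets generator for many tunnels between
one pair of gateway addresses, plus a duplicate identity-pair check.
Added example, not from the thread or strongSwan; all values are constructed."""
import ipaddress
import re
import secrets
from typing import Dict, List, Tuple

GW1_WAN = "192.0.2.1"   # constructed GW1 WAN address
GW2_WAN = "192.0.2.2"   # constructed GW2 WAN address
# Each LAN side is a /16 carved into 1024 /26s, one per tunnel (constructed).
GW1_SUBNETS = list(ipaddress.ip_network("10.1.0.0/16").subnets(new_prefix=26))
GW2_SUBNETS = list(ipaddress.ip_network("10.2.0.0/16").subnets(new_prefix=26))


def tunnel_ids(n: int) -> Tuple[str, str]:
    """Distinct IKE identities (GW1 side, GW2 side) for tunnel n; hypothetical scheme."""
    return f"gw1-tunnel{n:04d}@example.net", f"gw2-tunnel{n:04d}@example.net"


def subnet_pair(n: int) -> Tuple[str, str]:
    """The n-th /26 behind GW1 and behind GW2 (1 <= n <= 1024)."""
    return str(GW1_SUBNETS[n - 1]), str(GW2_SUBNETS[n - 1])


def conn_block(n: int, on_gw1: bool) -> str:
    """One conn entry for tunnel n, written from GW1's or GW2's point of view."""
    gw1_id, gw2_id = tunnel_ids(n)
    gw1_net, gw2_net = subnet_pair(n)
    gw1, gw2 = (GW1_WAN, gw1_id, gw1_net), (GW2_WAN, gw2_id, gw2_net)
    left, right = (gw1, gw2) if on_gw1 else (gw2, gw1)
    return "\n".join([
        f"conn tunnel{n:04d}",
        f"        left={left[0]}",
        f"        leftid={left[1]}",
        f"        leftsubnet={left[2]}",
        f"        right={right[0]}",
        f"        rightid={right[1]}",
        f"        rightsubnet={right[2]}",
        "        auto=route",
        "",
    ])


def render_ipsec_conf(count: int, on_gw1: bool) -> str:
    """Full ipsec.conf; uniqueids stays at its default because no ID pair repeats."""
    header = [
        "config setup",
        "        # default; safe here because every conn has its own ID pair",
        "        uniqueids=yes",
        "",
        "conn %default",
        "        keyexchange=ikev2",
        "        authby=psk",
        "        ike=aes128gcm16-prfsha256-ecp256!",   # constructed proposals
        "        esp=aes128gcm16!",
        "",
    ]
    return "\n".join(header + [conn_block(n, on_gw1) for n in range(1, count + 1)])


def make_psks(count: int) -> Dict[int, str]:
    """One fresh 256-bit PSK per tunnel from the OS CSPRNG, as hex."""
    return {n: secrets.token_hex(32) for n in range(1, count + 1)}


def render_ipsec_secrets(psks: Dict[int, str]) -> str:
    """ipsec.secrets, identical on both gateways: '<id1> <id2> : PSK 0x<hex>'."""
    lines = []
    for n, psk in sorted(psks.items()):
        gw1_id, gw2_id = tunnel_ids(n)
        lines.append(f"{gw1_id} {gw2_id} : PSK 0x{psk}")
    return "\n".join(lines) + "\n"


_CONN_RE = re.compile(r"^conn\s+(\S+)$")


def duplicate_id_pairs(conf_text: str) -> List[Tuple[str, str]]:
    """(leftid, rightid) pairs shared by more than one conn.
    With uniqueids=yes charon keeps one IKE_SA per identity pair, so such conns
    displace each other's IKE_SA. Missing IDs fall back to the left/right address."""
    blocks: Dict[str, Dict[str, str]] = {}
    name = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        m = _CONN_RE.match(line)
        if m:
            name = m.group(1)
            blocks[name] = {}
        elif name is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            blocks[name][key] = val
    seen: Dict[Tuple[str, str], int] = {}
    for cname, kv in blocks.items():
        if cname == "%default":
            continue
        pair = (kv.get("leftid", kv.get("left", "%any")),
                kv.get("rightid", kv.get("right", "%any")))
        seen[pair] = seen.get(pair, 0) + 1
    return [pair for pair, hits in seen.items() if hits > 1]
```

Write `render_ipsec_conf(1000, on_gw1=True)` to GW1 and `render_ipsec_conf(1000, on_gw1=False)` to GW2, generate the PSKs once with `make_psks(1000)` and install the same `render_ipsec_secrets(...)` output on both gateways. Running `duplicate_id_pairs` over a config such as Jun Hu's, where every conn lacks leftid/rightid and so shares the address-derived pair, reports that pair; over the generated files it returns an empty list.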