[strongSwan] multiple id for same ipsec peer

Marco Berizzi pupilla at hotmail.com
Tue May 8 11:20:17 CEST 2018

Hello everyone,

I'm running strongswan 5.6.3dr1 on Slackware linux.
On this strongswan box an ikev2 tunnel is configured
to a customer checkpoint R77.30 gateway.

Sometimes, for an unknown reason, the checkpoint will
try to initiate the IKE_SA, but instead of using its
public ip address as the id, it is using another ip
address. Here is the relevant log:

12[NET] received packet: from customer_public[500] to my_public[500] (260 bytes) 
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 
12[IKE] customer_public is initiating an IKE_SA 
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ] 
12[NET] sending packet: from my_public[500] to customer_public[500] (280 bytes) 
04[NET] received packet: from customer_public[500] to my_public[500] (336 bytes) 
04[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N((47997)) SA TSi TSr N(INIT_CONTACT) V N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ] 
04[CFG] looking for peer configs matching my_public[%any]...customer_public[] 
04[CFG] selected peer config 'customer-' 
04[IKE] authentication of '' with pre-shared key successful 
04[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding 
04[IKE] authentication of 'my_public' (myself) with pre-shared key 
04[IKE] IKE_SA customer-[10] established between my_public[my_public]...customer_public[] 

I have bypassed this crazy checkpoint behaviour by
adding another conn section to the ipsec.conf file,
configured only as responder (auto=add):

conn customer

conn customer-

conn customer-

Now I would like to move this configuration to the
new swanctl.conf file format.

I would like to ask if this swanctl.conf file is
equivalent to the above ipsec.conf:

connections {

   customer {
      local_addrs  = my_public
      remote_addrs = customer_public

      local {
         auth = psk
         id = my_public
      }
      remote {
         auth = psk
         id = customer_public
         id =
      }
      children {
         customer-networks {
            local_ts  =
            remote_ts =
            start_action = trap
            esp_proposals = aes256-sha384-ecp521
         }
      }
      proposals = aes256-sha384-ecp521
      send_cert = never
      send_certreq = no
   }
}

secrets {
   ike-customer {
      id = customer_public
      id =
      secret = "blablabla"
   }
}


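One way to express the two-conn ipsec.conf approach in swanctl.conf, added here as an example and not taken from the original post: each IKE identity the Check Point may present gets its own connection with the same remote_addrs, the fallback connection is left without a start_action so it only responds, and the PSK entry lists both identities with id suffixes. my_public and customer_public are the post's placeholders; 198.51.100.7 (the alternate identity) and the two subnets are constructed placeholders.

```conf
# Added example (not from the original post); addresses and subnets are placeholders.
connections {
   customer {
      local_addrs  = my_public
      remote_addrs = customer_public
      local {
         auth = psk
         id = my_public
      }
      remote {
         auth = psk
         id = customer_public
      }
      children {
         customer-networks {
            local_ts  = 10.0.0.0/24
            remote_ts = 192.168.0.0/24
            start_action = trap
            esp_proposals = aes256-sha384-ecp521
         }
      }
   }
   # Fallback for the alternate identity; no start_action, so responder-only (ipsec.conf auto=add).
   customer-alt {
      local_addrs  = my_public
      remote_addrs = customer_public
      local {
         auth = psk
         id = my_public
      }
      remote {
         auth = psk
         id = 198.51.100.7
      }
      children {
         customer-networks {
            local_ts  = 10.0.0.0/24
            remote_ts = 192.168.0.0/24
            esp_proposals = aes256-sha384-ecp521
         }
      }
   }
}
secrets {
   # One PSK shared by both identities, listed with id suffixes.
   ike-customer {
      id-1 = customer_public
      id-2 = 198.51.100.7
      secret = "blablabla"
   }
}
```

Which connection is selected as responder is decided by the IDi in the IKE_AUTH request, which is what the 'looking for peer configs matching ...' log line above shows.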