[strongSwan] why multiple INSTALLED TUNNEL ???
Jens Krehbiel-Gräther
jens.krehbiel-graether at jkg-it-services.de
Mon Apr 1 18:00:01 CEST 2019
Hi,
can anyone tell me the reason why my client initiates multiple tunnels
over time (it's an always-on site-to-site VPN)? The longer the ipsec
daemon is running, the more tunnels are "opened". I think I have an error
in dpdaction or in closeaction, but I tried several configurations and
nothing changes...
Client /etc/ipsec.conf:
config setup
charondebug="ike 0, esp 0, cfg 0, chd 0, mgr 0, net 0, knl 0"
uniqueids=yes
conn server
authby=secret
left=%defaultroute
leftid=michael.client
leftsubnet=10.20.3.0/24
right=<DNS-Name_of_public_IP_of_the_server>
rightid=michael.server
rightsubnet=10.20.50.0/24,10.20.20.0/24,10.20.21.0/24
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
closeaction=restart
auto=route
Client /etc/ipsec.secret:
michael.client michael.server : PSK "<long_PSK>"
Server /etc/ipsec.conf:
config setup
uniqueids=yes
charondebug="ike 0, esp 0, cfg 0, chd 0, mgr 0, net 0, knl 0"
conn client
authby=secret
left=%defaultroute
leftid=michael.server
leftsubnet=10.20.50.0/24,10.20.20.0/24,10.20.21.0/24
right=%any
rightid=michael.client
rightsubnet=10.20.3.0/24
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
auto=add
Server /etc/ipsec.secret:
michael.server michael.client : PSK "<long_PSK>"
It results in this (output of ipsec statusall):
client[5674]: ESTABLISHED 24 minutes ago,
<public_IP_of_Sever>[michael.server]...<public_IP_of_client>[michael.client]
client[5674]: IKEv2 SPIs: 8950919e6207c9d9_i d2e3c1da7991f1c6_r*,
pre-shared key reauthentication in 20 minutes
client[5674]: IKE proposal:
AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
client{7455}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs: cfad6344_i
ca727d46_o
client{7455}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts, 27s
ago), 0 bytes_o, rekeying in 7 hours
client{7455}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 === 10.20.3.0/24
client{7456}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs: cb519378_i
c89244b9_o
client{7456}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts, 27s
ago), 0 bytes_o, rekeying in 7 hours
client{7456}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 === 10.20.3.0/24
client{7457}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs: c30d0ccc_i
cdcf32ec_o
client{7457}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts, 27s
ago), 0 bytes_o, rekeying in 7 hours
client{7457}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 === 10.20.3.0/24
client{7458}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs: c1debb15_i
c48082fa_o
client{7458}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts, 27s
ago), 0 bytes_o, rekeying in 7 hours
client{7458}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 === 10.20.3.0/24
client{7459}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs: c1a99a37_i
c8322764_o
client{7459}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts, 27s
ago), 0 bytes_o, rekeying in 7 hours
client{7459}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 === 10.20.3.0/24
client{7460}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs: c3650305_i
c7f2a153_o
client{7460}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts, 27s
ago), 0 bytes_o, rekeying in 7 hours
client{7460}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 === 10.20.3.0/24
client{7461}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs: cb5b9c7f_i
c11d540c_o
client{7461}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts, 27s
ago), 0 bytes_o, rekeying in 7 hours
client{7461}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 === 10.20.3.0/24
client{7462}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs: cccd97f6_i
c204b59e_o
client{7462}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts, 27s
ago), 0 bytes_o, rekeying in 7 hours
client{7462}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 === 10.20.3.0/24
client{7463}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs: cda71516_i
c15e8fbb_o
client{7463}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts, 27s
ago), 0 bytes_o, rekeying in 7 hours
client{7463}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 === 10.20.3.0/24
client{7464}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs: c807efda_i
c7434b3d_o
client{7464}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts, 27s
ago), 0 bytes_o, rekeying in 7 hours
client{7464}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 === 10.20.3.0/24
client{7465}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs: c81105c5_i
cd834cc2_o
client{7465}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts, 27s
ago), 0 bytes_o, rekeying in 7 hours
After a restart of the daemon I have just one:
client{7465}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs: c81105c5_i
cd834cc2_o
client{7465}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts, 27s
ago), 0 bytes_o, rekeying in 7 hours
But after hours/days I have "hundreds" of these tunnels, and they keep
getting more and more until I restart the daemon (on the client).
Why does this happen?
What would be the correct dpdaction or closeaction (if this is the problem)?
The client site is on a DSL connection, which restarts every night; it
doesn't matter whether the IP address changes or not. The server has a fixed IP
address and is always online.
I have 8 "client sites" to the same server and every connection behaves
like this (of course, because I use the same config with different
right/left ids and PSKs, with different subnets for every connection).
If you have suggestions for a better config for an always-on VPN, please
let me know.
Thanks for your help.
Jens
--
JKG IT-Services UG (haftungsbeschränkt)
Moltkestr. 31
76344 Eggenstein-Leopoldshafen
Phone: 07247 / 9881995-1
Fax: 07247 / 9881995-9
Mobile: 0176 / 47207343
E-Mail: jens.krehbiel-graether at jkg-it-services.de
Internet: http://www.jkg-it-services.de/
Registered office: Eggenstein-Leopoldshafen
Court of registration: AG Mannheim
Commercial register number: HRB 705813
VAT ID: DE265602472
Managing director: Jens Krehbiel-Gräther
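A small monitoring check for exactly this symptom, added here as an example and not part of the original post or of strongSwan itself: it parses `ipsec statusall` output (constructed sample lines modelled on the output quoted above, with placeholder public IPs) and reports CHILD_SAs that share the same connection, reqid and traffic selectors, which a healthy site-to-site tunnel should show only once (or twice briefly during a rekey).

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `ipsec statusall` output (SPIs and reqid
# taken from the post above; wrapped lines re-joined as charon prints them).
SAMPLE_STATUS = """\
client[5674]: ESTABLISHED 24 minutes ago, 203.0.113.10[michael.server]...198.51.100.20[michael.client]
client[5674]: IKEv2 SPIs: 8950919e6207c9d9_i d2e3c1da7991f1c6_r*, pre-shared key reauthentication in 20 minutes
client{7455}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs: cfad6344_i ca727d46_o
client{7455}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 === 10.20.3.0/24
client{7456}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs: cb519378_i c89244b9_o
client{7456}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 === 10.20.3.0/24
client{7457}: INSTALLED, TUNNEL, reqid 137, ESP in UDP SPIs: c30d0ccc_i cdcf32ec_o
client{7457}: 10.20.20.0/24 10.20.21.0/24 10.20.50.0/24 === 10.20.3.0/24
other{12}: INSTALLED, TUNNEL, reqid 5, ESP SPIs: c0000001_i c0000002_o
other{12}: 192.0.2.0/24 === 10.9.0.0/16
"""

# First line of a CHILD_SA: "<conn>{<id>}: INSTALLED, <mode>, reqid <n>, ..."
CHILD_RE = re.compile(r"^(?P<conn>[\w.-]+)\{(?P<id>\d+)\}:\s+INSTALLED, (?P<mode>\w+), reqid (?P<reqid>\d+)")
# Traffic selector line of a CHILD_SA: "<conn>{<id>}: <local TS> === <remote TS>"
TS_RE = re.compile(r"^(?P<conn>[\w.-]+)\{(?P<id>\d+)\}:\s+(?P<local>.+?) === (?P<remote>.+)$")

def parse_child_sas(text):
    """Return {(conn, child_id): {"reqid": int, "ts": (local, remote)}} from statusall text."""
    sas = {}
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if m:
            sas[(m["conn"], int(m["id"]))] = {"reqid": int(m["reqid"]), "ts": None}
            continue
        m = TS_RE.match(line)
        if m and (m["conn"], int(m["id"])) in sas:
            sas[(m["conn"], int(m["id"]))]["ts"] = (m["local"].strip(), m["remote"].strip())
    return sas

def find_duplicate_child_sas(text, threshold=2):
    """Group CHILD_SAs by (conn, reqid, traffic selectors); return groups with >= threshold members."""
    groups = defaultdict(list)
    for (conn, child_id), info in parse_child_sas(text).items():
        groups[(conn, info["reqid"], info["ts"])].append(child_id)
    return {key: ids for key, ids in groups.items() if len(ids) >= threshold}

if __name__ == "__main__":
    for (conn, reqid, ts), ids in find_duplicate_child_sas(SAMPLE_STATUS).items():
        print(f"{conn}: {len(ids)} CHILD_SAs share reqid {reqid} for {ts[0]} === {ts[1]}: {ids}")
```

Run it periodically against the live `ipsec statusall` output and alert when a group stays above 2 for longer than a rekey takes; the count growing over hours is the signal to investigate before the daemon has to be restarted.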