[strongSwan] Multiple CHILD_SA's after reauth timer expires

Makarand Pradhan MakarandPradhan at is5com.com
Tue Aug 18 17:28:25 CEST 2020


Good morning All,

We are noticing that every time after the reauth timer expires a new CHILD_SA gets created. 

ipsec.conf: auto is set to route on both sides.

config setup
        charondebug=@all@
        cachecrls=yes
        uniqueids=yes
        strictcrlpolicy=no

#####IS5#####
conn m1
        type=tunnel
        authby=secret
        auto=route
        keyexchange=ikev2

sh-4.3# ipsec statusall m1
Status of IKE charon daemon (weakSwan 5.8.2, Linux 4.1.35-rt41, ppc64):
  uptime: 26 minutes, since Aug 18 14:53:17 2020
  malloc: sbrk 2617344, mmap 0, used 1037312, free 1580032
  worker threads: 10 of 16 idle, 5/0/1/0 working, job queue: 0/0/0/0, scheduled: 2861
  loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac drbg attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
...
  172.16.100.50
Connections:
          m1:  172.16.100.1...172.17.100.101  IKEv2, dpddelay=60s
          m1:   local:  [172.16.100.1] uses pre-shared key authentication
          m1:   remote: [172.17.100.101] uses pre-shared key authentication
          m1:   child:  192.168.101.0/24 192.168.51.0/24 === 10.10.101.0/24 10.10.51.0/24 TUNNEL, dpdaction=clear
Routed Connections:
          m1{1021}:  ROUTED, TUNNEL, reqid 7
          m1{1021}:   192.168.51.0/24 192.168.101.0/24 === 10.10.51.0/24 10.10.101.0/24
Security Associations (2 up, 0 connecting):
          m1[3046]: ESTABLISHED 0 seconds ago, 172.16.100.1[172.16.100.1]...172.17.100.101[172.17.100.101]
          m1[3046]: IKEv2 SPIs: 88541fd5830f9b6a_i a695a57e6c7d70b3_r*, pre-shared key reauthentication in 6 minutes
          m1[3046]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
          m1{3678}:  INSTALLED, TUNNEL, reqid 7, ESP SPIs: ca44d297_i c5962749_o
          m1{3678}:  AES_CBC_256/HMAC_SHA2_256_128, 55120 bytes_i (40 pkts, 0s ago), 59254 bytes_o, rekeying in 6 minutes
          m1{3678}:   192.168.51.0/24 192.168.101.0/24 === 10.10.51.0/24 10.10.101.0/24
          m1{3679}:  INSTALLED, TUNNEL, reqid 7, ESP SPIs: c7ca3287_i c2bd2f7e_o
          m1{3679}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 3 minutes
          m1{3679}:   192.168.51.0/24 192.168.101.0/24 === 10.10.51.0/24 10.10.101.0/24
          m1[2639]: ESTABLISHED 2 minutes ago, 172.16.100.1[172.16.100.1]...172.17.100.101[172.17.100.101]
          m1[2639]: IKEv2 SPIs: acfb6b3d37647cfc_i* 544d8b2e2fce4b97_r, pre-shared key reauthentication in 4 minutes
          m1[2639]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
          m1{2937}:  INSTALLED, TUNNEL, reqid 7, ESP SPIs: c3396939_i cd534d4a_o
          m1{2937}:  AES_CBC_256/HMAC_SHA2_256_128, 48230 bytes_i (35 pkts, 0s ago), 50986 bytes_o, rekeying in 56 seconds
          m1{2937}:   192.168.51.0/24 192.168.101.0/24 === 10.10.51.0/24 10.10.101.0/24
          m1{2938}:  INSTALLED, TUNNEL, reqid 7, ESP SPIs: ce25bc80_i c27e0121_o
          m1{2938}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 11024 bytes_i (8 pkts, 0s ago), 4134 bytes_o (3 pkts, 0s ago), rekeying in 5 minutes
          m1{2938}:   192.168.51.0/24 192.168.101.0/24 === 10.10.51.0/24 10.10.101.0/24
          m1{3413}:  INSTALLED, TUNNEL, reqid 7, ESP SPIs: ca8c62f6_i c044513d_o
          m1{3413}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 2899312 bytes_i (2104 pkts, 0s ago), 4142268 bytes_o (3006 pkts, 0s ago), rekeying in 95 seconds
          m1{3413}:   192.168.51.0/24 192.168.101.0/24 === 10.10.51.0/24 10.10.101.0/24
sh-4.3#

This issue is not seen when there is no traffic. When there is no traffic, I continue to see only one instance of ESTABLISHED and only one instance of INSTALLED (CHILD_SA).

Any opinions on how to avoid the multiple CHILD_SAs after reauth?

Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr,
Mississauga, Ontario
L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax: +1-289-401-5206
Email: makarandpradhan at is5com.com
Website: www.iS5Com.com
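The status dump above is the only evidence in the post, so the useful first step is to read it mechanically: which IKE_SA each CHILD_SA hangs off, how many CHILD_SAs share the same reqid (several INSTALLED entries for one reqid is exactly the "multiple CHILD_SA" symptom), and which of them have never carried traffic. The following script is an added example, not code from the post or from the strongSwan project; it parses `ipsec statusall` text in the format quoted above. The embedded input is a constructed, trimmed copy of the post's own output (same SA numbers, reqid, SPIs and byte counts), and the function names `parse_status`, `find_duplicates` and `idle_children` are my own.

```python
import re
import sys
from collections import defaultdict

# Constructed sample: a trimmed copy of the `ipsec statusall m1` output quoted
# in the post (same SA ids, reqid, SPIs and byte counters), used as offline input.
SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
          m1[3046]: ESTABLISHED 0 seconds ago, 172.16.100.1[172.16.100.1]...172.17.100.101[172.17.100.101]
          m1[3046]: IKEv2 SPIs: 88541fd5830f9b6a_i a695a57e6c7d70b3_r*, pre-shared key reauthentication in 6 minutes
          m1{3678}:  INSTALLED, TUNNEL, reqid 7, ESP SPIs: ca44d297_i c5962749_o
          m1{3678}:  AES_CBC_256/HMAC_SHA2_256_128, 55120 bytes_i (40 pkts, 0s ago), 59254 bytes_o, rekeying in 6 minutes
          m1{3679}:  INSTALLED, TUNNEL, reqid 7, ESP SPIs: c7ca3287_i c2bd2f7e_o
          m1{3679}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 3 minutes
          m1[2639]: ESTABLISHED 2 minutes ago, 172.16.100.1[172.16.100.1]...172.17.100.101[172.17.100.101]
          m1{2937}:  INSTALLED, TUNNEL, reqid 7, ESP SPIs: c3396939_i cd534d4a_o
          m1{2937}:  AES_CBC_256/HMAC_SHA2_256_128, 48230 bytes_i (35 pkts, 0s ago), 50986 bytes_o, rekeying in 56 seconds
          m1{2938}:  INSTALLED, TUNNEL, reqid 7, ESP SPIs: ce25bc80_i c27e0121_o
          m1{2938}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 11024 bytes_i (8 pkts, 0s ago), 4134 bytes_o (3 pkts, 0s ago), rekeying in 5 minutes
          m1{3413}:  INSTALLED, TUNNEL, reqid 7, ESP SPIs: ca8c62f6_i c044513d_o
          m1{3413}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 2899312 bytes_i (2104 pkts, 0s ago), 4142268 bytes_o (3006 pkts, 0s ago), rekeying in 95 seconds
"""

# IKE_SA header line: "<conn>[<id>]: ESTABLISHED ..."
IKE_RE = re.compile(r'^\s*(?P<conn>\S+)\[(?P<id>\d+)\]:\s+ESTABLISHED\b')
# CHILD_SA header line: "<conn>{<id>}:  INSTALLED, TUNNEL, reqid <n>, ..."
CHILD_RE = re.compile(r'^\s*(?P<conn>\S+)\{(?P<id>\d+)\}:\s+INSTALLED,.*?reqid (?P<reqid>\d+)')
# CHILD_SA counter line: "<conn>{<id>}:  <proposal>, <n> bytes_i ..., <n> bytes_o ..."
STATS_RE = re.compile(r'^\s*(?P<conn>\S+)\{(?P<id>\d+)\}:.*?(?P<bytes_i>\d+) bytes_i.*?(?P<bytes_o>\d+) bytes_o')


def parse_status(text):
    """Group each INSTALLED CHILD_SA under the ESTABLISHED IKE_SA listed before it.

    Returns {ike_id: {"conn": name, "children": {child_id: {"reqid", "bytes_i", "bytes_o"}}}}.
    """
    ike_sas = {}
    current = None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            current = int(m.group('id'))
            ike_sas[current] = {"conn": m.group('conn'), "children": {}}
            continue
        m = CHILD_RE.match(line)
        if m and current is not None:
            ike_sas[current]["children"][int(m.group('id'))] = {
                "reqid": int(m.group('reqid')), "bytes_i": 0, "bytes_o": 0}
            continue
        m = STATS_RE.match(line)
        if m and current is not None:
            child = ike_sas[current]["children"].get(int(m.group('id')))
            if child is not None:
                child["bytes_i"] = int(m.group('bytes_i'))
                child["bytes_o"] = int(m.group('bytes_o'))
    return ike_sas


def find_duplicates(ike_sas):
    """Return {(conn, reqid): [child ids]} for every reqid carried by more than one CHILD_SA.

    A healthy connection has one INSTALLED CHILD_SA per reqid (two briefly during a rekey).
    """
    by_reqid = defaultdict(list)
    for ike in ike_sas.values():
        for cid, child in ike["children"].items():
            by_reqid[(ike["conn"], child["reqid"])].append(cid)
    return {key: sorted(ids) for key, ids in by_reqid.items() if len(ids) > 1}


def idle_children(ike_sas):
    """CHILD_SA ids that have carried no bytes in either direction: leftovers, not live tunnels."""
    return sorted(cid for ike in ike_sas.values()
                  for cid, child in ike["children"].items()
                  if child["bytes_i"] == 0 and child["bytes_o"] == 0)


if __name__ == "__main__":
    # Pipe live output in (`ipsec statusall m1 | python3 sa_check.py`) or run on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    sas = parse_status(text)
    for ike_id, ike in sas.items():
        print(f"{ike['conn']}[{ike_id}]: {len(ike['children'])} CHILD_SA(s): {sorted(ike['children'])}")
    for (conn, reqid), ids in find_duplicates(sas).items():
        print(f"WARNING {conn}: reqid {reqid} has {len(ids)} INSTALLED CHILD_SAs {ids}")
    print("idle CHILD_SAs:", idle_children(sas))
```

On the quoted output this reports two IKE_SAs for `m1` (3046 with two children, 2639 with three), five INSTALLED CHILD_SAs all on reqid 7, and one child (3679) that has moved no bytes at all. Run periodically against `ipsec statusall` it gives a plain count of how the SA set grows across reauthentication cycles, which is the number worth attaching to a bug report.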



