[strongSwan] Duplicated SA

korsar182 at gmail.com korsar182 at gmail.com
Thu Feb 27 16:48:33 CET 2020


Hello,
I am using IPSec in transport mode to connect my networks.
My settings:
ipsec.conf
conn %default
         auto=add
         left=1.1.1.1
         ike=aes256gcm16-sha2_256-ecp521,aes256-sha1-sha2_256-modp1024-ecp521
         esp=aes256gcm16-ecp521,aes256ctr-sha2_256-ecp521
         rekey=no
         dpdaction=clear
         fragmentation=yes
         keyexchange=ikev2
         type=tunnel
         leftauth=pubkey
         rightauth=pubkey
         leftcert=server.crt
         leftsendcert=always
         authby=pubkey
         reauth=no
conn transport
   type=transport
   leftprotoport=udp/l2tp
   rightprotoport=udp/%any


How can I prevent duplicated SAs from being installed?


swanctl -l:
transport: #307, ESTABLISHED, IKEv2, 33d5b4f621c1d7e4_i 6b766489df4e6be8_r*
   local  'CN=' @ 1.1.1.1[4500]
   remote 'C=' @ 2.2.2.2[4500]
   AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
   established 1565s ago
   transport: #2833, reqid 292, REKEYED, TRANSPORT, ESP:AES_CTR-256/HMAC_SHA2_256_128
     installed 1565s ago
     in  c60e9eaf, 597320317 bytes, 438354 packets,     0s ago
     out 0c7fcef1, 24187646 bytes, 240074 packets,     7s ago
     local  1.1.1.1/32[udp/l2f]
     remote 2.2.2.2/32[udp/l2f]
   transport: #3035, reqid 292, INSTALLED, TRANSPORT, ESP:AES_CTR-256/HMAC_SHA2_256_128/ECP_521
     installed 108s ago
     in  c282733a,      0 bytes,     0 packets,     5s ago
     out 08735373,      0 bytes,     0 packets
     local  1.1.1.1/32[udp/l2f]
     remote 2.2.2.2/32[udp/l2f]
   transport: #3038, reqid 292, INSTALLED, TRANSPORT, ESP:AES_CTR-256/HMAC_SHA2_256_128/ECP_521
     installed 93s ago
     in  c5aaccad,      0 bytes,     0 packets,     5s ago
     out 0b9a47ee,      0 bytes,     0 packets
     local  1.1.1.1/32[udp/l2f]
     remote 2.2.2.2/32[udp/l2f]
   transport: #3043, reqid 292, INSTALLED, TRANSPORT, ESP:AES_CTR-256/HMAC_SHA2_256_128/ECP_521
     installed 72s ago
     in  cb17dcf3,      0 bytes,     0 packets,     5s ago
     out 04ccf002,      0 bytes,     0 packets
     local  1.1.1.1/32[udp/l2f]
     remote 2.2.2.2/32[udp/l2f]
   transport: #3049, reqid 292, INSTALLED, TRANSPORT, ESP:AES_CTR-256/HMAC_SHA2_256_128/ECP_521
     installed 44s ago
     in  c0ed0e45,      0 bytes,     0 packets,     5s ago
     out 01d6f597,      0 bytes,     0 packets
     local  1.1.1.1/32[udp/l2f]
     remote 2.2.2.2/32[udp/l2f]
   transport: #3052, reqid 292, INSTALLED, TRANSPORT, ESP:AES_CTR-256/HMAC_SHA2_256_128/ECP_521
     installed 27s ago
     in  c2a82d3b,      0 bytes,     0 packets,     5s ago
     out 0753eda2,      0 bytes,     0 packets
     local  1.1.1.1/32[udp/l2f]
     remote 2.2.2.2/32[udp/l2f]
   transport: #3058, reqid 292, INSTALLED, TRANSPORT, ESP:AES_CTR-256/HMAC_SHA2_256_128/ECP_521
     installed 8s ago
     in  cd035006,      0 bytes,     0 packets,     5s ago
     out 0e360563,      0 bytes,     0 packets
     local  1.1.1.1/32[udp/l2f]
     remote 2.2.2.2/32[udp/l2f]
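
A monitoring check for the symptom shown in the listing above, as an added example that is not part of the original post or strongSwan's own code: it parses `swanctl -l` style text and reports INSTALLED CHILD_SAs that share the same IKE_SA, reqid and traffic selectors. The function names and the embedded sample (shortened from the listing) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, shortened from the `swanctl -l` listing in the post.
SAMPLE = """\
transport: #307, ESTABLISHED, IKEv2, 33d5b4f621c1d7e4_i 6b766489df4e6be8_r*
   transport: #2833, reqid 292, REKEYED, TRANSPORT,
ESP:AES_CTR-256/HMAC_SHA2_256_128
     in  c60e9eaf, 597320317 bytes, 438354 packets,     0s ago
     local  1.1.1.1/32[udp/l2f]
     remote 2.2.2.2/32[udp/l2f]
   transport: #3035, reqid 292, INSTALLED, TRANSPORT, ESP:AES_CTR-256/HMAC_SHA2_256_128/ECP_521
     in  c282733a,      0 bytes,     0 packets,     5s ago
     local  1.1.1.1/32[udp/l2f]
     remote 2.2.2.2/32[udp/l2f]
   transport: #3038, reqid 292, INSTALLED, TRANSPORT, ESP:AES_CTR-256/HMAC_SHA2_256_128/ECP_521
     in  c5aaccad,      0 bytes,     0 packets,     5s ago
     local  1.1.1.1/32[udp/l2f]
     remote 2.2.2.2/32[udp/l2f]
"""

IKE_RE = re.compile(r"^(\S+): #(\d+), (\w+), IKEv[12]")            # unindented IKE_SA header
CHILD_RE = re.compile(r"^\s+(\S+): #(\d+), reqid (\d+), (\w+), (\w+)")  # indented CHILD_SA header
BYTES_RE = re.compile(r"^\s+(in|out)\s+[0-9a-f]+,\s+(\d+) bytes")
TS_RE = re.compile(r"^\s+(local|remote)\s+(\S+)\s*$")               # traffic selector line

def parse_child_sas(text):
    """Return one dict per CHILD_SA; mail-wrapped 'ESP:...' lines are ignored."""
    sas, ike, cur = [], None, None
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            ike, cur = int(m.group(2)), None
        elif m := CHILD_RE.match(line):
            cur = {"ike": ike, "id": int(m.group(2)), "reqid": int(m.group(3)),
                   "state": m.group(4), "bytes": 0}
            sas.append(cur)
        elif cur is not None and (m := BYTES_RE.match(line)):
            cur["bytes"] += int(m.group(2))      # sum of in + out counters
        elif cur is not None and (m := TS_RE.match(line)):
            cur[m.group(1)] = m.group(2)
    return sas

def find_duplicates(sas):
    """Group INSTALLED CHILD_SAs by (IKE_SA id, reqid, local TS, remote TS); keep groups > 1."""
    groups = defaultdict(list)
    for sa in sas:
        if sa["state"] == "INSTALLED":
            groups[(sa["ike"], sa["reqid"], sa.get("local"), sa.get("remote"))].append(sa)
    return {k: v for k, v in groups.items() if len(v) > 1}
```
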

