[strongSwan] Multiple SAs on Link up. Race condition.

Makarand Pradhan MakarandPradhan at is5com.com
Wed Jul 15 22:38:50 CEST 2020


Hello All,

I'm running strongswan 5.8.2.

I'm noticing multiple SAs and Child SAs set up when both sides try to initiate a connection on link up. Is there a way to avoid multiple SAs being set up on link up?

My configuration is as follows:

ipsec.conf:
config setup
        charondebug=@all@
        cachecrls=yes
        uniqueids=yes
        strictcrlpolicy=no

#####IS5#####
conn m2
        type=tunnel
        authby=secret
        auto=start
        keyexchange=ikev2
        ike=aes256-sha512-modp1536!
        aggressive=no
        ikelifetime=1h
        esp=aes256-sha256-modp2048!
        lifetime=2h
        right=172.16.32.2
        rightid=172.16.32.2
        rightsubnet=10.10.10.0/24,192.168.62.0/24
        left=172.16.32.1
        leftid=172.16.32.1
        leftsubnet=192.168.10.0/24,192.168.52.0/24
        mobike=no

root at t1024rdb:~# ipsec status
Security Associations (3 up, 0 connecting):
          m2[7]: ESTABLISHED 6 minutes ago, 172.16.32.1[172.16.32.1]...172.16.32.2[172.16.32.2]
          m2{8}:  INSTALLED, TUNNEL, reqid 6, ESP SPIs: c7cbf891_i c6e85d39_o
          m2{8}:   192.168.10.0/24 192.168.52.0/24 === 10.10.10.0/24 192.168.62.0/24
          m2[6]: ESTABLISHED 6 minutes ago, 172.16.32.1[172.16.32.1]...172.16.32.2[172.16.32.2]
          m2{7}:  INSTALLED, TUNNEL, reqid 6, ESP SPIs: c5538838_i c69ab573_o
          m2{7}:   192.168.10.0/24 192.168.52.0/24 === 10.10.10.0/24 192.168.62.0/24

root at t1024rdb:~# swanctl -l
m2: #7, ESTABLISHED, IKEv2, a5fc0a9cb8a9bfea_i a931c7d404349242_r*
  local  '172.16.32.1' @ 172.16.32.1[500]
  remote '172.16.32.2' @ 172.16.32.2[500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
  established 362s ago, reauth in 2527s
  m2: #8, reqid 6, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 362s ago, rekeying in 5759s, expires in 6838s
    in  c7cbf891,      0 bytes,     0 packets
    out c6e85d39,      0 bytes,     0 packets
    local  192.168.10.0/24 192.168.52.0/24
    remote 10.10.10.0/24 192.168.62.0/24
m2: #6, ESTABLISHED, IKEv2, 2a17575859ea9c0f_i* 9409bec89f7dcff2_r
  local  '172.16.32.1' @ 172.16.32.1[500]
  remote '172.16.32.2' @ 172.16.32.2[500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
  established 362s ago, reauth in 2101s
  m2: #7, reqid 6, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 362s ago, rekeying in 5847s, expires in 6838s
    in  c5538838,      0 bytes,     0 packets
    out c69ab573,      0 bytes,     0 packets
    local  192.168.10.0/24 192.168.52.0/24
    remote 10.10.10.0/24 192.168.62.0/24
Thanks.

Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr,
Mississauga, Ontario
L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax:+1-289-401-5206
Email: makarandpradhan at is5com.com
Website: www.iS5Com.com
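As an added example (not part of the original post and not strongSwan's own tooling), the script below parses the `swanctl -l` listing quoted above and flags connections where more than one ESTABLISHED IKE_SA exists between the same endpoints with identical child traffic selectors, reporting which side initiated each one. In this sample, one IKE_SA was initiated locally (`_i*`) and the other by the peer (`_r*`), which is what simultaneous initiation from both sides looks like in the listing. The parser, its record layout and the grouping rule are assumptions made for this illustration, written against the output format shown in the post; the sample input is the post's own `swanctl -l` output.

```python
"""Find duplicate IKE_SAs (same connection, same peers, same selectors) in
`swanctl -l` output, as seen when both peers initiate on link up."""
import re
from collections import defaultdict

# Sample input: the `swanctl -l` listing quoted in the post above.
SWANCTL_OUTPUT = """\
m2: #7, ESTABLISHED, IKEv2, a5fc0a9cb8a9bfea_i a931c7d404349242_r*
  local  '172.16.32.1' @ 172.16.32.1[500]
  remote '172.16.32.2' @ 172.16.32.2[500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
  established 362s ago, reauth in 2527s
  m2: #8, reqid 6, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 362s ago, rekeying in 5759s, expires in 6838s
    in  c7cbf891,      0 bytes,     0 packets
    out c6e85d39,      0 bytes,     0 packets
    local  192.168.10.0/24 192.168.52.0/24
    remote 10.10.10.0/24 192.168.62.0/24
m2: #6, ESTABLISHED, IKEv2, 2a17575859ea9c0f_i* 9409bec89f7dcff2_r
  local  '172.16.32.1' @ 172.16.32.1[500]
  remote '172.16.32.2' @ 172.16.32.2[500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
  established 362s ago, reauth in 2101s
  m2: #7, reqid 6, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 362s ago, rekeying in 5847s, expires in 6838s
    in  c5538838,      0 bytes,     0 packets
    out c69ab573,      0 bytes,     0 packets
    local  192.168.10.0/24 192.168.52.0/24
    remote 10.10.10.0/24 192.168.62.0/24
"""

IKE_RE = re.compile(
    r"^(?P<conn>\S+): #(?P<id>\d+), (?P<state>\w+), IKEv(?P<ver>\d), "
    r"(?P<spi_i>[0-9a-f]+)_i(?P<star_i>\*?) (?P<spi_r>[0-9a-f]+)_r(?P<star_r>\*?)$")
CHILD_RE = re.compile(
    r"^(?P<conn>\S+): #(?P<id>\d+), reqid (?P<reqid>\d+), (?P<state>\w+), "
    r"(?P<mode>\w+), (?P<proto>\w+):")
ENDPOINT_RE = re.compile(
    r"^(?P<side>local|remote)\s+'(?P<id>[^']*)' @ (?P<addr>\S+)\[(?P<port>\d+)\]$")
SPI_RE = re.compile(
    r"^(?P<dir>in|out)\s+(?P<spi>[0-9a-f]+),\s+\d+ bytes,\s+\d+ packets$")


def parse_swanctl_list(text):
    """Return a list of IKE_SA dicts, each carrying its CHILD_SAs (assumed layout)."""
    sas, ike, child = [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:                             # IKE_SA header line
            m = IKE_RE.match(line)
            if not m:
                continue
            # strongSwan marks the locally generated SPI with '*': '_i*' means
            # this host initiated the IKE_SA, '_r*' means the peer initiated it.
            ike = {"conn": m["conn"], "id": int(m["id"]), "state": m["state"],
                   "role": "initiator" if m["star_i"] else "responder",
                   "spi_i": m["spi_i"], "spi_r": m["spi_r"],
                   "local": None, "remote": None, "children": []}
            sas.append(ike)
            child = None
        elif indent == 2 and ike is not None:       # IKE_SA attrs or CHILD_SA header
            m = CHILD_RE.match(line)
            if m:
                child = {"id": int(m["id"]), "reqid": int(m["reqid"]),
                         "state": m["state"], "mode": m["mode"],
                         "local_ts": (), "remote_ts": (), "spi_in": None, "spi_out": None}
                ike["children"].append(child)
                continue
            m = ENDPOINT_RE.match(line)
            if m:
                ike[m["side"]] = (m["id"], m["addr"], int(m["port"]))
        elif indent == 4 and child is not None:     # CHILD_SA attributes
            m = SPI_RE.match(line)
            if m:
                child["spi_in" if m["dir"] == "in" else "spi_out"] = m["spi"]
                continue
            parts = line.split()
            if parts[0] in ("local", "remote"):     # traffic selectors
                child[parts[0] + "_ts"] = tuple(sorted(parts[1:]))
    return sas


def find_duplicate_ike_sas(sas):
    """Group ESTABLISHED IKE_SAs by connection, endpoints and child selectors and
    return one record per group holding more than one IKE_SA."""
    groups = defaultdict(list)
    for sa in sas:
        if sa["state"] != "ESTABLISHED":
            continue
        selectors = frozenset((c["local_ts"], c["remote_ts"]) for c in sa["children"])
        groups[(sa["conn"], sa["local"], sa["remote"], selectors)].append(sa)
    dups = []
    for (conn, local, remote, _sel), members in groups.items():
        if len(members) < 2:
            continue
        roles = [m["role"] for m in members]
        dups.append({"conn": conn,
                     "local": local[1] if local else None,
                     "remote": remote[1] if remote else None,
                     "ike_ids": [m["id"] for m in members],
                     "roles": roles,
                     # mixed roles for one peer pair: both sides initiated at once
                     "crossed": len(set(roles)) > 1})
    return dups


if __name__ == "__main__":
    for d in find_duplicate_ike_sas(parse_swanctl_list(SWANCTL_OUTPUT)):
        print(f"{d['conn']}: {len(d['ike_ids'])} IKE_SAs {d['ike_ids']} between "
              f"{d['local']} and {d['remote']}, roles {d['roles']}"
              + (" (simultaneous initiation)" if d["crossed"] else ""))
```

Run it against a live `swanctl -l` capture on each gateway after a link flap; a group with `crossed` set on both peers confirms that each side established one IKE_SA the other also accepted, which is the situation the post describes, and the reported IKE_SA ids are the ones to inspect in the charon log.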
