[strongSwan] Multiple SAs on Link up. Race condition.

Thomas Egerer hakke_007 at gmx.de
Thu Jul 16 13:26:24 CEST 2020


Hi Makarand,

the option 'uniqueids=yes' is the preferred way to ensure
uniqueness. However, as you've seen there are rare cases
in which the detection fails. After all it should not
affect your IPsec performance and your tunnels should work.
If you do not want this behavior, disable autoinit on one
side:
auto=add
This causes the tunnel to be brought up on traffic.

Thomas


On 7/15/20 10:38 PM, Makarand Pradhan wrote:
> Hello All,
>
> I'm running strongswan 5.8.2.
>
> I'm noticing multiple SAs and Child SAs set up, when both sides try to initiate a connection on link up. Is there a way to avoid multiple SAs being set up on link up?
>
> My configuration is as follows:
>
> Ipsec.conf:
> config setup
>         charondebug=@all@
>         cachecrls=yes
>         uniqueids=yes
>         strictcrlpolicy=no
>
> #####IS5#####
> conn m2
>         type=tunnel
>         authby=secret
>         auto=start
>         keyexchange=ikev2
>         ike=aes256-sha512-modp1536!
>         aggressive=no
>         ikelifetime=1h
>         esp=aes256-sha256-modp2048!
>         lifetime=2h
>         right=172.16.32.2
>         rightid=172.16.32.2
>         rightsubnet=10.10.10.0/24,192.168.62.0/24
>         left=172.16.32.1
>         leftid=172.16.32.1
>         leftsubnet=192.168.10.0/24,192.168.52.0/24
>         mobike=no
>
> root@t1024rdb:~# ipsec status
> Security Associations (3 up, 0 connecting):
>           m2[7]: ESTABLISHED 6 minutes ago, 172.16.32.1[172.16.32.1]...172.16.32.2[172.16.32.2]
>           m2{8}:  INSTALLED, TUNNEL, reqid 6, ESP SPIs: c7cbf891_i c6e85d39_o
>           m2{8}:   192.168.10.0/24 192.168.52.0/24 === 10.10.10.0/24 192.168.62.0/24
>           m2[6]: ESTABLISHED 6 minutes ago, 172.16.32.1[172.16.32.1]...172.16.32.2[172.16.32.2]
>           m2{7}:  INSTALLED, TUNNEL, reqid 6, ESP SPIs: c5538838_i c69ab573_o
>           m2{7}:   192.168.10.0/24 192.168.52.0/24 === 10.10.10.0/24 192.168.62.0/24
>
> root@t1024rdb:~# swanctl -l
> m2: #7, ESTABLISHED, IKEv2, a5fc0a9cb8a9bfea_i a931c7d404349242_r*
>   local  '172.16.32.1' @ 172.16.32.1[500]
>   remote '172.16.32.2' @ 172.16.32.2[500]
>   AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
>   established 362s ago, reauth in 2527s
>   m2: #8, reqid 6, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
>     installed 362s ago, rekeying in 5759s, expires in 6838s
>     in  c7cbf891,      0 bytes,     0 packets
>     out c6e85d39,      0 bytes,     0 packets
>     local  192.168.10.0/24 192.168.52.0/24
>     remote 10.10.10.0/24 192.168.62.0/24
> m2: #6, ESTABLISHED, IKEv2, 2a17575859ea9c0f_i* 9409bec89f7dcff2_r
>   local  '172.16.32.1' @ 172.16.32.1[500]
>   remote '172.16.32.2' @ 172.16.32.2[500]
>   AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
>   established 362s ago, reauth in 2101s
>   m2: #7, reqid 6, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
>     installed 362s ago, rekeying in 5847s, expires in 6838s
>     in  c5538838,      0 bytes,     0 packets
>     out c69ab573,      0 bytes,     0 packets
>     local  192.168.10.0/24 192.168.52.0/24
>     remote 10.10.10.0/24 192.168.62.0/24
>
> Thanks.
>
> Kind rgds,
> Makarand Pradhan
> Senior Software Engineer.
> iS5 Communications Inc.
>
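
As an added example (not part of either message and not strongSwan code), the following Python check parses `swanctl -l` output like the listing quoted above and flags connections that hold more than one ESTABLISHED IKE_SA between the same identities, reporting the local role of each. The function names are hypothetical, and the sample is an excerpt of the posted output.

```python
import re
from collections import defaultdict

# Excerpt of the `swanctl -l` output posted above (other detail lines trimmed).
SAMPLE = """\
m2: #7, ESTABLISHED, IKEv2, a5fc0a9cb8a9bfea_i a931c7d404349242_r*
  local  '172.16.32.1' @ 172.16.32.1[500]
  remote '172.16.32.2' @ 172.16.32.2[500]
  m2: #8, reqid 6, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
m2: #6, ESTABLISHED, IKEv2, 2a17575859ea9c0f_i* 9409bec89f7dcff2_r
  local  '172.16.32.1' @ 172.16.32.1[500]
  remote '172.16.32.2' @ 172.16.32.2[500]
  m2: #7, reqid 6, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
"""

# IKE_SA headers start in column 0; '*' marks the SPI owned by the local host.
IKE_RE = re.compile(
    r"^(\S+): #(\d+), (\w+), IKEv[12], [0-9a-f]+_i(\*?) [0-9a-f]+_r(\*?)")
# IKE identity lines: two-space indent and a quoted ID (CHILD_SA lines differ).
ID_RE = re.compile(r"^  (local|remote)\s+'([^']*)' @ ")


def parse_ike_sas(text):
    """Return one dict per IKE_SA: name, id, state, local role, identities."""
    sas = []
    for line in text.splitlines():
        ike, ident = IKE_RE.match(line), ID_RE.match(line)
        if ike:
            role = "initiator" if ike.group(4) else "responder"
            sas.append({"name": ike.group(1), "id": int(ike.group(2)),
                        "state": ike.group(3), "role": role})
        elif ident and sas:
            sas[-1][ident.group(1)] = ident.group(2)
    return sas


def find_duplicates(sas):
    """Group ESTABLISHED IKE_SAs by (conn, local ID, remote ID); keep groups > 1."""
    groups = defaultdict(list)
    for sa in sas:
        if sa["state"] == "ESTABLISHED":
            groups[(sa["name"], sa.get("local"), sa.get("remote"))].append(sa)
    return {key: grp for key, grp in groups.items() if len(grp) > 1}


if __name__ == "__main__":
    for key, grp in find_duplicates(parse_ike_sas(SAMPLE)).items():
        print(key, [(sa["id"], sa["role"]) for sa in grp])
```

On the posted output this reports SA #7 with the local host as responder and SA #6 with it as initiator, which is the signature of both peers initiating at once.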


