[strongSwan] Multiple SAs on Link up. Race condition.

Makarand Pradhan MakarandPradhan at is5com.com
Thu Jul 16 14:49:12 CEST 2020


Good morning Thomas.

Thanks for your response.

As you mentioned the traffic is not affected so we would not worry about one more connection for now.

Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr,
Mississauga, Ontario
L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax:+1-289-401-5206
Email: makarandpradhan at is5com.com
Website: www.iS5Com.com

 
Confidentiality Notice: 
This message is intended only for the named recipients. This message may contain information that is confidential and/or exempt from disclosure under applicable law. Any dissemination or copying of this message by anyone other than a named recipient is strictly prohibited. If you are not a named recipient or an employee or agent responsible for delivering this message to a named recipient, please notify us immediately, and permanently destroy this message and any copies you may have. Warning: Email may not be secure unless properly encrypted.

-----Original Message-----
From: Thomas Egerer <hakke_007 at gmx.de> 
Sent: July 16, 2020 7:26 AM
To: Makarand Pradhan <MakarandPradhan at is5com.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] Multiple SAs on Link up. Race condition.

Hi Makarand,

the option 'uniqueids=yes' is the preferred way to ensure uniqueness. However, as you've seen there are rare cases in which the detection fails. After all it should not affect your IPsec performance and your tunnels should work.
If you do not want this behavior, disable autoinit on one side:

auto=add

This causes the tunnel to be brought up on traffic.

Thomas


On 7/15/20 10:38 PM, Makarand Pradhan wrote:
> Hello All,
>
> I'm running strongswan 5.8.2.
>
> I'm noticing multiple SAs and Child SAs set up, when both sides try to initiate a connection on link up. Is there a way to avoid multiple SAs  being setup on link up?
>
> My configuration is as follows:
>
> Ipsec.conf:
> config setup
>         charondebug=@all@
>         cachecrls=yes
>         uniqueids=yes
>         strictcrlpolicy=no
>
> #####IS5#####
> conn m2
>         type=tunnel
>         authby=secret
>         auto=start
>         keyexchange=ikev2
>         ike=aes256-sha512-modp1536!
>         aggressive=no
>         ikelifetime=1h
>         esp=aes256-sha256-modp2048!
>         lifetime=2h
>         right=172.16.32.2
>         rightid=172.16.32.2
>         rightsubnet=10.10.10.0/24,192.168.62.0/24
>         left=172.16.32.1
>         leftid=172.16.32.1
>         leftsubnet=192.168.10.0/24,192.168.52.0/24
>         mobike=no
>
> root at t1024rdb:~# ipsec status
> Security Associations (3 up, 0 connecting):
>           m2[7]: ESTABLISHED 6 minutes ago, 172.16.32.1[172.16.32.1]...172.16.32.2[172.16.32.2]
>           m2{8}:  INSTALLED, TUNNEL, reqid 6, ESP SPIs: c7cbf891_i c6e85d39_o
>           m2{8}:   192.168.10.0/24 192.168.52.0/24 === 10.10.10.0/24 192.168.62.0/24
>           m2[6]: ESTABLISHED 6 minutes ago, 172.16.32.1[172.16.32.1]...172.16.32.2[172.16.32.2]
>           m2{7}:  INSTALLED, TUNNEL, reqid 6, ESP SPIs: c5538838_i c69ab573_o
>           m2{7}:   192.168.10.0/24 192.168.52.0/24 === 10.10.10.0/24 192.168.62.0/24
>
> root at t1024rdb:~# swanctl -l
> m2: #7, ESTABLISHED, IKEv2, a5fc0a9cb8a9bfea_i a931c7d404349242_r*
>   local  '172.16.32.1' @ 172.16.32.1[500]
>   remote '172.16.32.2' @ 172.16.32.2[500]
>   AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
>   established 362s ago, reauth in 2527s
>   m2: #8, reqid 6, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
>     installed 362s ago, rekeying in 5759s, expires in 6838s
>     in  c7cbf891,      0 bytes,     0 packets
>     out c6e85d39,      0 bytes,     0 packets
>     local  192.168.10.0/24 192.168.52.0/24
>     remote 10.10.10.0/24 192.168.62.0/24
> m2: #6, ESTABLISHED, IKEv2, 2a17575859ea9c0f_i* 9409bec89f7dcff2_r
>   local  '172.16.32.1' @ 172.16.32.1[500]
>   remote '172.16.32.2' @ 172.16.32.2[500]
>   AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
>   established 362s ago, reauth in 2101s
>   m2: #7, reqid 6, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
>     installed 362s ago, rekeying in 5847s, expires in 6838s
>     in  c5538838,      0 bytes,     0 packets
>     out c69ab573,      0 bytes,     0 packets
>     local  192.168.10.0/24 192.168.52.0/24
>     remote 10.10.10.0/24 192.168.62.0/24
>
> Thanks.
>
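The duplicate pair of IKE_SAs in the `swanctl -l` output above is exactly the condition an operator would want a monitoring check to flag, since `uniqueids=yes` can miss it when both peers initiate at link-up. The following is an added example, not code from the thread or from the strongSwan project: a small parser for `swanctl -l` output that groups ESTABLISHED IKE_SAs by connection name and peer addresses, reports any group with more than one SA, and also reports CHILD_SAs that share a reqid (as `#7` and `#8` do above). The sample text embedded below is constructed from the output quoted in the thread; the line layout is assumed to match what `swanctl -l` prints.

```python
import re
import sys
from collections import defaultdict

# Constructed sample, modelled on the swanctl -l output quoted in the thread.
SAMPLE = """\
m2: #7, ESTABLISHED, IKEv2, a5fc0a9cb8a9bfea_i a931c7d404349242_r*
  local  '172.16.32.1' @ 172.16.32.1[500]
  remote '172.16.32.2' @ 172.16.32.2[500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
  established 362s ago, reauth in 2527s
  m2: #8, reqid 6, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 362s ago, rekeying in 5759s, expires in 6838s
    in  c7cbf891,      0 bytes,     0 packets
    out c6e85d39,      0 bytes,     0 packets
    local  192.168.10.0/24 192.168.52.0/24
    remote 10.10.10.0/24 192.168.62.0/24
m2: #6, ESTABLISHED, IKEv2, 2a17575859ea9c0f_i* 9409bec89f7dcff2_r
  local  '172.16.32.1' @ 172.16.32.1[500]
  remote '172.16.32.2' @ 172.16.32.2[500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
  established 362s ago, reauth in 2101s
  m2: #7, reqid 6, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 362s ago, rekeying in 5847s, expires in 6838s
    in  c5538838,      0 bytes,     0 packets
    out c69ab573,      0 bytes,     0 packets
    local  192.168.10.0/24 192.168.52.0/24
    remote 10.10.10.0/24 192.168.62.0/24
"""

# IKE_SA header: no indentation, "conn: #id, STATE, IKEvN, spis"
IKE_RE = re.compile(r"^(?P<conn>\S+): #(?P<id>\d+), (?P<state>[A-Z_]+), IKEv[12], ")
# CHILD_SA header: indented, carries a reqid
CHILD_RE = re.compile(r"^\s+(?P<conn>\S+): #(?P<id>\d+), reqid (?P<reqid>\d+), (?P<state>[A-Z_]+), (?P<mode>\w+),")
# IKE_SA peer lines: quoted identity followed by "@ addr[port]" (child TS lines have no quotes)
PEER_RE = re.compile(r"^\s+(?P<side>local|remote)\s+'(?P<ident>[^']*)' @ (?P<addr>\S+)$")
# CHILD_SA SPI lines: "in  <hex>, ..." / "out <hex>, ..."
SPI_RE = re.compile(r"^\s+(?P<dir>in|out)\s+(?P<spi>[0-9a-f]+),")


def parse_swanctl_list(text):
    """Parse `swanctl -l` text into a list of IKE_SA dicts, each with its CHILD_SAs."""
    sas, cur, child = [], None, None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            cur = {"conn": m["conn"], "id": int(m["id"]), "state": m["state"],
                   "local": None, "remote": None, "children": []}
            sas.append(cur)
            child = None
            continue
        if cur is None:
            continue  # ignore anything before the first IKE_SA header
        m = CHILD_RE.match(line)
        if m:
            child = {"conn": m["conn"], "id": int(m["id"]), "reqid": int(m["reqid"]),
                     "state": m["state"], "mode": m["mode"], "spi_in": None, "spi_out": None}
            cur["children"].append(child)
            continue
        m = PEER_RE.match(line)
        if m:
            cur[m["side"]] = m["addr"]
            continue
        m = SPI_RE.match(line)
        if m and child is not None:
            child["spi_" + m["dir"]] = m["spi"]
    return sas


def find_duplicate_ike_sas(sas):
    """Return {(conn, local, remote): [ids]} for peers with more than one ESTABLISHED IKE_SA."""
    groups = defaultdict(list)
    for sa in sas:
        if sa["state"] == "ESTABLISHED":
            groups[(sa["conn"], sa["local"], sa["remote"])].append(sa["id"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def find_shared_reqids(sas):
    """Return {reqid: [child ids]} for reqids carried by more than one installed CHILD_SA."""
    by_reqid = defaultdict(list)
    for sa in sas:
        for ch in sa["children"]:
            if ch["state"] == "INSTALLED":
                by_reqid[ch["reqid"]].append(ch["id"])
    return {k: sorted(v) for k, v in by_reqid.items() if len(v) > 1}


if __name__ == "__main__":
    # Read real output from a pipe (swanctl -l | python3 this.py), else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    sas = parse_swanctl_list(text)
    for (conn, loc, rem), ids in find_duplicate_ike_sas(sas).items():
        print(f"DUPLICATE IKE_SA: {conn} {loc} <-> {rem}: IKE_SAs {ids}")
    for reqid, ids in find_shared_reqids(sas).items():
        print(f"SHARED reqid {reqid}: CHILD_SAs {ids}")
```

Run against the sample it reports one duplicate group (IKE_SAs 6 and 7 for `m2`) and one shared reqid (CHILD_SAs 7 and 8 on reqid 6); run in a cron job against live `swanctl -l` output it gives an operator a log line whenever the uniqueness check has been outrun by a simultaneous initiation, without touching the SAs themselves.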