[strongSwan] Duplicate IKE_SA?
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Jun 1 19:23:37 CEST 2020
Hello Michael,
It might be that both sides use auto=route or auto=start and initiate in parallel, and uniqueids=no is set, so duplicate SAs are not deleted.
That is pure speculation though. ;)
Kind regards
Noel
On 31.05.20 at 09:44, Michael Schwartzkopff wrote:
> Hi,
>
>
> we have a central gateway and several remote gateways. The setup should
> be very simple, all fixed IP Addresses, PSK authentication.
>
> When I look at the status of the connections, I see that EVERY IKE_SA
> exists in duplicate. The expiry times are far from being close to the timeout.
>
>
> Sample output of statusall:
>
> Connections:
> VPN_a: 192.0.2.128...192.0.2.1 IKEv2, dpddelay=10s
> VPN_a: local: [192.0.2.1] uses pre-shared key authentication
> VPN_a: remote: [192.0.2.128] uses pre-shared key authentication
> VPN_a: child: dynamic === 192.0.2.128/32 TUNNEL, dpdaction=hold
>
> Security Associations (4 up, 0 connecting):
> VPN_a[502011]: ESTABLISHED 47 minutes ago,
> 192.0.2.128[192.0.2.128]...192.0.2.1[192.0.2.1]
> VPN_a[502011]: IKEv2 SPIs: 93fea54e631018b3_i e19e477bde676b42_r*,
> rekeying disabled
> VPN_a[502011]: IKE proposal:
> AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> VPN_a{502324}: INSTALLED, TUNNEL, reqid 3, ESP SPIs: c2a96e2c_i
> c36e31d1_o
> VPN_a{502324}: AES_CBC_256/HMAC_SHA2_256_128, 3182 bytes_i (74 pkts,
> 15s ago), 7655 bytes_o (110 pkts, 0s ago), rekeying disabled
> VPN_a{502324}: 192.0.2.128/32 === 192.0.2.1/32
> VPN_a[502009]: ESTABLISHED 66 minutes ago,
> 192.0.2.128[192.0.2.128]...192.0.2.1[192.0.2.1]
> VPN_a[502009]: IKEv2 SPIs: 40ab1a098c160549_i ded33f2f40286969_r*,
> rekeying disabled
> VPN_a[502009]: IKE proposal:
> AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> VPN_a{502323}: INSTALLED, TUNNEL, reqid 3, ESP SPIs: c2b8ec27_i
> cbabcc83_o
> VPN_a{502323}: AES_CBC_256/HMAC_SHA2_256_128, 2226 bytes_i (51 pkts,
> 15s ago), 4681 bytes_o (72 pkts, 0s ago), rekeying disabled
> VPN_a{502323}: 192.0.2.128/32 === 192.0.2.1/32
>
>
> Any ideas, why the gateways set up two IKE SAs?
>
>
> Kind regards,
>
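As an added example (not code from the thread or from strongSwan), a small Python check that parses statusall-style output like the one quoted above and flags connections with more than one ESTABLISHED IKE_SA between the same pair of identities, which is the symptom the reply attributes to parallel initiation with uniqueids=no. The sample text is constructed from the quoted output, with an extra VPN_b and a CONNECTING entry added to show that they are not reported.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the "ipsec statusall" output quoted in the thread.
SAMPLE = """Security Associations (4 up, 0 connecting):
 VPN_a[502011]: ESTABLISHED 47 minutes ago, 192.0.2.128[192.0.2.128]...192.0.2.1[192.0.2.1]
 VPN_a[502011]: IKEv2 SPIs: 93fea54e631018b3_i e19e477bde676b42_r*, rekeying disabled
 VPN_a{502324}: INSTALLED, TUNNEL, reqid 3, ESP SPIs: c2a96e2c_i c36e31d1_o
 VPN_a[502009]: ESTABLISHED 66 minutes ago, 192.0.2.128[192.0.2.128]...192.0.2.1[192.0.2.1]
 VPN_a[502009]: IKEv2 SPIs: 40ab1a098c160549_i ded33f2f40286969_r*, rekeying disabled
 VPN_a{502323}: INSTALLED, TUNNEL, reqid 3, ESP SPIs: c2b8ec27_i cbabcc83_o
 VPN_b[7]: ESTABLISHED 5 minutes ago, 192.0.2.129[192.0.2.129]...192.0.2.1[192.0.2.1]
 VPN_c[9]: CONNECTING, 192.0.2.130[%any]...192.0.2.1[%any]
"""

# One established IKE_SA line: "<conn>[<sa id>]: ESTABLISHED ... <host>[<id>]...<host>[<id>]"
IKE_SA_RE = re.compile(
    r"^\s*(?P<conn>\S+)\[(?P<id>\d+)\]:\s+ESTABLISHED\b.*?"
    r"\S+\[(?P<lid>[^\]]+)\]\.\.\.\S+\[(?P<rid>[^\]]+)\]"
)

def parse_ike_sas(text):
    """Return (conn, sa_id, local_id, remote_id) for every ESTABLISHED IKE_SA line."""
    sas = []
    for line in text.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            sas.append((m["conn"], int(m["id"]), m["lid"], m["rid"]))
    return sas

def find_duplicates(text):
    """Group IKE_SAs by (conn, local id, remote id); return groups holding more than one SA."""
    groups = defaultdict(list)
    for conn, sa_id, lid, rid in parse_ike_sas(text):
        groups[(conn, lid, rid)].append(sa_id)
    return {key: sorted(ids) for key, ids in groups.items() if len(ids) > 1}

if __name__ == "__main__":
    for (conn, lid, rid), ids in find_duplicates(SAMPLE).items():
        print(f"{conn}: {len(ids)} IKE_SAs between {lid} and {rid}: {ids}")
```

Feeding the real output of `ipsec statusall` (or `swanctl --list-sas`, after adjusting the pattern) into find_duplicates gives a quick inventory of which peers keep ending up with two SAs, which helps when deciding whether uniqueids or the auto= settings on each side need changing.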