[strongSwan] Duplicate IKE_SA?

Michael Schwartzkopff ms at sys4.de
Sun May 31 09:44:44 CEST 2020


We have a central gateway and several remote gateways. The setup should
be very simple, all fixed IP Addresses, PSK authentication.

When I look at the status of the connections, I see that EVERY IKE_SA
exists in duplicate. The expiry times are far from being close to the timeout.

Sample output of statusall:

   VPN_a:  IKEv2, dpddelay=10s
   VPN_a:   local:  [] uses pre-shared key authentication
   VPN_a:   remote: [] uses pre-shared key authentication
   VPN_a:   child:  dynamic === TUNNEL, dpdaction=hold

Security Associations (4 up, 0 connecting):
   VPN_a[502011]: ESTABLISHED 47 minutes ago,[]...[]
   VPN_a[502011]: IKEv2 SPIs: 93fea54e631018b3_i e19e477bde676b42_r*, rekeying disabled
   VPN_a[502011]: IKE proposal:
   VPN_a{502324}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c2a96e2c_i
   VPN_a{502324}:  AES_CBC_256/HMAC_SHA2_256_128, 3182 bytes_i (74 pkts, 15s ago), 7655 bytes_o (110 pkts, 0s ago), rekeying disabled
   VPN_a{502324}: ===
   VPN_a[502009]: ESTABLISHED 66 minutes ago,[]...[]
   VPN_a[502009]: IKEv2 SPIs: 40ab1a098c160549_i ded33f2f40286969_r*, rekeying disabled
   VPN_a[502009]: IKE proposal:
   VPN_a{502323}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c2b8ec27_i
   VPN_a{502323}:  AES_CBC_256/HMAC_SHA2_256_128, 2226 bytes_i (51 pkts, 15s ago), 4681 bytes_o (72 pkts, 0s ago), rekeying disabled
   VPN_a{502323}: ===

Any ideas why the gateways set up two IKE SAs?

Kind regards,


[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
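
A check for the symptom described in the message above, added here as an example and not part of the original post: it parses `statusall` text and reports connections with more than one ESTABLISHED IKE_SA to the same peer pair, plus CHILD_SAs that share a reqid. The sample is constructed from the excerpt in the post; `VPN_b` and its values are invented for contrast.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the statusall excerpt in the post
# (peer addresses appear as "[]" there); VPN_b is invented for contrast.
SAMPLE = """\
Security Associations (4 up, 0 connecting):
   VPN_a[502011]: ESTABLISHED 47 minutes ago,[]...[]
   VPN_a[502011]: IKEv2 SPIs: 93fea54e631018b3_i e19e477bde676b42_r*, rekeying disabled
   VPN_a{502324}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c2a96e2c_i
   VPN_a[502009]: ESTABLISHED 66 minutes ago,[]...[]
   VPN_a[502009]: IKEv2 SPIs: 40ab1a098c160549_i ded33f2f40286969_r*, rekeying disabled
   VPN_a{502323}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c2b8ec27_i
   VPN_b[17]: ESTABLISHED 5 minutes ago,[]...[]
   VPN_b{21}:  INSTALLED, TUNNEL, reqid 4, ESP SPIs: c0ffee01_i
"""

# name[id] marks an IKE_SA line, name{id} a CHILD_SA line.
IKE_RE = re.compile(r"^\s*([^\s\[{]+)\[(\d+)\]:\s+ESTABLISHED\s+(.+?)\s+ago,\s*(.*)$")
CHILD_RE = re.compile(r"^\s*([^\s\[{]+)\{(\d+)\}:\s+INSTALLED,.*\breqid\s+(\d+)")

def parse(text):
    """Return (ike_sas, child_sas) found on ESTABLISHED / INSTALLED lines."""
    ike, child = [], []
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            ike.append({"conn": m[1], "id": int(m[2]), "peers": m[4].strip()})
        elif m := CHILD_RE.match(line):
            child.append({"conn": m[1], "id": int(m[2]), "reqid": int(m[3])})
    return ike, child

def _dupes(rows, key):
    """Group SA ids by key and keep only groups with more than one member."""
    groups = defaultdict(list)
    for row in rows:
        groups[key(row)].append(row["id"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def duplicate_ike_sas(text):
    """(conn, peers) -> ids of IKE_SAs established in parallel."""
    return _dupes(parse(text)[0], lambda s: (s["conn"], s["peers"]))

def shared_reqids(text):
    """(conn, reqid) -> ids of CHILD_SAs installed under the same reqid."""
    return _dupes(parse(text)[1], lambda s: (s["conn"], s["reqid"]))

if __name__ == "__main__":
    print("duplicate IKE_SAs:", duplicate_ike_sas(SAMPLE))
    print("shared reqids:   ", shared_reqids(SAMPLE))
```
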
