[strongSwan] why multiple SAs for one peer?

Victor Sudakov vas at sibptus.ru
Fri Nov 13 08:09:08 CET 2020 

Hi Volodymyr,

Nope, the "officeru4" peer's  selectors are both "x.x.x.x/32[gre] === z.z.z.z/32[gre]"

In fact, the peers look like this in the config:

conn officeru3
    authby=secret
    dpddelay=10s
    dpdaction=restart
    esp=aes128-sha1-modp2048!
    ike=aes128-sha1-modp2048!
    ikelifetime=3h
    lifetime=1h
    keyexchange=ikev2
    type=transport
    left=x.x.x.x
    right=y.y.y.y
    leftprotoport=47
    rightprotoport=47

conn officeru4
    also = officeru3
    right=z.z.z.z



Volodymyr Litovka wrote:
> Hi Victor,
> 
> it seems there are different traffic selectors on SAs: one is x.x.x.x
> <-> y.y.y.y, while another is x.x.x.x <-> z.z.z.z
> 
> 
> On 13.11.2020 05:13, Victor Sudakov wrote:
> > Dear Colleagues,
> > 
> > What's the reason for strongSwan to create (sometimes) multiple SAs for
> > a single peer? Please see the example below where the "officeru3" peer
> > looks fine to me while the "officeru4" peer has an extraneous SA.
> > 
> > root at tunn:~# ipsec status | grep officeru3
> >     officeru3{2}:  ROUTED, TRANSPORT, reqid 2
> >     officeru3{2}:   x.x.x.x/32[gre] === y.y.y.y/32[gre]
> >     officeru3[27]: ESTABLISHED 108 minutes ago, x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]
> >     officeru3{83}:  INSTALLED, TRANSPORT, reqid 2, ESP in UDP SPIs: c1f542b3_i 0e4df460_o
> >     officeru3{83}:   x.x.x.x/32[gre] === y.y.y.y/32[gre]
> > root at tunn:~#
> > root at tunn:~# ipsec status | grep officeru4
> >     officeru4{3}:  ROUTED, TRANSPORT, reqid 3
> >     officeru4{3}:   x.x.x.x/32[gre] === z.z.z.z/32[gre]
> >     officeru4[30]: ESTABLISHED 60 minutes ago, x.x.x.x[x.x.x.x]...z.z.z.z[z.z.z.z]
> >     officeru4{82}:  INSTALLED, TRANSPORT, reqid 3, ESP in UDP SPIs: c50d4bb3_i 0f33c281_o
> >     officeru4{82}:   x.x.x.x/32[gre] === z.z.z.z/32[gre]
> >     officeru4[28]: ESTABLISHED 106 minutes ago, x.x.x.x[x.x.x.x]...z.z.z.z[z.z.z.z]
> >     officeru4{84}:  INSTALLED, TRANSPORT, reqid 3, ESP in UDP SPIs: c02ebd2f_i 0a5e786d_o
> >     officeru4{84}:   x.x.x.x/32[gre] === z.z.z.z/32[gre]
> > root at tunn:~#
> > 
> --
> Volodymyr Litovka
>   "Vision without Execution is Hallucination." -- Thomas Edison
> 

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/

More information about the Users mailing list