[strongSwan] Multiple CHILD_SA in one IKE_SA with same TS

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Tue Jan 25 07:42:37 CET 2022


Hi

would setting this "reqid" option for each of the tunnels (with different
left/right IDs set) in both initiator and responder peers help?

The below is the setting that is available (in swanctl.conf):
------------------------------------------------------------------------------------------------------------------------------------
connections.<conn>.children.<child>.reqid = <0(default-value)>
- Fixed reqid to use for this CHILD_SA. This might be helpful in some
scenarios, but works only if each CHILD_SA configuration is instantiated
not more than once.
- The default of 0 uses dynamic reqids, allocated incrementally.
-------------------------------------------------------------------------------------------------------------------------------

regards
Rajiv



On Tue, Jan 25, 2022 at 1:19 AM Noel Kuntze
<noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:

> Hello Marcel,
>
> You already found the only good solution to the problem.
> The general problem is that there's no way to identify any specific
> CHILD_SA because there are no markers or authentication procedures, or ways
> to match them by establishment order.
>
> Kind regards
> Noel
>
> Am 24.01.22 um 10:48 schrieb Marcel Menzel:
> > Hello List,
> >
> > I am connecting multiple XFRM interfaces, each being in a different VRF,
> between two servers running strongSwan 5.9.4.
> >
> > As I am running dynamic routing protocols over those XFRM interfaces,
> all traffic selectors of the CHILD_SAs have been set to 0.0.0.0/0 & ::/0.
> >
> > Now, the responder is not being able to distinguish between the
> CHILD_SAs anymore (due to the same TS) for one IKE_SA and all the CHILD_SAs
> of the initiator end up in the same (the first) CHILD_SA in the responder,
> meaning the different XFRM interfaces of the initiator are being terminated
> all in the same XFRM interface of the responder.
> >
> > My current workaround is to create one IKE_SA per CHILD_SA as I am able
> to set the local and remote ID in the IKE_SA and use these to distinguish
> the tunnels as the local and remote addresses are the same as well.
> Unfortunately, the CHILD_SA parameter "reqid" is a local setting only and
> looking at the docs I can't see another way to set some "ID" of some sort
> to be able to distinguish between overlapping/identical traffic selectors.
> Am I missing something here or is this the only possible workaround?
> >
> >
> > Thanks
> >
> >   - Marcel
>
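The workaround Marcel describes, one IKE_SA per tunnel told apart by its IKE identities, written out as an added swanctl.conf example; this is not configuration from the thread, and the addresses, identities, certificate name and if_id values are placeholders (pubkey authentication is assumed, so each connection's ID must appear as a SAN in the certificate).

```conf
# Constructed initiator-side swanctl.conf (placeholder addresses, IDs
# and certificate name); the responder mirrors it with sides swapped.
connections {
    vrf-a {
        local_addrs  = 192.0.2.1
        remote_addrs = 192.0.2.2
        local {
            certs = initiator.pem
            id = vrf-a.initiator.example
        }
        remote {
            id = vrf-a.responder.example
        }
        children {
            vrf-a {
                # Identical catch-all selectors on every tunnel.
                local_ts  = 0.0.0.0/0,::/0
                remote_ts = 0.0.0.0/0,::/0
                # XFRM interface id of this VRF's ipsec interface.
                if_id_in  = 11
                if_id_out = 11
                start_action = start
            }
        }
    }
    vrf-b {
        local_addrs  = 192.0.2.1
        remote_addrs = 192.0.2.2
        # A distinct identity pair is what lets the responder tell
        # this IKE_SA, and so its CHILD_SA, apart from vrf-a.
        local {
            certs = initiator.pem
            id = vrf-b.initiator.example
        }
        remote {
            id = vrf-b.responder.example
        }
        children {
            vrf-b {
                local_ts  = 0.0.0.0/0,::/0
                remote_ts = 0.0.0.0/0,::/0
                if_id_in  = 12
                if_id_out = 12
                start_action = start
            }
        }
    }
}
```

Since addresses and selectors are identical on both connections, the responder can only match an incoming IKE_SA to vrf-a or vrf-b by the local/remote ID pair, which is why a single IKE_SA carrying both CHILD_SAs cannot keep them apart.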