[strongSwan] Multiple CHILD_SA in one IKE_SA with same TS

Marcel Menzel mail at mcl.gg
Tue Jan 25 10:02:11 CET 2022 

Hi Rajiv,

I already tried this, this would not help. "reqid" is local only and 
this information is never being transmitted to the other side as part of 
the CHILD_SA establishment, so setting these per hand on both sides will 
still end up all tunnels being terminated into the first matching 
CHILD_SA on the responder.

Regards

- Marcel

Am 25.01.2022 um 07:42 schrieb Rajiv Kulkarni:
> Hi
>
> would setting this "reqid" option for each of the tunnels (with 
> different left-righ-IDs set) in both initiator and responder peers help?
>
> The below is the setting that is available (in swanctl.conf):
> ------------------------------------------------------------------------------------------------------------------------------------
> connections.<conn>.children.<child>.reqid = <0(default-value)>
> - Fixed reqid to use for this CHILD_SA. This might be helpful in some 
> scenarios, but works only if each CHILD_SA configuration is 
> instantiated not more than once.
> - The default of 0 uses dynamic reqids, allocated incrementally.
> -------------------------------------------------------------------------------------------------------------------------------
>
> regards
> Rajiv
>
>
>
> On Tue, Jan 25, 2022 at 1:19 AM Noel Kuntze 
> <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>
>     Hello Marcel,
>
>     You already found the only good solution to the problem.
>     The general problem is that there's no way to identify any
>     specific CHILD_SA because there are no markers or authentication
>     procedures, or ways to match them by establishment order.
>
>     Kind regards
>     Noel
>
>     Am 24.01.22 um 10:48 schrieb Marcel Menzel:
>     > Hello List,
>     >
>     > I am connecting multiple XFRM interfaces, each being in a
>     different VRF, between two servers running strongSwan 5.9.4.
>     >
>     > As I am running dynamic routing protocols over those XFRM
>     interfaces, all traffic selectors of the CHILD_SAs have been set
>     to 0.0.0.0/0 <http://0.0.0.0/0> & ::/0.
>     >
>     > Now, the responder is not being able to distinguish between the
>     CHILD_SAs anymore (due to the same TS) for one IKE_SA and all the
>     CHILD_SAs of the initiator end up in the same (the first) CHILD_SA
>     in the responder, meaning the different XFRM interfaces of the
>     initiator are being terminated all in the same XFRM interface of
>     the responder.
>     >
>     > My current workaround is to create one IKE_SA per CHILD_SA as I
>     am able to set the local and remote ID in the IKE_SA and use these
>     to distinguish the tunnels as the local and remote addresses are
>     the same aswell. Unfortunately. the CHILD_SA parameter "reqid" is
>     a local setting only and looking at the docs I can't see another
>     way to set some "ID" of some sort to be able to distinguish
>     between overlapping/identical traffic selectors. Am I missing
>     something here or is this the only possible workaround?
>     >
>     >
>     > Thanks
>     >
>     >   - Marcel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20220125/ac51074b/attachment.html>

More information about the Users mailing list