[strongSwan] Duplicate SAs, Strongswan as an IPSec initiator(road warrior)
John Serink
john_serink at trimble.com
Sat Mar 5 05:05:03 CET 2022
Hello:
I have a bunch of Teltonika RUT-950 routers that are running strongSwan v5.6.2.
The RUT-950 are simultaneously connecting to two separate Cisco 4431 IOS based routers using
ikev2 with asymmetric keys. I am running GRE tunnels inside the IPSec tunnels.
In general the system works fine, but from time to time I get this:
root at CORS235:~# ipsec status
Security Associations (3 up, 0 connecting):
SOICCMP[16]: ESTABLISHED 21 minutes ago, 192.168.29.161[CORS235]...A.B.C.D[CC2router]
SOICCMP{18}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: cd269609_i 45768b65_o
SOICCMP{18}: 3.3.2.235/32 === 1.1.1.12/32
SOICC[15]: ESTABLISHED 37 minutes ago, 192.168.29.161[CORS235]...C.D.E.F[CCrouter]
SOICC{17}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7e00659_i 76c9b21a_o
SOICC{17}: 2.2.2.235/32 === 1.1.1.10/32
SOICC[14]: ESTABLISHED 37 minutes ago, 192.168.29.161[CORS235]...C.D.E.F[CCrouter]
SOICC{16}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce8a8edb_i caf6788d_o
SOICC{16}: 2.2.2.235/32 === 1.1.1.10/32
In this case the connection to SOICCMP works fine, but the tunnel with two SAs, SOICC, has no
connectivity.
I have tried this option:
reauth=no
That didn't work.
My thinking was that the rekeying was happening simultaneously from the Strongswan end and the
Cisco end so I removed the above option and tried this:
conn %default
margintime=9m
rekeyfuzz=100%
But that didn't fix it either.
An "ipsec restart" fixes it and everything comes up right.
Is there a way to work around this so that I don't have to connect to the router and issue an
ipsec restart?
Here is the strongswan config with the IP addresses removed:
conn SOICCMP
leftid=keyid:CORS235
leftauth=psk
rightauth=psk
leftsubnet=3.3.2.235/32
right=B.C.D.E
rightid=keyid:CC2router
keyexchange=ikev2
authby=secret
leftfirewall=yes
rightfirewall=no
auto=start
type=tunnel
aggressive=no
dpdaction=restart
dpddelay=30
dpdtimeout=30
forceencaps=no
keyingtries=%forever
ike=aes256-sha256-modp2048
ikelifetime=5h
esp=aes256-sha256-modp2048
keylife=4h
rightsubnet=1.1.1.12/32
Cheers,
john
--
John Edward Serink
Product Applications Engineer,
Advanced Positioning
Trimble Navigation Singapore PTE Ltd.
3 Harbourfront Place,
#13-02 Harbourfront Tower Two,
Co. Reg. No. 199204958W
Singapore 099254
Tel 65-6871-5878
Fax 65-6871-5879
DID 65-6871-5873
HP 65-9129-4250
Skype: johnserink