[strongSwan] Duplicate SAs, Strongswan as an IPSec initiator(road warrior)

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sun Mar 6 02:01:13 CET 2022


Hello John,

It only makes sense to look at it with debug level logs, as shown on the HelpRequests[1] page.
Speculation will not help much.

Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 05.03.22 at 05:05, John Serink wrote:
> Hello:
> 
> I have a bunch of Teltonika routers, RUT-950 model, that are running strongSwan v5.6.2.
> The RUT-950s are simultaneously connecting to two separate Cisco 4431 IOS-based routers using
> IKEv2 with asymmetric keys. I am running GRE tunnels inside the IPsec tunnels.
> 
> In general the system works fine, but from time to time I get this:
> root at CORS235:~# ipsec status
> Security Associations (3 up, 0 connecting):
>       SOICCMP[16]: ESTABLISHED 21 minutes ago, 192.168.29.161[CORS235]...A.B.C.D[CC2router]
>       SOICCMP{18}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: cd269609_i 45768b65_o
>       SOICCMP{18}:   3.3.2.235/32 === 1.1.1.12/32
>         SOICC[15]: ESTABLISHED 37 minutes ago, 192.168.29.161[CORS235]...C.D.E.F[CCrouter]
>         SOICC{17}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7e00659_i 76c9b21a_o
>         SOICC{17}:   2.2.2.235/32 === 1.1.1.10/32
>         SOICC[14]: ESTABLISHED 37 minutes ago, 192.168.29.161[CORS235]...C.D.E.F[CCrouter]
>         SOICC{16}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce8a8edb_i caf6788d_o
>         SOICC{16}:   2.2.2.235/32 === 1.1.1.10/32
> 
> In this case the connection to SOICCMP works fine, but the tunnel with two SAs, SOICC, has no
> connectivity.
> 
> I have tried this option:
> reauth=no.
> 
> That didn't work.
> 
> My thinking was that the rekeying was happening simultaneously from the Strongswan end and the
> Cisco end so I removed the above option and tried this:
> conn %default
>          margintime=9m
>          rekeyfuzz=100%
> 
> But that didn't fix it either.
> 
> An "ipsec restart" fixes it and everything comes up right.
> 
> Is there a way to work around this so that I don't have to connect to the router and issue an
> ipsec restart?
> 
> Here is the strongswan config with the IP addresses removed:
> conn SOICCMP
>          leftid=keyid:CORS235
>          leftauth=psk
>          rightauth=psk
>          leftsubnet=3.3.2.235/32
>          right=B.C.D.E
>          rightid=keyid:CC2router
>          keyexchange=ikev2
>          authby=secret
>          leftfirewall=yes
>          rightfirewall=no
>          auto=start
>          type=tunnel
>          aggressive=no
>          dpdaction=restart
>          dpddelay=30
>          dpdtimeout=30
>          forceencaps=no
>          keyingtries=%forever
>          ike=aes256-sha256-modp2048
>          ikelifetime=5h
>          esp=aes256-sha256-modp2048
>          keylife=4h
>          rightsubnet=1.1.1.12/32
> 
> Cheers,
> john
> 
> 
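A check for the state shown in the quoted status output, as an added example that is not from the thread or from strongSwan: it parses `ipsec status` text and reports connections holding more than one ESTABLISHED IKE_SA, or more than one INSTALLED CHILD_SA with the same reqid and traffic selectors, so the condition can be alerted on rather than found by hand. The sample input is the status output quoted above; the function names are my own.

```python
import re
from collections import defaultdict

# Sample input: the `ipsec status` output quoted in the thread (not live data).
STATUS = """\
Security Associations (3 up, 0 connecting):
      SOICCMP[16]: ESTABLISHED 21 minutes ago, 192.168.29.161[CORS235]...A.B.C.D[CC2router]
      SOICCMP{18}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: cd269609_i 45768b65_o
      SOICCMP{18}:   3.3.2.235/32 === 1.1.1.12/32
        SOICC[15]: ESTABLISHED 37 minutes ago, 192.168.29.161[CORS235]...C.D.E.F[CCrouter]
        SOICC{17}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7e00659_i 76c9b21a_o
        SOICC{17}:   2.2.2.235/32 === 1.1.1.10/32
        SOICC[14]: ESTABLISHED 37 minutes ago, 192.168.29.161[CORS235]...C.D.E.F[CCrouter]
        SOICC{16}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce8a8edb_i caf6788d_o
        SOICC{16}:   2.2.2.235/32 === 1.1.1.10/32
"""

# Line shapes: conn[ike_id]: STATE ...; conn{child_id}: STATE, MODE, reqid N ...; conn{child_id}: local === remote
IKE_RE = re.compile(r"^\s*(?P<conn>[^\s\[{]+)\[(?P<id>\d+)\]:\s+(?P<state>\w+)")
CHILD_RE = re.compile(r"^\s*(?P<conn>[^\s\[{]+)\{(?P<id>\d+)\}:\s+(?P<state>\w+),\s+\w+,\s+reqid\s+(?P<reqid>\d+)")
TS_RE = re.compile(r"^\s*(?P<conn>[^\s\[{]+)\{(?P<id>\d+)\}:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)")

def parse_status(text):
    """Return {conn: {"ike": {id: state}, "child": {id: {"state", "reqid", "ts"}}}}."""
    conns = defaultdict(lambda: {"ike": {}, "child": {}})
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            conns[m["conn"]]["ike"][int(m["id"])] = m["state"]
        elif m := CHILD_RE.match(line):
            conns[m["conn"]]["child"][int(m["id"])] = {
                "state": m["state"], "reqid": int(m["reqid"]), "ts": None}
        elif m := TS_RE.match(line):  # selector line follows its CHILD_SA line
            conns[m["conn"]]["child"].setdefault(int(m["id"]), {"state": "?", "reqid": None, "ts": None})["ts"] = (m["local"], m["remote"])
    return dict(conns)

def find_duplicates(text):
    """Connections with >1 ESTABLISHED IKE_SA, or >1 INSTALLED CHILD_SA sharing reqid and
    selectors (the stuck state in the thread). Returns {conn: {"ike": [ids], "child": [ids]}}."""
    report = {}
    for conn, info in parse_status(text).items():
        ike = sorted(i for i, s in info["ike"].items() if s == "ESTABLISHED")
        groups = defaultdict(list)  # (reqid, selectors) -> installed CHILD_SA ids
        for cid, c in info["child"].items():
            if c["state"] == "INSTALLED":
                groups[(c["reqid"], c["ts"])].append(cid)
        child = sorted(i for g in groups.values() if len(g) > 1 for i in g)
        if len(ike) > 1 or child:
            report[conn] = {"ike": ike if len(ike) > 1 else [], "child": child}
    return report
```

Run it from cron or a monitoring agent against `ipsec status` output; an empty dict means no connection is in the duplicated state.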