[strongSwan] Duplicate SAs

John Serink john_serink at trimble.com
Tue Mar 22 13:59:34 CET 2022


Hello:

I am using the following on a Teltonika RUT-950:
root at CORS262:~# ipsec --version
Linux strongSwan U5.6.2/K3.18.44
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.

I am using strongswan road warriors connecting to two different Cisco IOS routers. 

Here is my problem:
root at CORS262:~# ipsec status
Security Associations (3 up, 0 connecting):
SOICC[25]: ESTABLISHED 82 minutes ago, 100.95.41.178[CORS262]...103.205.244.106[CCrouter]
SOICC{28}: INSTALLED, TUNNEL, reqid 5, ESP in UDP SPIs: cea042a6_i d6fa31b8_o
SOICC{28}: 2.2.3.6/32 === 1.1.1.10/32
SOICC[24]: ESTABLISHED 82 minutes ago, 100.95.41.178[CORS262]...103.205.244.106[CCrouter]
SOICC{27}: INSTALLED, TUNNEL, reqid 5, ESP in UDP SPIs: c7bdad52_i a0838d85_o
SOICC{27}: 2.2.3.6/32 === 1.1.1.10/32
SOICCMP[22]: ESTABLISHED 3 hours ago, 100.95.41.178[CORS262]...164.100.196.79[CC2router]
SOICCMP{29}: INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: c1493199_i 021b5af1_o
SOICCMP{29}: 3.3.3.6/32 === 1.1.1.12/32

As you can see, the tunnel SOICC is duplicated. When this happens the traffic through the GRE
tunnels inside the IPSec tunnels stop.
DPD is not pulling the tunnel down for some reason.

Here is the config:
root at CORS262:~# cat /etc/ipsec.conf
# generated by /etc/init.d/ipsec
conn %default
margintime=9m
rekeyfuzz=100%

conn SOICC
leftid=keyid:CORS262
leftauth=psk
rightauth=psk
leftsubnet=2.2.3.6/32
right=103.205.244.106
rightid=keyid:CCrouter
keyexchange=ikev2
authby=secret
leftfirewall=yes
rightfirewall=no
auto=start
type=tunnel
aggressive=no
dpdaction=restart
dpddelay=30
dpdtimeout=30
forceencaps=no
keyingtries=%forever
ike=aes256-sha256-modp2048
ikelifetime=5h
esp=aes256-sha256-modp2048
keylife=4h
rightsubnet=1.1.1.10/32

conn SOICCMP
leftid=keyid:CORS262
leftauth=psk
rightauth=psk
leftsubnet=3.3.3.6/32
right=164.100.196.79
rightid=keyid:CC2router
keyexchange=ikev2
authby=secret
leftfirewall=yes
rightfirewall=no
auto=start
type=tunnel
aggressive=no
dpdaction=restart
dpddelay=30
dpdtimeout=30
forceencaps=no
keyingtries=%forever
ike=aes256-sha256-modp2048
ikelifetime=5h
esp=aes256-sha256-modp2048
keylife=4h
rightsubnet=1.1.1.12/32

I seldom see duplicate tunnels from the SOICCMP profile, only the SOICC.
I turn off strongswan and setup and erect the GRE tunnels before restarting strongswan when
teh RUT-950 boots via
the /etc/rc.local file:
root at CORS262:~# cat /etc/rc.local
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
/etc/init.d/ipsec stop
echo 1 > /proc/sys/net/ipv4/conf/default/accept_local
echo 1 > /proc/sys/net/ipv4/conf/all/accept_local
ip addr del dev SOI 192.168.194.21/30
ip link set dev SOI down
ip tun del SOI
ip addr del dev tap0 2.2.3.6/32
ip tuntap del tap0 mode tap
sleep 1
ip addr del dev SOIMP 172.16.164.21/30
ip link set dev SOIMP down
ip tun del SOIMP
ip addr del dev tap1 3.3.3.6/32
ip tuntap del tap1 mode tap
sleep 1
ip tuntap add name tap0 mode tap
ip addr flush dev tap0
ip addr add 2.2.3.6/32 brd + dev tap0
ip link set dev tap0 up
sleep 1
ip tuntap add name tap1 mode tap
ip addr flush dev tap1
ip addr add 3.3.3.6/32 brd + dev tap1
ip link set dev tap1 up
sleep 1
ip tunnel add SOI mode gre remote 1.1.1.10 local 2.2.3.6 ttl 255
ip link set SOI mtu 1400
ip link set SOI up
ip addr add 192.168.194.21/30 peer 192.168.194.22/30 brd + dev SOI
sleep 1
ip tunnel add SOIMP mode gre remote 1.1.1.12 local 3.3.3.6 ttl 255
ip link set SOIMP mtu 1400
ip link set SOIMP up
ip addr add 172.16.164.21/30 peer 172.16.164.22/30 brd + dev SOIMP
sleep 1
ip route add 192.168.0.0/16 dev SOI
ip route add 172.16.0.0/16 dev SOIMP
#sh /root/isalive0.12.sh 192.168.48.1 172.16.48.1 &
sh /root/isalive0.16.sh 192.168.48.1 172.16.48.1 &
/usr/bin/logger -t rc.local "End of the RC.LOCAL file"
sh /root/startipsec.sh &
exit 0

The /root/isalive0.16.sh script is a file that will reboot the router if pings to both
internal IPs fail for 5 minutes.

I have GRE keepalives enabled on the Cisco side.

Does anyone have any tips on how I can:
1. Perhaps get DPD to tear down and restart he tunnel,
2. Prevent strongswan from creating a duplicate tunnel.

Cheers,
John

-- 
John Edward Serink
Product Applications Engineer,
Advanced Positioning
Trimble Navigation Singapore PTE Ltd.
3 Harbourfront Place, 
#13-02 Harbourfrout Tower Two,
Co. Reg. No. 199204958W
Singapore 099254
Tel 65-6871-5878
Fax 65-6871-5879
DID 65-6871-5873
HP  65-9129-4250
Skype: johnserink
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20220322/16fa0472/attachment.html>


More information about the Users mailing list