[strongSwan] Duplicate SAs, Strongswan as an IPSec initiator(road warrior)

John Serink john_serink at trimble.com
Wed Mar 23 06:16:41 CET 2022


Hi Noel:

Sorry for the late response; I made the pediatric mistake of not checking my spam
folder.... sigh.

I'm checking a few things and will come back to you.

Cheers,
John

On Sun, 2022-03-06 at 02:01 +0100, Noel Kuntze wrote:
> Hello John,
> 
> It only makes sense to look at it with debug level logs, as shown on the HelpRequests[1]
> page.
> Speculation will not help much.
> 
> Kind regards
> Noel
> 
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
> 
> Am 05.03.22 um 05:05 schrieb John Serink:
> > Hello:
> > 
> > I have a bunch of Teltonika routers, RUT-950 model, that are running strongSwan v5.6.2.
> > The RUT-950 are simultaneously connecting to two separate Cisco 4431 IOS based routers
> > using IKEv2 with asymmetric keys. I am running GRE tunnels inside the IPsec tunnels.
> > 
> > In general the system works fine, but from time to time I get this:
> > root@CORS235:~# ipsec status
> > Security Associations (3 up, 0 connecting):
> >       SOICCMP[16]: ESTABLISHED 21 minutes ago, 192.168.29.161[CORS235]...A.B.C.D[CC2router]
> >       SOICCMP{18}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: cd269609_i 45768b65_o
> >       SOICCMP{18}:   3.3.2.235/32 === 1.1.1.12/32
> >         SOICC[15]: ESTABLISHED 37 minutes ago, 192.168.29.161[CORS235]...C.D.E.F[CCrouter]
> >         SOICC{17}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7e00659_i 76c9b21a_o
> >         SOICC{17}:   2.2.2.235/32 === 1.1.1.10/32
> >         SOICC[14]: ESTABLISHED 37 minutes ago, 192.168.29.161[CORS235]...C.D.E.F[CCrouter]
> >         SOICC{16}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce8a8edb_i caf6788d_o
> >         SOICC{16}:   2.2.2.235/32 === 1.1.1.10/32
> > 
> > In this case the connection to SOICCMP works fine but the tunnel with two SAs SOICC has no
> > connectivity.
> > 
> > I have tried this option:
> > reauth=no.
> > 
> > That didn't work.
> > 
> > My thinking was that the rekeying was happening simultaneously from the strongSwan end and
> > the Cisco end, so I removed the above option and tried this:
> > conn %default
> >          margintime=9m
> >          rekeyfuzz=100%
> > 
> > But that didn't fix it either.
> > 
> > An "ipsec restart" fixes it and everything comes up right.
> > 
> > Is there a way to work around this so that I don't have to connect to the router and issue
> > an ipsec restart?
> > 
> > Here is the strongswan config with the IP addresses removed:
> > conn SOICCMP
> >          leftid=keyid:CORS235
> >          leftauth=psk
> >          rightauth=psk
> >          leftsubnet=3.3.2.235/32
> >          right=B.C.D.E
> >          rightid=keyid:CC2router
> >          keyexchange=ikev2
> >          authby=secret
> >          leftfirewall=yes
> >          rightfirewall=no
> >          auto=start
> >          type=tunnel
> >          aggressive=no
> >          dpdaction=restart
> >          dpddelay=30
> >          dpdtimeout=30
> >          forceencaps=no
> >          keyingtries=%forever
> >          ike=aes256-sha256-modp2048
> >          ikelifetime=5h
> >          esp=aes256-sha256-modp2048
> >          keylife=4h
> >          rightsubnet=1.1.1.12/32
> > 
> > Cheers,
> > john
> > 
> > 
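Added example, not part of the thread and not strongSwan's own tooling: a small POSIX shell check that parses an `ipsec status` listing like the one quoted above and reports every connection that holds more than one established IKE_SA, which is the state SOICC is in when connectivity is lost. The sample listing is constructed after the one in the mail (the peer addresses are the thread's own placeholders); the function names and the cron usage are assumptions.

```shell
#!/bin/sh
# Detect duplicate IKE_SAs in `ipsec status` output (added example, not from
# the thread). In strongSwan's status listing an IKE_SA line reads
# "NAME[ID]: ESTABLISHED ..." while CHILD_SA lines read "NAME{ID}: ...".

# Constructed sample, modelled on the listing in the thread. The addresses
# are the thread's placeholders, not real peers.
SAMPLE_STATUS='Security Associations (3 up, 0 connecting):
      SOICCMP[16]: ESTABLISHED 21 minutes ago, 192.168.29.161[CORS235]...A.B.C.D[CC2router]
      SOICCMP{18}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: cd269609_i 45768b65_o
      SOICCMP{18}:   3.3.2.235/32 === 1.1.1.12/32
        SOICC[15]: ESTABLISHED 37 minutes ago, 192.168.29.161[CORS235]...C.D.E.F[CCrouter]
        SOICC{17}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7e00659_i 76c9b21a_o
        SOICC{17}:   2.2.2.235/32 === 1.1.1.10/32
        SOICC[14]: ESTABLISHED 37 minutes ago, 192.168.29.161[CORS235]...C.D.E.F[CCrouter]
        SOICC{16}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce8a8edb_i caf6788d_o
        SOICC{16}:   2.2.2.235/32 === 1.1.1.10/32'

# dup_ike_sas: read `ipsec status` text on stdin and print "NAME COUNT" for
# each connection name with more than one ESTABLISHED IKE_SA.
dup_ike_sas() {
    awk '
        # Field 1 is "NAME[ID]:" on IKE_SA lines; CHILD_SA lines use braces
        # and never match this pattern.
        $1 ~ /^[^{]+\[[0-9]+\]:$/ && $2 == "ESTABLISHED" {
            name = $1
            sub(/\[.*$/, "", name)   # strip "[ID]:" to keep the conn name
            count[name]++
        }
        END {
            for (n in count)
                if (count[n] > 1)
                    print n, count[n]
        }
    '
}

# dup_count: number of connections with duplicate IKE_SAs (0 means healthy).
# Reads the same stdin as dup_ike_sas.
dup_count() {
    dup_ike_sas | wc -l | tr -d ' '
}

# Demonstration on the constructed sample; on a router you would pipe the
# live command instead: ipsec status | dup_ike_sas
printf '%s\n' "$SAMPLE_STATUS" | dup_ike_sas
```

Run from cron, a non-empty result from `ipsec status | dup_ike_sas` is the signal that the IKE_SA pair the thread describes has appeared again; whether the job only logs it or also triggers the restart the author currently performs by hand is a local policy choice, and the check itself does not touch any SA.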

