Hi Jegathesh,

IKEv2 RFC 5996 allows for multiple Child SAs having the same traffic selectors. If you define two connections having identical traffic selectors then this is your own personal choice and we are not going to prevent you from doing this.

Regards

Andreas

On 02/09/2013 04:31 PM, jegathesh malaiyappan wrote:
> Hi All,
>
> *Version:* strongSwan 4.5.3
>
> strongswan is creating duplicate SA connection if we are adding the same
> connection in *ipsec.conf* file. why strongswan is allowing duplicate
> connection? Can't avoid this in strongswan? Please clarify on this.
>
> ipsec.conf:
> ========
> *conn conn1*
>     type=tunnel
>     leftsubnet=2.2.2.2/24
>     rightsubnet=10.10.10.11/24
>     left=192.167.10.12
>     right=192.167.3.2
>     keyexchange=ikev2
>     reauth=no
>     ike=aes128-sha1-modp1024,3des-sha1-modp1024!
>     ikelifetime=83111s
>     esp=aes128-sha1,3des-sha1!
>     authby=pubkey
>     rightid=%any
>     leftid="192.168.255.129"
>     keylife=86400s
>     dpdaction=restart
>     dpddelay=10
>     dpdtimeout=120
>     rekeyfuzz=50%
>     rekeymargin=180s
>
> *conn conn2*
>     type=tunnel
>     leftsubnet=2.2.2.2/24
>     rightsubnet=10.10.10.11/24
>     left=192.167.10.12
>     right=192.167.3.2
>     keyexchange=ikev2
>     reauth=no
>     ike=aes128-sha1-modp1024,3des-sha1-modp1024!
>     ikelifetime=83111s
>     esp=aes128-sha1,3des-sha1!
>     authby=pubkey
>     rightid=%any
>     leftid="192.168.255.129"
>     keylife=86400s
>     dpdaction=restart
>     dpddelay=10
>     dpdtimeout=120
>     rekeyfuzz=50%
>     rekeymargin=180s
>
>
> Connection Details:
> ===============
> Security Associations (1 up, 0 connecting):
> conn1[202]: ESTABLISHED 3 minutes ago,
> 192.167.10.12[192.168.255.129]...192.167.3.2
> conn1[202]: IKE SPIs: 8844db848d42913e_i 19c2afa035743af9_r*,
> rekeying in 22 hours
> conn1[202]: IKE proposal:
> AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> conn1{475}: INSTALLED, TUNNEL, ESP SPIs: c5cec271_i c62d9719_o
> conn1{475}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
> rekeying in 23 hours
> conn1{475}: 2.2.2.0/24 === 10.10.10.0/24
> conn2{476}: INSTALLED, TUNNEL, ESP SPIs: cdc16950_i c8c47f0d_o
> conn2{476}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
> rekeying in 23 hours
> conn2{476}: 2.2.2.0/24 === 10.10.10.0/24
>
>
> Thanks.
> Jegathesh

======================================================================
Andreas Steffen [email protected]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
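Since strongSwan installs a Child SA for every conn it is given, one way to catch unintended duplicates is to lint ipsec.conf before loading it. The Python script below is an added example, not part of the thread or of strongSwan. Its function names are hypothetical, and it assumes plain CIDR subnets and ignores `also=`, `%default` and include handling. It normalizes subnets the same way the status output in the thread shows them (2.2.2.2/24 appears as 2.2.2.0/24), so differently written but equivalent selectors are also reported.

```python
import ipaddress

# Constructed sample: conn1 copies the selectors from the thread, conn2 writes
# the same networks in canonical form, conn3 uses a different local subnet.
SAMPLE_CONF = """\
conn conn1
    leftsubnet=2.2.2.2/24
    rightsubnet=10.10.10.11/24
    left=192.167.10.12
    right=192.167.3.2
conn conn2
    leftsubnet=2.2.2.0/24      # same network as 2.2.2.2/24
    rightsubnet=10.10.10.0/24
    left=192.167.10.12
    right=192.167.3.2
conn conn3
    leftsubnet=2.2.3.0/24
    rightsubnet=10.10.10.11/24
    left=192.167.10.12
    right=192.167.3.2
"""

def parse_conns(text):
    """Return {name: {key: value}} for each 'conn' section; other sections are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments and trailing blanks
        if line and not line[0].isspace():         # section header starts in column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:  # indented key=value parameter
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def normalize(subnets):
    """Canonical form of a comma-separated subnet list, e.g. 2.2.2.2/24 -> 2.2.2.0/24."""
    nets = [ipaddress.ip_network(s.strip(), strict=False) for s in subnets.split(",")]
    return tuple(sorted(str(n) for n in nets))

def duplicate_selectors(text):
    """Group conn names that share both endpoints and normalized traffic selectors."""
    groups = {}
    for name, opts in parse_conns(text).items():
        if "leftsubnet" in opts and "rightsubnet" in opts:
            key = (opts.get("left"), opts.get("right"),
                   normalize(opts["leftsubnet"]), normalize(opts["rightsubnet"]))
            groups.setdefault(key, []).append(name)
    return [names for names in groups.values() if len(names) > 1]
```

Calling `duplicate_selectors()` on the text of a configuration file returns one list of conn names per set of identical selectors, and an empty list when there are none.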
