Hello Vinay,

your rekeying parameters are most unusual:

    keylife=300s rekeymargin=180s rekeyfuzz=50%

This means that Quick Mode rekeying starts between 300s - 1.5*180s = 30s
and 300s - 180s = 120s after the establishment of an IPsec SA, with an
expected mean value of 300s - 1.25*180s = 75s. This gives the following
rekeying schedule:

    Time    Quick Mode
      0s    SA#1
     75s    SA#2 (rekeying of SA#1)
    150s    SA#3 (rekeying of SA#2)
    225s    SA#4 (rekeying of SA#3)
    300s    SA#1 expires and is deleted
    300s    SA#5 (rekeying of SA#4)

As you can easily see, 4 concurrent IPsec SAs are to be expected with
your rekeying settings.

Best regards

Andreas

On 13.06.2012 12:55, [email protected] wrote:
> Hi,
>
> I am facing an issue with IKEv1 where multiple IPsec SAs are seen for
> the same tunnel.
> I had set up two Linux PCs with strongSwan 4.6.2 and with the below
> configurations. I have also attached the pluto logs of both PCs.
>
> I would really appreciate some help.
>
> Thanks,
> Vinay
>
> *PC1:*
> [root@linuxpc2 etc]# cat ipsec.conf
> config setup
>         plutostart=yes
>         plutodebug=controlmore
>         nat_traversal=no
>         uniqueids=no
>         charonstart=yes
>         plutostderrlog=/tmp/plutolog.txt
>         charondebug="dmn 1, mgr 1, ike 1, chd 1, job 1, cfg 1, knl 1, net 1, enc 1, lib 1"
>
> ca rootca0
>         cacert=cacert.pem
>         auto=start
>
> conn %default
>         leftcert=/usr/local/etc/ipsec.d/certs/bts_cert.pem
>         auto=start
>         pfs=no
>         keyingtries=%forever
>         forceencaps=no
>         mobike=no
>
> conn conn100
>         type=tunnel
>         leftsubnet=10.10.10.6/24
>         rightsubnet=10.10.10.7/24
>         left=10.10.10.6
>         right=10.10.10.7
>         keyexchange=ikev1
>         reauth=no
>         ike=3des-sha1-modp1024!
>         ikelifetime=83376s
>         esp=3des-sha1!
>         authby=pubkey
>         rightid=%any
>         keylife=300s
>         dpdaction=restart
>         dpddelay=10s
>         dpdtimeout=120s
>         rekeyfuzz=50%
>         rekeymargin=180s
>         leftprotoport=1
>         rightprotoport=1
>
> *PC2:*
> [root@Fed14 etc]# cat ipsec.conf
> config setup
>         plutostart=yes
>         plutodebug=none
>         nat_traversal=no
>         uniqueids=no
>         charonstart=yes
>         plutostderrlog=/tmp/plutolog.txt
>         charondebug="dmn 1, mgr 1, ike 2, chd 1, job 1, cfg 2, knl 1, net 1, enc 2, lib 1"
>
> ca rootca0
>         cacert=cacert.pem
>
> conn %default
>         leftcert=/etc/ipsec.d/certs/oms_cert.pem
>         auto=add
>         pfs=no
>         keyingtries=%forever
>         forceencaps=no
>         mobike=no
>
> conn conn502
>         type=tunnel
>         leftsubnet=10.10.10.7/24
>         rightsubnet=10.10.10.6/24
>         left=10.10.10.7
>         right=10.10.10.6
>         keyexchange=ikev1
>         reauth=no
>         ike=3des-sha1-modp1024!
>         ikelifetime=83376s
>         esp=3des-sha1!
>         authby=pubkey
>         rightid=%any
>         keylife=86400s
>         dpdaction=restart
>         dpddelay=10s
>         dpdtimeout=120s
>         rekeyfuzz=50%
>         rekeymargin=180s
>         leftprotoport=1
>         rightprotoport=1
>
> *Statusall of PC1:*
> [root@linuxpc2 etc]# ipsec statusall
> 000 Status of IKEv1 pluto daemon (strongSwan 4.6.2):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth1/eth1 10.10.10.6:500
> 000 interface eth2/eth2 10.125.40.64:500
> 000 interface virbr0/virbr0 192.168.122.1:500
> 000 %myid = '%any'
> 000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
> 000 debug options: controlmore
> 000
> 000 "conn100": 10.10.10.0/24===10.10.10.6[C=IN, ST=BLR, O=Wipro Technologies, OU=RA, CN=ftm]:1/0...10.10.10.7[10.10.10.7]:1/0===10.10.10.0/24; erouted; eroute owner: #6
> 000 "conn100":   CAs: "O=Wipro Technologies, OU=RA, [email protected], L=BLR, ST=BLR, C=IN, CN=NSN ODC Test CA"...%any
> 000 "conn100":   ike_life: 83376s; ipsec_life: 300s; rekey_margin: 180s; rekey_fuzz: 50%; keyingtries: 0
> 000 "conn100":   dpd_action: restart; dpd_delay: 10s; dpd_timeout: 120s;
> 000 "conn100":   policy: PUBKEY+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth1;
> 000 "conn100":   newest ISAKMP SA: #1; newest IPsec SA: #6;
> 000 "conn100":   IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
> 000 "conn100":   ESP proposal: 3DES_CBC/HMAC_SHA1/<N/A>
> 000
> 000 #6: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 70s; newest IPSEC; eroute owner
> 000 #6: "conn100" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
> 000 #5: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 231s
> 000 #5: "conn100" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
> 000 #4: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 185s
> 000 #4: "conn100" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
> 000 #3: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 138s
> 000 #3: "conn100" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
> 000 #2: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 85s
> 000 #2: "conn100" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
> 000 #1: "conn100" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 82911s; newest ISAKMP; DPD active
> 000
> Status of IKEv2 charon daemon (strongSwan 4.6.2):
>   uptime: 3 minutes, since Jun 13 15:39:21 2012
>   malloc: sbrk 135168, mmap 0, used 76544, free 58624
>   worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
> Listening IP addresses:
>   10.10.10.6
>   10.125.40.64
>   192.168.122.1
> Connections:
> Security Associations (0 up, 0 connecting):
>   none
>
> *Statusall of PC2:*
> [root@Fed14 etc]# ipsec statusall
> 000 Status of IKEv1 pluto daemon (strongSwan 4.6.2):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth1/eth1 10.10.10.7:500
> 000 interface eth0/eth0 10.125.47.47:500
> 000 interface eth2/eth2 20.20.20.2:500
> 000 interface eth1.400/eth1.400 12.1.1.10:500
> 000 interface eth1.500/eth1.500 16.1.1.10:500
> 000 interface eth2.400/eth2.400 11.1.1.1:500
> 000 interface eth2.500/eth2.500 22.1.1.1:500
> 000 %myid = '%any'
> 000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
> 000 debug options: none
> 000
> 000 "conn502": 10.10.10.0/24===10.10.10.7[C=IN, ST=BLR, O=Wipro Technologies, OU=RA, CN=oms]:1/0...10.10.10.6[10.10.10.6]:1/0===10.10.10.0/24; erouted; eroute owner: #6
> 000 "conn502":   CAs: "O=Wipro Technologies, OU=RA, [email protected], L=BLR, ST=BLR, C=IN, CN=NSN ODC Test CA"...%any
> 000 "conn502":   ike_life: 83376s; ipsec_life: 86400s; rekey_margin: 180s; rekey_fuzz: 50%; keyingtries: 0
> 000 "conn502":   dpd_action: restart; dpd_delay: 10s; dpd_timeout: 120s;
> 000 "conn502":   policy: PUBKEY+ENCRYPT+TUNNEL; prio: 24,24; interface: eth1;
> 000 "conn502":   newest ISAKMP SA: #1; newest IPsec SA: #6;
> 000 "conn502":   IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
> 000 "conn502":   ESP proposal: 3DES_CBC/HMAC_SHA1/<N/A>
> 000
> 000 #6: "conn502" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 202s; newest IPSEC; eroute owner
> 000 #6: "conn502" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
> 000 #5: "conn502" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 149s
> 000 #5: "conn502" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
> 000 #4: "conn502" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 103s
> 000 #4: "conn502" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
> 000 #3: "conn502" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 55s
> 000 #3: "conn502" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
> 000 #2: "conn502" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3s
> 000 #2: "conn502" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
> 000 #1: "conn502" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 83079s; newest ISAKMP; DPD active
> 000
> Status of IKEv2 charon daemon (strongSwan 4.6.2):
>   uptime: 3 minutes, since Jun 13 15:40:12 2012
>   malloc: sbrk 135168, mmap 0, used 81296, free 53872
>   worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
> Listening IP addresses:
>   10.10.10.7
>   10.125.47.47
>   20.20.20.2
>   12.1.1.10
>   16.1.1.10
>   11.1.1.1
>   22.1.1.1
> Connections:
> Security Associations (0 up, 0 connecting):
>   none
>

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
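The rekeying arithmetic and the resulting SA overlap, worked through in code so the effect of any keylife/rekeymargin/rekeyfuzz combination can be checked before it goes into ipsec.conf. This is an added example, not part of the mailing-list thread and not strongSwan code; it assumes the model stated in the reply above (the margin is randomly enlarged by up to rekeyfuzz of itself, so rekeying starts between keylife - rekeymargin*(1+fuzz) and keylife - rekeymargin), and the names RekeyParams, rekey_window, schedule and peak_concurrent_sas are the example's own. It also goes beyond the single case in the thread by comparing PC1's 300s lifetime with PC2's 86400s lifetime under the same margin and fuzz.

```python
"""Estimate the Quick Mode rekeying window and the number of concurrently
installed IPsec SAs for strongSwan-style keylife / rekeymargin / rekeyfuzz.

Model (assumption, taken from the reply above): rekeying of an SA starts at
    keylife - rekeymargin * (1 + r),   r uniform in [0, rekeyfuzz]
so the window is [keylife - rekeymargin*(1+fuzz), keylife - rekeymargin]
and the expected start is keylife - rekeymargin*(1 + fuzz/2).
"""
import math
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RekeyParams:
    keylife: int       # seconds; keylife= in ipsec.conf, ipsec_life in statusall
    rekeymargin: int   # seconds; rekeymargin= in ipsec.conf
    rekeyfuzz: float   # fraction; 0.5 stands for rekeyfuzz=50%


def margin_fits(p: RekeyParams) -> bool:
    """Even the largest possible margin must leave a positive delay before
    the first rekeying; otherwise every SA is rekeyed immediately."""
    return p.rekeymargin * (1 + p.rekeyfuzz) < p.keylife


def rekey_window(p: RekeyParams) -> Tuple[float, float, float]:
    """(earliest, latest, mean) seconds after establishment at which
    rekeying of an SA starts."""
    if not margin_fits(p):
        raise ValueError("rekeymargin*(1+rekeyfuzz) must be below keylife")
    earliest = p.keylife - p.rekeymargin * (1 + p.rekeyfuzz)
    latest = p.keylife - p.rekeymargin
    mean = p.keylife - p.rekeymargin * (1 + p.rekeyfuzz / 2)
    return earliest, latest, mean


def peak_concurrent_sas(p: RekeyParams) -> int:
    """Closed-form estimate at the mean delay: a new SA is created every
    `mean` seconds while each one stays installed for `keylife` seconds."""
    _, _, mean = rekey_window(p)
    return math.ceil(p.keylife / mean)


# Event tuple: (time, order, label). order 0 = expiry, 1 = establishment, so
# an SA expiring at the same instant a new one appears is counted as gone
# first (SA#1 and SA#5 at 300s in the table above).
Event = Tuple[float, int, str]


def schedule(p: RekeyParams, horizon: float,
             rng: Optional[random.Random] = None) -> List[Event]:
    """Simulate establishment and expiry events for every SA set up before
    `horizon`. rng=None uses the mean delay (deterministic, reproducing the
    table above); with an rng the delay is drawn uniformly from the window."""
    earliest, latest, mean = rekey_window(p)
    events: List[Event] = []
    t, n = 0.0, 1
    while t < horizon:
        events.append((t, 1, f"SA#{n} established"))
        events.append((t + p.keylife, 0, f"SA#{n} expires"))
        t += mean if rng is None else rng.uniform(earliest, latest)
        n += 1
    return sorted(events)


def peak_from_schedule(events: List[Event]) -> int:
    """Sweep the sorted events and return the largest number of SAs that
    were installed at the same time."""
    live = peak = 0
    for _, order, _label in events:
        live += 1 if order == 1 else -1
        peak = max(peak, live)
    return peak


if __name__ == "__main__":
    pc1 = RekeyParams(keylife=300, rekeymargin=180, rekeyfuzz=0.5)    # conn100 above
    pc2 = RekeyParams(keylife=86400, rekeymargin=180, rekeyfuzz=0.5)  # conn502 above
    for name, p in (("PC1", pc1), ("PC2", pc2)):
        lo, hi, mean = rekey_window(p)
        print(f"{name}: rekeying starts between {lo:.0f}s and {hi:.0f}s "
              f"(mean {mean:.0f}s); up to {peak_concurrent_sas(p)} concurrent SAs")
    print("\n  Time   Event")
    for t, _, label in schedule(pc1, horizon=301):
        print(f"  {t:4.0f}s   {label}")
    fuzzed = schedule(pc1, horizon=3600, rng=random.Random(1))
    print(f"\nwith random fuzz over one hour: peak {peak_from_schedule(fuzzed)} SAs")
```

For PC1 the window comes out as 30s to 120s with a mean of 75s and a peak of four installed SAs, exactly the schedule in the reply; for PC2's 86400s lifetime the same margin and fuzz give a peak of two, which is the normal brief overlap during a rekey. The margin_fits check catches the degenerate case where rekeymargin*(1+rekeyfuzz) reaches keylife and every SA would be rekeyed as soon as it is installed.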
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
