Hi Andreas,

Thank you for the reply.

If this is the case, how is it different from IKEv2? With the same configuration but in IKEv2, multiple SAs are not seen.

Thanks and Regards,
Vinay

-----Original Message-----
From: Andreas Steffen [mailto:[email protected]]
Sent: Wednesday, June 13, 2012 4:50 PM
To: Vinay Prabhakar M (WT01 - GMT-Telecom Equipment)
Cc: [email protected]
Subject: Re: [strongSwan] IKEv1 strongswan status showing multiple IPSec SAs for the same tunnel

Hello Vinay,

your rekeying parameters are most unusual:

  keylife=300s
  rekeymargin=180s
  rekeyfuzz=50%

This means that Quick Mode rekeying starts between 300s - 1.5*180s = 30s and 300s - 180s = 120s after the establishment of an IPsec SA, with an expected mean value of 300s - 1.25*180s = 75s. This gives the following rekeying schedule:

  Time   Quick Mode
  0s     SA#1
  75s    SA#2 (rekeying of SA#1)
  150s   SA#3 (rekeying of SA#2)
  225s   SA#4 (rekeying of SA#3)
  300s   SA#1 expires and is deleted
  300s   SA#5 (rekeying of SA#4)

As you can easily see, 4 concurrent IPsec SAs are to be expected with your rekeying settings.

Best regards

Andreas

On 13.06.2012 12:55, [email protected] wrote:
> Hi,
>
> I am facing an issue with IKEv1 where multiple IPSec SAs are seen for the same tunnel.
> I had set up two Linux PCs with strongswan 4.6.2 and with the below configurations. Have also attached plutologs of both the PCs.
>
> I would really appreciate some help.
>
> Thanks,
> Vinay
>
> *PC1:*
> [root@linuxpc2 etc]# cat ipsec.conf
> config setup
>     plutostart=yes
>     plutodebug=controlmore
>     nat_traversal=no
>     uniqueids=no
>     charonstart=yes
>     plutostderrlog=/tmp/plutolog.txt
>     charondebug="dmn 1, mgr 1, ike 1, chd 1, job 1, cfg 1, knl 1, net 1, enc 1, lib 1"
>
> ca rootca0
>     cacert=cacert.pem
>     auto=start
>
> conn %default
>     leftcert=/usr/local/etc/ipsec.d/certs/bts_cert.pem
>     auto=start
>     pfs=no
>     keyingtries=%forever
>     forceencaps=no
>     mobike=no
>
> conn conn100
>     type=tunnel
>     leftsubnet=10.10.10.6/24
>     rightsubnet=10.10.10.7/24
>     left=10.10.10.6
>     right=10.10.10.7
>     keyexchange=ikev1
>     reauth=no
>     ike=3des-sha1-modp1024!
>     ikelifetime=83376s
>     esp=3des-sha1!
>     authby=pubkey
>     rightid=%any
>     keylife=300s
>     dpdaction=restart
>     dpddelay=10s
>     dpdtimeout=120s
>     rekeyfuzz=50%
>     rekeymargin=180s
>     leftprotoport=1
>     rightprotoport=1
>
> *PC2:*
> [root@Fed14 etc]# cat ipsec.conf
> config setup
>     plutostart=yes
>     plutodebug=none
>     nat_traversal=no
>     uniqueids=no
>     charonstart=yes
>     plutostderrlog=/tmp/plutolog.txt
>     charondebug="dmn 1, mgr 1, ike 2, chd 1, job 1, cfg 2, knl 1, net 1, enc 2, lib 1"
>
> ca rootca0
>     cacert=cacert.pem
>
> conn %default
>     leftcert=/etc/ipsec.d/certs/oms_cert.pem
>     auto=add
>     pfs=no
>     keyingtries=%forever
>     forceencaps=no
>     mobike=no
>
> conn conn502
>     type=tunnel
>     leftsubnet=10.10.10.7/24
>     rightsubnet=10.10.10.6/24
>     left=10.10.10.7
>     right=10.10.10.6
>     keyexchange=ikev1
>     reauth=no
>     ike=3des-sha1-modp1024!
>     ikelifetime=83376s
>     esp=3des-sha1!
>     authby=pubkey
>     rightid=%any
>     keylife=86400s
>     dpdaction=restart
>     dpddelay=10s
>     dpdtimeout=120s
>     rekeyfuzz=50%
>     rekeymargin=180s
>     leftprotoport=1
>     rightprotoport=1
>
> *Statusall of PC1:*
> [root@linuxpc2 etc]# ipsec statusall
> 000 Status of IKEv1 pluto daemon (strongSwan 4.6.2):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth1/eth1 10.10.10.6:500
> 000 interface eth2/eth2 10.125.40.64:500
> 000 interface virbr0/virbr0 192.168.122.1:500
> 000 %myid = '%any'
> 000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
> 000 debug options: controlmore
> 000
> 000 "conn100": 10.10.10.0/24===10.10.10.6[C=IN, ST=BLR, O=Wipro Technologies, OU=RA, CN=ftm]:1/0...10.10.10.7[10.10.10.7]:1/0===10.10.10.0/24; erouted; eroute owner: #6
> 000 "conn100": CAs: "O=Wipro Technologies, OU=RA, [email protected], L=BLR, ST=BLR, C=IN, CN=NSN ODC Test CA"...%any
> 000 "conn100": ike_life: 83376s; ipsec_life: 300s; rekey_margin: 180s; rekey_fuzz: 50%; keyingtries: 0
> 000 "conn100": dpd_action: restart; dpd_delay: 10s; dpd_timeout: 120s;
> 000 "conn100": policy: PUBKEY+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth1;
> 000 "conn100": newest ISAKMP SA: #1; newest IPsec SA: #6;
> 000 "conn100": IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
> 000 "conn100": ESP proposal: 3DES_CBC/HMAC_SHA1/<N/A>
> 000
> 000 #6: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 70s; newest IPSEC; eroute owner
> 000 #6: "conn100" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
> 000 #5: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 231s
> 000 #5: "conn100" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
> 000 #4: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 185s
> 000 #4: "conn100" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
> 000 #3: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 138s
> 000 #3: "conn100" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
> 000 #2: "conn100" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 85s
> 000 #2: "conn100" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
> 000 #1: "conn100" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 82911s; newest ISAKMP; DPD active
> 000
> Status of IKEv2 charon daemon (strongSwan 4.6.2):
>   uptime: 3 minutes, since Jun 13 15:39:21 2012
>   malloc: sbrk 135168, mmap 0, used 76544, free 58624
>   worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
> Listening IP addresses:
>   10.10.10.6
>   10.125.40.64
>   192.168.122.1
> Connections:
> Security Associations (0 up, 0 connecting):
>   none
>
> *Statusall of PC2:*
> [root@Fed14 etc]# ipsec statusall
> 000 Status of IKEv1 pluto daemon (strongSwan 4.6.2):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth1/eth1 10.10.10.7:500
> 000 interface eth0/eth0 10.125.47.47:500
> 000 interface eth2/eth2 20.20.20.2:500
> 000 interface eth1.400/eth1.400 12.1.1.10:500
> 000 interface eth1.500/eth1.500 16.1.1.10:500
> 000 interface eth2.400/eth2.400 11.1.1.1:500
> 000 interface eth2.500/eth2.500 22.1.1.1:500
> 000 %myid = '%any'
> 000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
> 000 debug options: none
> 000
> 000 "conn502": 10.10.10.0/24===10.10.10.7[C=IN, ST=BLR, O=Wipro Technologies, OU=RA, CN=oms]:1/0...10.10.10.6[10.10.10.6]:1/0===10.10.10.0/24; erouted; eroute owner: #6
> 000 "conn502": CAs: "O=Wipro Technologies, OU=RA, [email protected], L=BLR, ST=BLR, C=IN, CN=NSN ODC Test CA"...%any
> 000 "conn502": ike_life: 83376s; ipsec_life: 86400s; rekey_margin: 180s; rekey_fuzz: 50%; keyingtries: 0
> 000 "conn502": dpd_action: restart; dpd_delay: 10s; dpd_timeout: 120s;
> 000 "conn502": policy: PUBKEY+ENCRYPT+TUNNEL; prio: 24,24; interface: eth1;
> 000 "conn502": newest ISAKMP SA: #1; newest IPsec SA: #6;
> 000 "conn502": IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
> 000 "conn502": ESP proposal: 3DES_CBC/HMAC_SHA1/<N/A>
> 000
> 000 #6: "conn502" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 202s; newest IPSEC; eroute owner
> 000 #6: "conn502" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
> 000 #5: "conn502" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 149s
> 000 #5: "conn502" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
> 000 #4: "conn502" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 103s
> 000 #4: "conn502" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
> 000 #3: "conn502" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 55s
> 000 #3: "conn502" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
> 000 #2: "conn502" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3s
> 000 #2: "conn502" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
> 000 #1: "conn502" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 83079s; newest ISAKMP; DPD active
> 000
> Status of IKEv2 charon daemon (strongSwan 4.6.2):
>   uptime: 3 minutes, since Jun 13 15:40:12 2012
>   malloc: sbrk 135168, mmap 0, used 81296, free 53872
>   worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
> Listening IP addresses:
>   10.10.10.7
>   10.125.47.47
>   20.20.20.2
>   12.1.1.10
>   16.1.1.10
>   11.1.1.1
>   22.1.1.1
> Connections:
> Security Associations (0 up, 0 connecting):
>   none

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
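The rekey arithmetic from Andreas's reply, as an added example that is not part of the thread or of strongSwan itself: a small Python model that derives the Quick Mode rekey window from keylife/rekeymargin/rekeyfuzz, replays the schedule he tabulates (old SA kept until its hard expiry), and gives the steady-state number of overlapping IPsec SAs. The class and function names are my own; the parameter values are the ones from conn100.

```python
# Added example (not strongSwan code): models the pluto rekeying arithmetic
# from the thread. Rekeying starts in [keylife - margin*(1+fuzz), keylife - margin]
# after an SA comes up; the superseded SA lives on until its hard keylife expiry.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class RekeyParams:
    keylife: int      # ipsec_life in seconds (keylife=300s in conn100)
    rekeymargin: int  # rekey_margin in seconds (rekeymargin=180s)
    rekeyfuzz: float  # rekey_fuzz as a fraction (50% -> 0.5)

def rekey_window(p: RekeyParams) -> tuple[float, float, float]:
    """(earliest, latest, mean) seconds after establishment at which rekeying starts."""
    latest = p.keylife - p.rekeymargin
    earliest = p.keylife - p.rekeymargin * (1 + p.rekeyfuzz)
    mean = p.keylife - p.rekeymargin * (1 + p.rekeyfuzz / 2)
    return earliest, latest, mean

def schedule(p: RekeyParams, horizon: int) -> list[tuple[int, str]]:
    """Events up to `horizon` seconds when every SA is rekeyed at the mean time;
    an expiry and a rekeying at the same instant are listed expiry first."""
    _, _, mean = rekey_window(p)
    events, alive, sa, t = [], [], 1, 0.0
    while t <= horizon:
        for t0, n in [x for x in alive if x[0] + p.keylife <= t]:
            events.append((round(t0 + p.keylife), f"SA#{n} expires and is deleted"))
            alive.remove((t0, n))
        label = f"SA#{sa}" if sa == 1 else f"SA#{sa} (rekeying of SA#{sa - 1})"
        events.append((round(t), label))
        alive.append((t, sa))
        sa, t = sa + 1, t + mean
    for t0, n in alive:  # hard expiries after the last rekeying but before horizon
        if t0 + p.keylife <= horizon:
            events.append((round(t0 + p.keylife), f"SA#{n} expires and is deleted"))
    return sorted(events, key=lambda e: e[0])  # stable sort keeps expiry-before-rekey

def expected_concurrent_sas(p: RekeyParams) -> int:
    """Number of IPsec SAs alive at once in steady state (4 for the thread's values)."""
    _, _, mean = rekey_window(p)
    return math.ceil(p.keylife / mean)

if __name__ == "__main__":
    p = RekeyParams(keylife=300, rekeymargin=180, rekeyfuzz=0.5)
    print("rekey window (earliest, latest, mean):", rekey_window(p))
    for when, what in schedule(p, 300):
        print(f"{when:>4}s  {what}")
    print("expected concurrent IPsec SAs:", expected_concurrent_sas(p))
```

With PC2's keylife=86400s and the same margin and fuzz the model returns 2, i.e. only the short overlap of old and new SA around each rekeying.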
