=======                        ==========                        ======
|  AP | <====================> | router | <====================> | GW |
=======                        ==========                        ======
First of all, the CHILD_SA fap-psk is established between the AP and the GW, and
the GW shows me this message:
******************************************************
Jan 31 19:44:47 (none) daemon.info charon: 78[IKE] CHILD_SA fap-psk{3} established with SPIs ca0b653f_i c1c43dbb_o and TS 10.1.0.0/16 172.16.15.0/24 === 10.23.100.1/32
Jan 31 19:44:47 (none) authpriv.info charon: 78[IKE] CHILD_SA fap-psk{3} established with SPIs ca0b653f_i c1c43dbb_o and TS 10.1.0.0/16 172.16.15.0/24 === 10.23.100.1/32
******************************************************
Then I restarted the AP and found that the IPsec tunnel could not be established
as usual. I checked the GW's messages:
******************************************************
Jan 31 19:49:18 (none) daemon.info charon: 130[KNL] unable to add SAD entry with SPI c1c43dbb: File exists (17)
Jan 31 19:49:18 (none) daemon.info charon: 130[IKE] unable to install outbound IPsec SA (SAD) in kernel
******************************************************
The SPI c1c43dbb is the same as last time.
But a minute later, the AP sent the init packet for IPsec again, and this time
they could establish the IPsec tunnel with a different SPI.
My questions are:
1. After being restarted, is the AP allowed to send the same SPI?
2. Why could they not establish the IPsec tunnel with the same SPI?
3. If the AP always sends the same SPI to the GW, will they never be able to
establish the IPsec tunnel? How can this situation be avoided?
thx~~
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
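As an added example (not part of the original post and not strongSwan's own code), the following Python replays charon log lines like the ones quoted above and flags a SAD install that failed with EEXIST (errno 17) because the SPI is still occupied by an earlier CHILD_SA that was never closed on this host. The sample lines are constructed from the excerpts in the post; the timestamp and SPIs of the re-established fap-psk{4} are invented, and the "closing CHILD_SA ... with SPIs" wording is assumed to match charon's usual message for a clean CHILD_SA delete.

```python
"""Spot SPI collisions in strongSwan charon logs (added example, not from the post)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the excerpts in the post. The last line (the
# re-established CHILD_SA with fresh SPIs) is invented for illustration.
SAMPLE_LOG = """\
Jan 31 19:44:47 (none) daemon.info charon: 78[IKE] CHILD_SA fap-psk{3} established with SPIs ca0b653f_i c1c43dbb_o and TS 10.1.0.0/16 172.16.15.0/24 === 10.23.100.1/32
Jan 31 19:49:18 (none) daemon.info charon: 130[KNL] unable to add SAD entry with SPI c1c43dbb: File exists (17)
Jan 31 19:49:18 (none) daemon.info charon: 130[IKE] unable to install outbound IPsec SA (SAD) in kernel
Jan 31 19:50:22 (none) daemon.info charon: 131[IKE] CHILD_SA fap-psk{4} established with SPIs 1f2e3d4c_i 9a8b7c6d_o and TS 10.1.0.0/16 172.16.15.0/24 === 10.23.100.1/32
"""

TIMESTAMP = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)")
ESTABLISHED = re.compile(
    r"CHILD_SA (?P<name>\S+)\{(?P<id>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]{8})_i (?P<spi_out>[0-9a-f]{8})_o")
# Assumed wording of charon's message when a CHILD_SA is deleted cleanly.
CLOSING = re.compile(
    r"closing CHILD_SA (?P<name>\S+)\{(?P<id>\d+)\} with SPIs "
    r"(?P<spi_in>[0-9a-f]{8})_i (?P<spi_out>[0-9a-f]{8})_o")
SAD_FAILED = re.compile(
    r"unable to add SAD entry with SPI (?P<spi>[0-9a-f]{8}): "
    r"(?P<reason>.+?) \((?P<errno>\d+)\)")


@dataclass
class LiveSa:
    child: str      # e.g. "fap-psk{3}"
    direction: str  # "in" or "out", from the logging host's point of view
    since: str      # timestamp of the "established" line


@dataclass
class Collision:
    ts: str
    spi: str
    errno: int
    held_by: Optional[LiveSa]  # the SA still occupying that SPI, if we saw it


def replay(log: str):
    """Walk the log once; return (live SPI table, list of failed SAD installs)."""
    live: Dict[str, LiveSa] = {}
    collisions: List[Collision] = []
    for line in log.splitlines():
        m_ts = TIMESTAMP.match(line)
        ts = m_ts.group("ts") if m_ts else "?"
        if m := ESTABLISHED.search(line):
            child = f"{m['name']}{{{m['id']}}}"
            live[m["spi_in"]] = LiveSa(child, "in", ts)
            live[m["spi_out"]] = LiveSa(child, "out", ts)
        elif m := CLOSING.search(line):
            # A clean delete frees both SPIs; a peer reboot never produces this line.
            live.pop(m["spi_in"], None)
            live.pop(m["spi_out"], None)
        elif m := SAD_FAILED.search(line):
            # held_by is non-None exactly when the kernel still has an SA with
            # this SPI that charon never tore down: the stale-SA case.
            collisions.append(
                Collision(ts, m["spi"], int(m["errno"]), live.get(m["spi"])))
    return live, collisions


def find_spi_collisions(log: str) -> List[Collision]:
    return replay(log)[1]


def stale_spis(log: str) -> Dict[str, LiveSa]:
    """SPIs still installed at the end of the log; compare with `ip xfrm state`."""
    return replay(log)[0]


def describe(c: Collision) -> str:
    if c.held_by is None:
        return f"{c.ts}: SAD install failed for SPI {c.spi} (errno {c.errno}), holder unknown"
    return (f"{c.ts}: SPI {c.spi} rejected (errno {c.errno}); still held by "
            f"{c.held_by.child} {c.held_by.direction}bound SA since {c.held_by.since}")


if __name__ == "__main__":
    for col in find_spi_collisions(SAMPLE_LOG):
        print(describe(col))
```

Run against the sample, the single finding points at fap-psk{3}'s outbound SA, established at 19:44:47 and never closed, as the owner of c1c43dbb. On a real gateway the `stale_spis` table is the set to cross-check against `ip xfrm state`: any SPI present there that does not belong to a currently established CHILD_SA is a leftover the peer can collide with after a reboot.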