On Tue, 10 Feb 2015 01:02:17 +0100
 Noel Kuntze <[email protected]> wrote:

> <SNIP>

> This advice applies to all connections and is good advice in general.

Thanks for the advice (specifically to set only one end of the tunnel to dpdaction=restart), Noel. I have done this, but I am still seeing multiple child SAs spring up:

[root@ipfire ~]# ipsec statusall HostB
Status of IKE charon daemon (strongSwan 5.2.0, Linux 3.10.44-ipfire, i686):
  uptime: 17 hours, since Feb 11 19:30:06 2015
  malloc: sbrk 525200, mmap 0, used 387408, free 137792
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 60
  loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-noauth dhcp
Listening IP addresses:
  10.100.0.1
  IPA.DDR.ESS.A
  IPA.DDR.ESS.A2
  IPA.DDR.ESS.A3
  10.100.1.1
Connections:
       HostB:  IPA.DDR.ESS.A...IPA.DDR.ESS.B  IKEv2, dpddelay=120s
       HostB:   local:  [C=US, ST=UT, O=MyOrg, OU=Engineering Dept, CN=MyOrg.com] uses public key authentication
       HostB:    cert:  "C=US, ST=UT, O=MyOrg, OU=Engineering Dept, CN=MyOrg.com"
       HostB:   remote: [C=US, ST=UT, O=MyOrg, OU=Engineering Dept, CN=HostB.MyOrg.com] uses public key authentication
       HostB:    cert:  "C=US, ST=UT, O=MyOrg, OU=Engineering Dept, CN=HostB.MyOrg.com"
       HostB:   child:  10.100.0.0/23 === 10.2.0.0/16 TUNNEL, dpdaction=clear
Routed Connections:
  HostB{10}:  ROUTED, TUNNEL
  HostB{10}:   10.100.0.0/23 === 10.2.0.0/16
Security Associations (15 up, 0 connecting):
  HostB[164]: ESTABLISHED 2 hours ago, IPA.DDR.ESS.A[C=US, ST=UT, O=MyOrg, OU=Engineering Dept, CN=MyOrg.com]...IPA.DDR.ESS.B[C=US, ST=UT, O=MyOrg, OU=Engineering Dept, CN=HostB.MyOrg.com]
  HostB[164]: IKEv2 SPIs: 1083250bd152df93_i aa0b0cf822e2a48a_r*, public key reauthentication in 5 hours
  HostB[164]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_512_BP
   HostB{10}:  INSTALLED, TUNNEL, ESP SPIs: ca493aee_i cd5a7958_o, IPCOMP CPIs: b621_i e57d_o
   HostB{10}:  AES_CBC_256/HMAC_SHA2_256_128, 530419 bytes_i (3503 pkts, 0s ago), 1580851 bytes_o (3824 pkts, 0s ago), rekeying in 29 minutes
  HostB{10}:   10.100.0.0/23 === 10.2.0.0/16
   HostB{10}:  INSTALLED, TUNNEL, ESP SPIs: c8746473_i c4dd84bb_o, IPCOMP CPIs: 3ac6_i 3e51_o
   HostB{10}:  AES_CBC_256/HMAC_SHA2_256_128, 2917676 bytes_i (32813 pkts, 0s ago), 2781420 bytes_o (32677 pkts, 0s ago), rekeying in 31 minutes
  HostB{10}:   10.100.0.0/23 === 10.2.0.0/16
   HostB{10}:  INSTALLED, TUNNEL, ESP SPIs: ca68d731_i cbc5df84_o, IPCOMP CPIs: 1d57_i 6be8_o
   HostB{10}:  AES_CBC_256/HMAC_SHA2_256_128, 2658017 bytes_i (28452 pkts, 0s ago), 2816354 bytes_o (28267 pkts, 0s ago), rekeying in 38 minutes
  HostB{10}:   10.100.0.0/23 === 10.2.0.0/16


Also, I noticed that these three Child SAs were all set to expire and they all re-keyed. They will all stay open (and even multiply) as long as the tunnel stays up. If I force it down and then bring it back up, it will come back up with only one SA, and others will show up on a seemingly random basis. I had originally thought that a new SA was created each time it rekeyed phase2, but there were three before the last re-key and three after, so I am not flummoxed.

Is this just normal behavior, or am I missing something? The other side looks like this:

[root@HostB ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.10.44-ipfire-pae, i686):
  uptime: 10 days, since Feb 01 15:21:58 2015
  malloc: sbrk 394896, mmap 0, used 242208, free 152688
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-noauth dhcp
Listening IP addresses:
  10.2.0.1
  IPA.DDR.ESS.B
Connections:
        Data:  IPA.DDR.ESS.B...IPA.DDR.ESS.A  IKEv2, dpddelay=120s
        Data:   local:  [C=US, ST=UT, O=MyOrg, OU=Engineering Dept, CN=HostB.MyOrg.com] uses public key authentication
        Data:    cert:  "C=US, ST=UT, O=MyOrg, OU=Engineering Dept, CN=HostB.MyOrg.com"
        Data:   remote: [C=US, ST=UT, O=MyOrg, OU=Engineering Dept, CN=MyOrg.com] uses public key authentication
        Data:    cert:  "C=US, ST=UT, O=MyOrg, OU=Engineering Dept, CN=MyOrg.com"
        Data:   child:  10.2.0.0/16 === 10.100.0.0/23 TUNNEL, dpdaction=restart
Routed Connections:
        Data{23}:  ROUTED, TUNNEL
        Data{23}:   10.2.0.0/16 === 10.100.0.0/23
Security Associations (1 up, 0 connecting):
    Data[74]: ESTABLISHED 2 hours ago, IPA.DDR.ESS.B[C=US, ST=UT, O=MyOrg, OU=Engineering Dept, CN=HostB.MyOrg.com]...IPA.DDR.ESS.A[C=US, ST=UT, O=MyOrg, OU=Engineering Dept, CN=MyOrg.com]
    Data[74]: IKEv2 SPIs: 1083250bd152df93_i* aa0b0cf822e2a48a_r, public key reauthentication in 4 hours
    Data[74]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_512_BP
    Data{23}:  INSTALLED, TUNNEL, ESP SPIs: cd5a7958_i ca493aee_o, IPCOMP CPIs: e57d_i b621_o
    Data{23}:  AES_CBC_256/HMAC_SHA2_256_128, 1580851 bytes_i (3824 pkts, 0s ago), 530419 bytes_o (3503 pkts, 0s ago), rekeying in 8 minutes
        Data{23}:   10.2.0.0/16 === 10.100.0.0/23
    Data{23}:  INSTALLED, TUNNEL, ESP SPIs: c4dd84bb_i c8746473_o, IPCOMP CPIs: 3e51_i 3ac6_o
    Data{23}:  AES_CBC_256/HMAC_SHA2_256_128, 2781300 bytes_i (32675 pkts, 0s ago), 2917676 bytes_o (32813 pkts, 0s ago), rekeying in 11 minutes
        Data{23}:   10.2.0.0/16 === 10.100.0.0/23
    Data{23}:  INSTALLED, TUNNEL, ESP SPIs: cbc5df84_i ca68d731_o, IPCOMP CPIs: 6be8_i 1d57_o
    Data{23}:  AES_CBC_256/HMAC_SHA2_256_128, 11157640 bytes_i (99787 pkts, 0s ago), 9056257 bytes_o (99744 pkts, 0s ago), rekeying in 14 minutes
        Data{23}:   10.2.0.0/16 === 10.100.0.0/23


> Furthermore, please take care to always address the list as well, not just me.

Yes, my apologies, I am accustomed to lists that automatically set the reply-to address to be the list.

Tom
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
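Spotting the situation Tom describes by eye (several INSTALLED CHILD_SAs with identical traffic selectors under one IKE SA, each with its own ESP SPI pair and rekey timer) gets tedious once `ipsec statusall` grows past a screen. The following is an added example, not code from the thread or from the strongSwan project: a small parser for the `Security Associations` section of `ipsec statusall` that groups installed CHILD_SAs by IKE SA and selector pair and reports any group with more than one member. The sample status text is constructed from the output quoted above (the SPIs are the ones shown there; `IPA.DDR.ESS.A`/`.B` are the thread's own placeholders), the regular expressions are my assumptions about the 5.2.x output layout, and nothing in the block changes SA state; it only reads the text.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the `ipsec statusall HostB` output quoted in the
# thread (SPIs copied from there; addresses are the thread's own placeholders).
SAMPLE_STATUS = """\
Connections:
       HostB:  IPA.DDR.ESS.A...IPA.DDR.ESS.B  IKEv2, dpddelay=120s
       HostB:   child:  10.100.0.0/23 === 10.2.0.0/16 TUNNEL, dpdaction=clear
Routed Connections:
   HostB{10}:  ROUTED, TUNNEL
   HostB{10}:   10.100.0.0/23 === 10.2.0.0/16
Security Associations (15 up, 0 connecting):
  HostB[164]: ESTABLISHED 2 hours ago, IPA.DDR.ESS.A[CN=MyOrg.com]...IPA.DDR.ESS.B[CN=HostB.MyOrg.com]
  HostB[164]: IKEv2 SPIs: 1083250bd152df93_i aa0b0cf822e2a48a_r*, public key reauthentication in 5 hours
   HostB{10}:  INSTALLED, TUNNEL, ESP SPIs: ca493aee_i cd5a7958_o, IPCOMP CPIs: b621_i e57d_o
   HostB{10}:  AES_CBC_256/HMAC_SHA2_256_128, 530419 bytes_i (3503 pkts, 0s ago), 1580851 bytes_o (3824 pkts, 0s ago), rekeying in 29 minutes
   HostB{10}:   10.100.0.0/23 === 10.2.0.0/16
   HostB{10}:  INSTALLED, TUNNEL, ESP SPIs: c8746473_i c4dd84bb_o, IPCOMP CPIs: 3ac6_i 3e51_o
   HostB{10}:  AES_CBC_256/HMAC_SHA2_256_128, 2917676 bytes_i (32813 pkts, 0s ago), 2781420 bytes_o (32677 pkts, 0s ago), rekeying in 31 minutes
   HostB{10}:   10.100.0.0/23 === 10.2.0.0/16
   HostB{10}:  INSTALLED, TUNNEL, ESP SPIs: ca68d731_i cbc5df84_o, IPCOMP CPIs: 1d57_i 6be8_o
   HostB{10}:  AES_CBC_256/HMAC_SHA2_256_128, 2658017 bytes_i (28452 pkts, 0s ago), 2816354 bytes_o (28267 pkts, 0s ago), rekeying in 38 minutes
   HostB{10}:   10.100.0.0/23 === 10.2.0.0/16
"""

# Line shapes assumed from the quoted output: "name[ike-id]: ESTABLISHED ...",
# "name{child-id}:  INSTALLED, MODE, ESP SPIs: xxxx_i yyyy_o, ...",
# "... rekeying in N minutes" and "name{child-id}:   local_ts === remote_ts".
IKE_RE = re.compile(r"^\s*(?P<conn>[\w-]+)\[(?P<id>\d+)\]:\s+ESTABLISHED")
CHILD_RE = re.compile(
    r"^\s*(?P<conn>[\w-]+)\{(?P<id>\d+)\}:\s+INSTALLED,\s+(?P<mode>\w+),"
    r"\s+ESP SPIs:\s+(?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o"
)
REKEY_RE = re.compile(r"rekeying in (?P<n>\d+) minutes")
TS_RE = re.compile(r"^\s*(?P<conn>[\w-]+)\{(?P<id>\d+)\}:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)\s*$")


@dataclass
class ChildSA:
    conn: str
    ike_sa: Optional[int]
    spi_in: str
    spi_out: str
    rekey_minutes: Optional[int] = None
    local_ts: str = ""
    remote_ts: str = ""


def parse_child_sas(text: str) -> List[ChildSA]:
    """Return every INSTALLED CHILD_SA, tagged with the IKE SA it was listed under."""
    sas: List[ChildSA] = []
    current_ike: Optional[int] = None
    pending: Optional[ChildSA] = None  # CHILD_SA whose rekey/selector lines are still to come
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            current_ike = int(m.group("id"))
            continue
        m = CHILD_RE.match(line)
        if m:
            pending = ChildSA(m.group("conn"), current_ike, m.group("spi_in"), m.group("spi_out"))
            sas.append(pending)
            continue
        if pending is None:
            continue  # skips the "Routed Connections" selector line, which has no INSTALLED entry
        m = REKEY_RE.search(line)
        if m:
            pending.rekey_minutes = int(m.group("n"))
            continue
        m = TS_RE.match(line)
        if m:
            pending.local_ts, pending.remote_ts = m.group("local"), m.group("remote")
            pending = None  # the selector line closes this CHILD_SA's record
    return sas


GroupKey = Tuple[str, Optional[int], str, str]


def find_duplicate_child_sas(sas: List[ChildSA]) -> Dict[GroupKey, List[ChildSA]]:
    """Group CHILD_SAs by (connection, IKE SA, selectors); keep only groups with more than one."""
    groups: Dict[GroupKey, List[ChildSA]] = defaultdict(list)
    for sa in sas:
        groups[(sa.conn, sa.ike_sa, sa.local_ts, sa.remote_ts)].append(sa)
    return {key: members for key, members in groups.items() if len(members) > 1}


def report(text: str) -> str:
    """Human-readable summary of duplicated CHILD_SAs, one line per SPI pair."""
    dups = find_duplicate_child_sas(parse_child_sas(text))
    if not dups:
        return "no duplicate CHILD_SAs"
    lines = []
    for (conn, ike, lts, rts), members in dups.items():
        lines.append(f"{conn}[{ike}] {lts} === {rts}: {len(members)} installed CHILD_SAs")
        for sa in members:
            lines.append(f"  ESP {sa.spi_in}_i/{sa.spi_out}_o, rekeying in {sa.rekey_minutes} min")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_STATUS))
```

Run against the constructed sample it reports one group, `HostB[164] 10.100.0.0/23 === 10.2.0.0/16` with three installed CHILD_SAs and three distinct rekey timers, which is exactly the pattern to watch for: each extra CHILD_SA carries its own SPI pair and its own lifetime, so they keep rekeying independently for as long as the IKE SA stays up. Feeding the other peer's output through the same parser lets you confirm that the SPIs mirror each other (inbound on one side is outbound on the other), i.e. that both ends really do hold the same three SAs rather than one side having stale state.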
