I have occasionally seen this over the years, and I am not certain if it's anything I should be concerned about. If I start a tunnel named mytunnel, this is what it looks like on the CLI:

[root@mainoffice ~]# ipsec up mytunnel
received packet: from XXX.XXX.XXX.XXX[4500] to YYY.YYY.YYY.YYY[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(1/4) ]
received fragment #1 of 4, waiting for complete IKE message
received packet: from XXX.XXX.XXX.XXX[4500] to YYY.YYY.YYY.YYY[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(2/4) ]
received fragment #2 of 4, waiting for complete IKE message
received packet: from XXX.XXX.XXX.XXX[4500] to YYY.YYY.YYY.YYY[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(3/4) ]
received fragment #3 of 4, waiting for complete IKE message
received packet: from XXX.XXX.XXX.XXX[4500] to YYY.YYY.YYY.YYY[4500] (212 bytes)
parsed IKE_AUTH response 1 [ EF(4/4) ]
received fragment #4 of 4, reassembling fragmented IKE message
parsed IKE_AUTH response 1 [ IDr CERT AUTH N(IPCOMP_SUP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
received end entity cert "C=US, ST=NH, O=MyCompany, OU=Engineering Dept, CN=remoteoffice.mycompany.com"
using trusted ca certificate "C=US, ST=NH, L=mytunnel, O=MyCompany, OU=Engineering Dept, CN=MyCompany CA, E=t...@mycompany.com"
checking certificate status of "C=US, ST=NH, O=MyCompany, OU=Engineering Dept, CN=remoteoffice.mycompany.com"
certificate status is not available
reached self-signed root ca with a path length of 0
using trusted certificate "C=US, ST=NH, O=MyCompany, OU=Engineering Dept, CN=remoteoffice.mycompany.com"
authentication of 'C=US, ST=NH, O=MyCompany, OU=Engineering Dept, CN=remoteoffice.mycompany.com' with RSA_EMSA_PKCS1_SHA256 successful
IKE_SA mytunnel[248] established between YYY.YYY.YYY.YYY[C=US, ST=NH, O=MyCompany, OU=Engineering Dept., CN=mainoffice.mycompany.com]...XXX.XXX.XXX.XXX[C=US, ST=NH, O=MyCompany, OU=Engineering Dept, CN=remoteoffice.mycompany.com]
scheduling reauthentication in 27760s
maximum IKE_SA lifetime 28300s
CHILD_SA mytunnel{6530} established with SPIs c810ef9a_i cbe44831_o and TS 10.100.0.0/23 === 10.8.0.0/23
connection 'mytunnel' established successfully

Then, if I look at the status output for that tunnel, I see two "INSTALLED" entries, even though the tunnel has only been established for 5 seconds. My understanding was that I should only have a new entry show up as "INSTALLED" every time the phase 2 settings are re-keyed, which is every one hour.

[root@mainoffice ~]# ipsec status mytunnel
Routed Connections:
    mytunnel{6454}:  ROUTED, TUNNEL, reqid 181
    mytunnel{6454}:   10.100.0.0/23 === 10.8.0.0/23
Security Associations (25 up, 0 connecting):
    mytunnel[248]: ESTABLISHED 5 seconds ago, YYY.YYY.YYY.YYY[C=US, ST=NH, O=MyCompany, OU=Engineering Dept., CN=mainoffice.mycompany.com]...XXX.XXX.XXX.XXX[C=US, ST=NH, O=MyCompany, OU=Engineering Dept, CN=remoteoffice.mycompany.com]
    mytunnel{6530}:  INSTALLED, TUNNEL, reqid 181, ESP SPIs: c810ef9a_i cbe44831_o, IPCOMP CPIs: 0ff7_i 4f82_o
    mytunnel{6530}:   10.100.0.0/23 === 10.8.0.0/23
    mytunnel{6531}:  INSTALLED, TUNNEL, reqid 181, ESP SPIs: c9c5f628_i c768a908_o, IPCOMP CPIs: d873_i 177f_o
    mytunnel{6531}:   10.100.0.0/23 === 10.8.0.0/23

This is the entry for this tunnel in ipsec.conf:

conn mytunnel
    left=YYY.YYY.YYY.YYY
    leftsubnet=10.100.0.0/23
    leftfirewall=yes
    lefthostaccess=yes
    right=XXX.XXX.XXX.XXX
    rightsubnet=10.8.0.0/23
    leftcert=/var/ipfire/certs/hostcert.pem
    rightcert=/var/ipfire/certs/remoteofficecert.pem
    leftid="@mainoffice.mycompany.com"
    rightid="@remoteoffice.mycompany.com"
    ike=aes256-sha2_512-ecp512bp!
    esp=aes256-sha2_512-ecp512bp!
    keyexchange=ikev2
    ikelifetime=8h
    keylife=1h
    compress=yes
    dpdaction=clear
    dpddelay=30
    dpdtimeout=120
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    auto=route
    fragmentation=yes

I don't know if this is something I should be concerned about, or if it's nothing to worry about, but I wanted to reach out and ask.

Tom

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
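A small check, added here and not part of Tom's post or of strongSwan itself, that parses "ipsec status" output in the format quoted above and reports every connection that has more than one INSTALLED CHILD_SA for the same reqid and traffic selectors, which is exactly the symptom described. The sample text is constructed from the status output in the post; the regexes assume that output layout.

```python
import re
from collections import defaultdict

# Constructed sample of 'ipsec status' output, mirroring the post above.
SAMPLE_STATUS = """\
Routed Connections:
    mytunnel{6454}:  ROUTED, TUNNEL, reqid 181
    mytunnel{6454}:   10.100.0.0/23 === 10.8.0.0/23
Security Associations (25 up, 0 connecting):
    mytunnel[248]: ESTABLISHED 5 seconds ago, YYY.YYY.YYY.YYY[...]...XXX.XXX.XXX.XXX[...]
    mytunnel{6530}:  INSTALLED, TUNNEL, reqid 181, ESP SPIs: c810ef9a_i cbe44831_o, IPCOMP CPIs: 0ff7_i 4f82_o
    mytunnel{6530}:   10.100.0.0/23 === 10.8.0.0/23
    mytunnel{6531}:  INSTALLED, TUNNEL, reqid 181, ESP SPIs: c9c5f628_i c768a908_o, IPCOMP CPIs: d873_i 177f_o
    mytunnel{6531}:   10.100.0.0/23 === 10.8.0.0/23
"""

# CHILD_SA header line: name{id}: STATE, MODE, reqid N[, ESP SPIs: in_i out_o ...]
CHILD_HDR = re.compile(
    r"^\s*(?P<name>[^{\s]+)\{(?P<id>\d+)\}:\s+(?P<state>\w+),\s+\w+,\s+reqid\s+(?P<reqid>\d+)"
    r"(?:.*?ESP SPIs:\s+(?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o)?")
# Follow-up line carrying the traffic selectors: name{id}: TSi === TSr
CHILD_TS = re.compile(r"^\s*(?P<name>[^{\s]+)\{(?P<id>\d+)\}:\s+(?P<ts>\S+\s+===\s+\S+)")


def parse_child_sas(status_text):
    """Return {(conn_name, child_id): {state, reqid, spi_in, spi_out, ts}} for each CHILD_SA."""
    sas = {}
    for line in status_text.splitlines():
        m = CHILD_HDR.match(line)
        if m:
            sas[(m["name"], int(m["id"]))] = {
                "state": m["state"], "reqid": int(m["reqid"]),
                "spi_in": m["spi_in"], "spi_out": m["spi_out"], "ts": None}
            continue
        m = CHILD_TS.match(line)
        if m and (m["name"], int(m["id"])) in sas:
            sas[(m["name"], int(m["id"]))]["ts"] = m["ts"]
    return sas


def find_duplicate_installed(status_text):
    """Group INSTALLED CHILD_SAs by (conn, reqid, selectors); return only groups with more than one."""
    groups = defaultdict(list)
    for (name, sa_id), sa in parse_child_sas(status_text).items():
        if sa["state"] == "INSTALLED":
            groups[(name, sa["reqid"], sa["ts"])].append((sa_id, sa["spi_in"], sa["spi_out"]))
    return {key: sorted(v) for key, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for (name, reqid, ts), sas in find_duplicate_installed(SAMPLE_STATUS).items():
        print(f"{name}: {len(sas)} INSTALLED CHILD_SAs for reqid {reqid}, TS {ts}")
        for sa_id, spi_in, spi_out in sas:
            print(f"  {{{sa_id}}} ESP SPIs {spi_in}_i {spi_out}_o")
```

Run it against live output with "ipsec status | python3 check.py" after replacing SAMPLE_STATUS with sys.stdin.read(); a connection listed more than once here is worth correlating with the charon log for the second CHILD_SA's origin.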