Hi,

Please provide the output of `ipsec statusall` and logs that show the issue.

Kind regards
Noel

On 02.01.2018 16:36, Jeff wrote:
> My ikev2 VPNs are accumulating duplicate IPSec SAs.
>
> Here are some of my high-level requirements:
> * "star" architecture: single central responder, multiple initiators.
> * Initiators may have dynamic or NAT'ed IPs.
> * Exactly one VPN between responder and each initiator.
> * Each VPN is "always up" to allow access from responder to any initiator at any time.
> * Periodic IKEv2 reauthentication is required to enforce X.509 CRLs.
> * Small outages during rekey, reauth are permissible.
>
> My config:
> responder: CentOS Linux strongswan-5.5.3-1.el7.x86_64 EPEL RPM. Config attached.
> initiators: CentOS Linux strongswan-5.5.3-1.el7.x86_64 EPEL RPM. Config attached.
>
> The issue: As time passes, I see multiple IPsec SAs accumulate between responder and some initiators.
>
> Question: How to configure for exactly one VPN between responder and each initiator?
>
> I suspect that adding a combination of
> connections.<conn>.unique
> and
> charon.make_before_break
>
> settings will fix my issue. Currently I am using the default values for each.
>
> Advice on a config change to fix duplicate IPSec SAs is requested.
>
>
> thanks,
> Jeff
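As an added illustration (not part of Noel's reply and not Jeff's attached config), here are the two settings Jeff names written out in swanctl.conf and strongswan.conf syntax with their non-default values beside a note on what the defaults do; the connection name "hub", addresses, certificate file names and timers are assumed placeholders. With the legacy ipsec.conf setup that `ipsec statusall` implies, the counterpart of `unique` is `uniqueids=replace` in `config setup`.

```conf
# --- swanctl.conf on the central responder (placeholders, not a real site) ---
connections {
    hub {
        local_addrs  = 203.0.113.1      # placeholder responder address
        remote_addrs = %any             # initiators have dynamic or NAT'ed IPs
        local {
            auth  = pubkey
            certs = responderCert.pem   # placeholder
        }
        remote {
            auth = pubkey
            # peer identity comes from the initiator's X.509 certificate;
            # 'unique' is enforced per identity, so each initiator needs its own
            revocation = strict         # assumed: enforce CRL checks at (re)auth
        }
        # Default 'unique = no' keeps an old IKE_SA when the same identity
        # authenticates again (e.g. after a NAT mapping change or a missed
        # DELETE), so stale SAs pile up.  'replace' deletes the older IKE_SA
        # for that identity once the new one is authenticated.
        unique = replace
        reauth_time = 3h                # assumed interval; forces fresh CRL checks
        dpd_delay   = 30s               # assumed: detect dead peers, drop their SAs
        children {
            hub {
                local_ts   = 10.0.0.0/8 # placeholder
                remote_ts  = dynamic
                rekey_time = 1h         # assumed
            }
        }
    }
}

# --- strongswan.conf on the peer that initiates reauthentication ---
charon {
    # Default 'no' (break-before-make): the old IKE_SA and its CHILD_SAs are
    # deleted before the new ones exist, which is the short reauth outage.
    # 'yes' builds the new IKE_SA and CHILD_SAs first, then deletes the old
    # ones; this requires the other side to tolerate briefly overlapping SAs.
    make_before_break = yes
}
```

Note that the overlap during make-before-break reauth is by design, so a duplicate pair that lasts only seconds around `reauth_time` is expected; SAs that persist beyond that are the ones the logs Noel asks for should explain.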
