Hi,

Set uniqueids = no in config setup. Better, use swanctl.conf with swanctl. There, you can set it per conn and not globally.

Kind regards
Noel
On 06.01.2018 01:15, Jun Hu wrote:
> Hi,
> Does strongSwan support multiple IKE SAs (each with its own CHILD_SA) between a
> single pair of addresses? It seems strongSwan only allows one IKE SA per pair of
> addresses.
>
> I am using strongSwan 5.5.0, inter-operating with an IKEv2 client that I wrote (for
> learning purposes); my client is the tunnel initiator. When I only create one IKE SA
> (along with one CHILD_SA), everything is good; but when my client tries to create a
> 2nd CHILD_SA (using IKE_SA_INIT and IKE_AUTH exchanges, not rekey) using the same
> addresses, the 2nd IKE and CHILD SA are created successfully at the beginning, but
> after a few seconds strongSwan sends a delete message to delete the 1st IKE_SA.
>
> I also tried setting charon.reuse_ikesa to no, but with the same result.
>
> I checked the strongSwan logs, but they don't say why it deletes the 1st IKE SA:
> root@vm-svr:/usr/local/etc# ipsec status
> Security Associations (2 up, 0 connecting):
>          l2l[2]: ESTABLISHED 9 seconds ago, 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
>          l2l{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1aab5fc_i 3f174706_o
>          l2l{2}:   10.10.10.1/32 === 1.1.1.2/32
>          l2l[1]: ESTABLISHED 19 seconds ago, 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
>          l2l{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca5a49fd_i 617a4971_o
>          l2l{1}:   10.10.10.1/32 === 1.1.1.1/32
> root@vm-svr:/usr/local/etc# ipsec status
> Security Associations (1 up, 0 connecting):
>          l2l[2]: ESTABLISHED 10 seconds ago, 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
>          l2l{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1aab5fc_i 3f174706_o
>          l2l{2}:   10.10.10.1/32 === 1.1.1.2/32
>
> part of the log:
> .....
> Jan 5 15:50:21 06[MGR] <l2l|2> checkout IKEv2 SA with SPIs 2c79130e38a24598_i c530ad0d0f1a47f0_r
> Jan 5 15:50:21 06[MGR] <l2l|2> IKE_SA l2l[1] successfully checked out
> Jan 5 15:50:21 06[MGR] <l2l|1> checkin IKE_SA l2l[1]
> Jan 5 15:50:21 06[MGR] <l2l|1> checkin of IKE_SA successful
> Jan 5 15:50:21 06[IKE] <l2l|2> IKE_SA l2l[2] established between 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
> Jan 5 15:50:21 06[IKE] <l2l|2> IKE_SA l2l[2] state change: CONNECTING => ESTABLISHED
> Jan 5 15:50:21 06[IKE] <l2l|2> scheduling rekeying in 490s
> Jan 5 15:50:21 06[IKE] <l2l|2> maximum IKE_SA lifetime 500s
> Jan 5 15:50:21 06[KNL] <l2l|2> got SPI c1aab5fc
> Jan 5 15:50:21 06[KNL] <l2l|2> adding SAD entry with SPI c1aab5fc and reqid {2}
> Jan 5 15:50:21 06[KNL] <l2l|2> using encryption algorithm AES_CBC with key size 128
> Jan 5 15:50:21 06[KNL] <l2l|2> using integrity algorithm HMAC_SHA1_96 with key size 160
> Jan 5 15:50:21 06[KNL] <l2l|2> using replay window of 32 packets
> Jan 5 15:50:21 06[KNL] <l2l|2> adding SAD entry with SPI 3f174706 and reqid {2}
> Jan 5 15:50:21 06[KNL] <l2l|2> using encryption algorithm AES_CBC with key size 128
> Jan 5 15:50:21 06[KNL] <l2l|2> using integrity algorithm HMAC_SHA1_96 with key size 160
> Jan 5 15:50:21 06[KNL] <l2l|2> using replay window of 0 packets
> Jan 5 15:50:21 06[KNL] <l2l|2> adding policy 10.10.10.1/32 === 1.1.1.2/32 out [priority 383616, refcount 1]
> Jan 5 15:50:21 06[KNL] <l2l|2> adding policy 1.1.1.2/32 === 10.10.10.1/32 in [priority 383616, refcount 1]
> Jan 5 15:50:21 06[KNL] <l2l|2> adding policy 1.1.1.2/32 === 10.10.10.1/32 fwd [priority 383616, refcount 1]
> Jan 5 15:50:21 06[KNL] <l2l|2> adding policy 10.10.10.1/32 === 1.1.1.2/32 fwd [priority 383616, refcount 1]
> Jan 5 15:50:21 06[KNL] <l2l|2> policy 10.10.10.1/32 === 1.1.1.2/32 out already exists, increasing refcount
> Jan 5 15:50:21 06[KNL] <l2l|2> updating policy 10.10.10.1/32 === 1.1.1.2/32 out [priority 183616, refcount 2]
> Jan 5 15:50:21 06[KNL] <l2l|2> getting a local address in traffic selector 10.10.10.1/32
> Jan 5 15:50:21 06[KNL] <l2l|2> using host 10.10.10.1
> Jan 5 15:50:21 06[KNL] <l2l|2> getting iface name for index 4
> Jan 5 15:50:21 06[KNL] <l2l|2> using 10.10.10.20 as nexthop and eth2 as dev to reach 10.10.10.20/32
> Jan 5 15:50:21 06[KNL] <l2l|2> installing route: 1.1.1.2/32 via 10.10.10.20 src 10.10.10.1 dev eth2
> Jan 5 15:50:21 06[KNL] <l2l|2> getting iface index for eth2
> Jan 5 15:50:21 06[KNL] <l2l|2> policy 1.1.1.2/32 === 10.10.10.1/32 in already exists, increasing refcount
> Jan 5 15:50:21 06[KNL] <l2l|2> updating policy 1.1.1.2/32 === 10.10.10.1/32 in [priority 183616, refcount 2]
> Jan 5 15:50:21 06[KNL] <l2l|2> policy 1.1.1.2/32 === 10.10.10.1/32 fwd already exists, increasing refcount
> Jan 5 15:50:21 06[KNL] <l2l|2> updating policy 1.1.1.2/32 === 10.10.10.1/32 fwd [priority 183616, refcount 2]
> Jan 5 15:50:21 06[KNL] <l2l|2> policy 10.10.10.1/32 === 1.1.1.2/32 fwd already exists, increasing refcount
> Jan 5 15:50:21 06[KNL] <l2l|2> updating policy 10.10.10.1/32 === 1.1.1.2/32 fwd [priority 283616, refcount 2]
> Jan 5 15:50:21 06[IKE] <l2l|2> CHILD_SA l2l{2} established with SPIs c1aab5fc_i 3f174706_o and TS 10.10.10.1/32 === 1.1.1.2/32
> Jan 5 15:50:21 06[KNL] <l2l|2> querying SAD entry with SPI c1aab5fc
> Jan 5 15:50:21 06[KNL] <l2l|2> querying SAD entry with SPI 3f174706
> Jan 5 15:50:21 06[KNL] <l2l|2> 10.10.10.1 is on interface eth2
> Jan 5 15:50:21 06[ENC] <l2l|2> generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
> Jan 5 15:50:21 06[NET] <l2l|2> sending packet: from 10.10.10.1[500] to 10.10.10.20[500] (204 bytes)
> Jan 5 15:50:21 06[MGR] <l2l|2> checkin IKE_SA l2l[2]
> Jan 5 15:50:21 06[MGR] <l2l|2> checkin of IKE_SA successful
> Jan 5 15:50:31 05[MGR] checkout IKEv2 SA with SPIs 2c79130e38a24598_i c530ad0d0f1a47f0_r
> Jan 5 15:50:31 05[MGR] IKE_SA l2l[1] successfully checked out
> Jan 5 15:50:31 05[IKE] <l2l|1> queueing IKE_DELETE task
> Jan 5 15:50:31 05[IKE] <l2l|1> activating new tasks
> Jan 5 15:50:31 05[IKE] <l2l|1> activating IKE_DELETE task
> Jan 5 15:50:31 05[IKE] <l2l|1> deleting IKE_SA l2l[1] between 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
> Jan 5 15:50:31 05[IKE] <l2l|1> IKE_SA l2l[1] state change: ESTABLISHED => DELETING
> Jan 5 15:50:31 05[IKE] <l2l|1> sending DELETE for IKE_SA l2l[1]
> Jan 5 15:50:31 05[ENC] <l2l|1> generating INFORMATIONAL request 0 [ D ]
> Jan 5 15:50:31 05[NET] <l2l|1> sending packet: from 10.10.10.1[500] to 10.10.10.20[500] (76 bytes)
> Jan 5 15:50:31 05[MGR] <l2l|1> checkin IKE_SA l2l[1]
> Jan 5 15:50:31 05[MGR] <l2l|1> checkin of IKE_SA successful
> Jan 5 15:50:31 13[MGR] checkout IKEv2 SA by message with SPIs 2c79130e38a24598_i c530ad0d0f1a47f0_r
> Jan 5 15:50:31 13[MGR] IKE_SA l2l[1] successfully checked out
>
> ===ipsec.conf===
> conn %default
>     keyexchange=ikev2
>     mobike = no
>     reauth=no
>
> conn l2l
>     ikelifetime=500s
>     margintime=10s
>     rekeyfuzz=0%
>     ike=aes128-sha1-modp2048!
>     esp=aes128-sha1
>     authby=psk
>     leftfirewall=yes
>     rightsubnet=1.0.0.0/8
>     auto=add
>
>
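Editor's note, not part of the thread: the per-connection setting Noel refers to is swanctl's `unique` option. In ipsec.conf the only place to change the policy is a global `config setup` section (`uniqueids=no`), which is absent from the quoted configuration, so strongSwan applies the default of replacing an older IKE_SA whose peer IDs match a newly established one; that replacement is the IKE_DELETE seen in the log ten seconds after l2l[2] came up. The fragment below is an added example that expresses the quoted `l2l` connection in swanctl.conf with the uniqueness policy set on that connection only. Mappings from the ipsec.conf keywords are given in the comments; the PSK is a placeholder and the `updown` script path assumes the `/usr/local` install prefix visible in the quoted prompt.

```conf
# Added example (not from the original thread or the strongSwan project):
# the quoted ipsec.conf "conn l2l" rendered in swanctl.conf.
connections {
    l2l {
        version = 2              # keyexchange=ikev2
        mobike = no              # mobike=no
        reauth_time = 0          # reauth=no (0 disables reauthentication)

        # ikelifetime=500s, margintime=10s, rekeyfuzz=0%:
        # swanctl expresses the lifetime as rekey_time + over_time, so the
        # hard limit stays 500s and rekeying is scheduled at 490s, matching
        # "scheduling rekeying in 490s" / "maximum IKE_SA lifetime 500s" in the log.
        rekey_time = 490s
        over_time = 10s
        rand_time = 0

        # ike=aes128-sha1-modp2048!  (swanctl proposals are always strict,
        # so the trailing "!" has no counterpart)
        proposals = aes128-sha1-modp2048

        # Per-connection replacement for "uniqueids" in config setup.
        # "no" leaves several IKE_SAs with identical peer IDs in place, which is
        # what the second IKE_SA_INIT/IKE_AUTH pair in the thread needs.
        # "never" additionally ignores an INITIAL_CONTACT notify from the peer;
        # "replace" (the ipsec.conf default) and "keep" enforce one SA per ID pair.
        unique = no

        local {
            auth = psk           # authby=psk
        }
        remote {
            auth = psk
        }

        children {
            l2l {
                remote_ts = 1.0.0.0/8        # rightsubnet=1.0.0.0/8
                esp_proposals = aes128-sha1  # esp=aes128-sha1
                start_action = none          # auto=add (load only, wait for the peer)
                # leftfirewall=yes; path assumes a /usr/local install prefix
                updown = /usr/local/libexec/ipsec/_updown iptables
            }
        }
    }
}

secrets {
    ike-l2l {
        # Placeholder value; keep the real PSK in a separately included file
        # with restrictive permissions rather than in the main swanctl.conf.
        secret = "REPLACE-WITH-A-STRONG-PRE-SHARED-KEY"
    }
}
```

After editing, `swanctl --load-all` (or `swanctl --load-conns`) picks up the change; `swanctl --list-sas` should then show both IKE_SAs staying established instead of the older one being torn down. Because the policy is scoped to `l2l`, other connections on the same daemon keep whatever uniqueness behaviour they need, which the global `uniqueids` knob in ipsec.conf cannot do.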