Hi,

Setup: I have one IKE responder and two IKE initiators (with different
identities), which are able to establish an IKE SA with the responder
successfully.

Version: strongSwan 5.7.2dr2, swanctl
Issue: I want to establish an additional CHILD_SA from the responder for each of
these IKE SA initiators. However, both initiators' IKE entries are assigned the
same connection name, "net-net". In my ipsec.conf settings, the connection name
is "net-net". My problem is that when I initiate a CHILD_SA using the
swanctl --initiate command, I cannot tell the two IKE SAs apart, as both are
assigned the same name by the charon daemon.
Please find output of command and ipsec.conf in the attached file.
Queries:
1. How do I configure the responder so that each entry gets a separate connection
name? I know I can define a separate conn configuration for each in the .conf
file, but with 100K connections that would lead to a huge .conf file, which is
difficult to manage.
2. Can I dynamically load only the child configuration using the "load_conn"
command and then initiate a CHILD_SA for that particular child by its child
name? I also tried using the GoVICI interface to load configurations (with the
same connection name) via load_conn, but it created a new entry rather than
updating the existing one.
Warm Regards,
Pankaj
 swanctl --list-sas --pretty --raw
list-sa event {
  net-net {
    uniqueid = 2
    version = 2
    state = ESTABLISHED
    local-host = 10.10.1.2
    local-port = 500
    local-id = server.strongswan.org
    remote-host = 10.200.200.110
    remote-port = 500
    remote-id = client1.strongswan.org
    initiator-spi = b468934b8e969597
    responder-spi = 82a8ab360d4c9caa
    encr-alg = AES_CBC
    encr-keysize = 128
    integ-alg = HMAC_SHA2_256_128
    prf-alg = PRF_AES128_XCBC
    dh-group = CURVE_25519
    established = 2856
    reauth-time = 82626
    remote-vips = [
      10.3.1.2
    ]
    child-sas {
      net-net-2 {
        name = net-net
        uniqueid = 2
        reqid = 2
        state = INSTALLED
        mode = TUNNEL
        protocol = ESP
        spi-in = c760bd11
        spi-out = cf56579a
        encr-alg = AES_CBC
        encr-keysize = 128
        integ-alg = HMAC_SHA2_256_128
        bytes-in = 728
        packets-in = 0
        bytes-out = 0
        packets-out = 0
        rekey-time = 82521
        life-time = 83544
        install-time = 2856
        local-ts = [
          192.168.124.0/24
        ]
        remote-ts = [
          10.3.1.2/32
        ]
      }
    }
  }
}
list-sa event {
  net-net {
    uniqueid = 1
    version = 2
    state = ESTABLISHED
    local-host = 10.10.1.2
    local-port = 500
    local-id = server.strongswan.org
    remote-host = 10.200.200.100
    remote-port = 500
    remote-id = client.strongswan.org
    initiator-spi = f352c9ca2126bd32
    responder-spi = 7b1ce21f8a2dd4dd
    encr-alg = AES_CBC
    encr-keysize = 128
    integ-alg = HMAC_SHA2_256_128
    prf-alg = PRF_AES128_XCBC
    dh-group = CURVE_25519
    established = 2932
    reauth-time = 82849
    remote-vips = [
      10.3.1.1
    ]
    child-sas {
      net-net-1 {
        name = net-net
        uniqueid = 1
        reqid = 1
        state = INSTALLED
        mode = TUNNEL
        protocol = ESP
        spi-in = c78fa4b9
        spi-out = c3c40549
        encr-alg = AES_CBC
        encr-keysize = 128
        integ-alg = HMAC_SHA2_256_128
        bytes-in = 728
        packets-in = 0
        bytes-out = 0
        packets-out = 0
        rekey-time = 82456
        life-time = 83468
        install-time = 2932
        local-ts = [
          192.168.124.0/24
        ]
        remote-ts = [
          10.3.1.1/32
        ]
      }
    }
  }
}
list-sas reply {
}

==============================================================================
Initiate command

1. NOT WORKING
swanctl --initiate --child net-net-1 --ike net-net
initiate failed: CHILD_SA config 'net-net-1' not found


2. NOT WORKING
swanctl --initiate --child net-net-2 --ike net-net
initiate failed: CHILD_SA config 'net-net-2' not found
[root@43ee2894ac18 /]#


3. WORKING for first entry
[root@43ee2894ac18 /]# swanctl --initiate --child net-net --ike net-net
initiate completed successfully


=======================================================================ipsec.conf

# Responder-side ipsec.conf as posted; compare with the swanctl --list-sas
# output above.
config setup
        # CRL checking is not enforced (the strongSwan default). With
        # rightauth=eap-* the responder does not validate a peer certificate at
        # all, so this setting presumably only matters if the remote side is
        # ever switched to pubkey authentication.
        strictcrlpolicy=no

conn %default
        # No ike=/esp= proposals are set, so charon's defaults apply; the
        # established SAs above show AES_CBC-128 / HMAC_SHA2_256_128 /
        # PRF_AES128_XCBC / CURVE_25519 for IKE and AES_CBC-128 /
        # HMAC_SHA2_256_128 for ESP.
        #ike=aes256-sha1-modp2048!
        #esp=aes192-sha1-esn!
        mobike=no
        keyexchange=ikev2
        # 24h IKE and CHILD_SA lifetimes; list-sas reports reauth-time and
        # rekey-time in the ~82-83k second range accordingly.
        ikelifetime=24h
        lifetime=24h

# A single conn that matches every initiator: both IKE_SAs in the list-sas
# output (remote-id client.strongswan.org and client1.strongswan.org) are
# instances of this one config, which is why both are named "net-net".
# The CHILD_SA instance names net-net-1 / net-net-2 are <config name>-<uniqueid>
# (see "name = net-net" under each), not config names, so
# `swanctl --initiate --child net-net-1` finds no CHILD_SA config.
conn net-net
        left=10.10.1.2
        leftsubnet=192.168.124.0/24
        # The responder authenticates with its own certificate ...
        leftauth=pubkey
        # NOTE(review): this value was mangled by the list archive's address
        # obfuscation; list-sas reports local-id = server.strongswan.org.
        [email protected]
        leftcert=serverCert.pem
        # ... and accepts any peer address and identity, authenticated via EAP.
        # No certificate is requested from the peer.
        right=%any
        rightauth=eap-expanded
        rightid=%any
        rightsendcert=never
        # Initiators receive a virtual IP from this pool (10.3.1.1 and 10.3.1.2
        # in the output above); the CHILD_SA's remote-ts is the assigned /32.
        rightsourceip=10.3.1.0/24
        # Load the config only; the responder never initiates this conn itself.
        auto=add


