Hello,
Setup: I have one IKE responder and two IKE initiators (with different
identities), which are able to establish an IKE SA with the responder
successfully.
Version: strongSwan 5.7.2dr2, swanctl
Issue: I want to establish an additional CHILD_SA for each of these IKE SAs
from the responder. However, both initiators' IKE entries at the IKE responder
are assigned the same connection name "net-net". In my ipsec.conf settings, the
connection name is given as "net-net". My problem is that when I initiate a
CHILD_SA using the swanctl --initiate command, I cannot identify the separate
IKE SAs, as both are assigned the same name by the charon daemon. I understand
it takes names from the configuration and creates a new IKE SA or CHILD SA with
the name mentioned in the config.
Please find the output of the command and ipsec.conf in the attached file.
Queries:
1. How do I configure the responder so that each IKE SA entry appears as a
separate connection? My main aim is to create additional CHILD SAs for each IKE
SA.
Warm Regards,
Pankaj
swanctl --list-sas --pretty --raw
list-sa event {
net-net {
uniqueid = 2
version = 2
state = ESTABLISHED
local-host = 10.10.1.2
local-port = 500
local-id = server.strongswan.org
remote-host = 10.200.200.110
remote-port = 500
remote-id = client1.strongswan.org
initiator-spi = b468934b8e969597
responder-spi = 82a8ab360d4c9caa
encr-alg = AES_CBC
encr-keysize = 128
integ-alg = HMAC_SHA2_256_128
prf-alg = PRF_AES128_XCBC
dh-group = CURVE_25519
established = 2856
reauth-time = 82626
remote-vips = [
10.3.1.2
]
child-sas {
net-net-2 {
name = net-net
uniqueid = 2
reqid = 2
state = INSTALLED
mode = TUNNEL
protocol = ESP
spi-in = c760bd11
spi-out = cf56579a
encr-alg = AES_CBC
encr-keysize = 128
integ-alg = HMAC_SHA2_256_128
bytes-in = 728
packets-in = 0
bytes-out = 0
packets-out = 0
rekey-time = 82521
life-time = 83544
install-time = 2856
local-ts = [
192.168.124.0/24
]
remote-ts = [
10.3.1.2/32
]
}
}
}
}
list-sa event {
net-net {
uniqueid = 1
version = 2
state = ESTABLISHED
local-host = 10.10.1.2
local-port = 500
local-id = server.strongswan.org
remote-host = 10.200.200.100
remote-port = 500
remote-id = client.strongswan.org
initiator-spi = f352c9ca2126bd32
responder-spi = 7b1ce21f8a2dd4dd
encr-alg = AES_CBC
encr-keysize = 128
integ-alg = HMAC_SHA2_256_128
prf-alg = PRF_AES128_XCBC
dh-group = CURVE_25519
established = 2932
reauth-time = 82849
remote-vips = [
10.3.1.1
]
child-sas {
net-net-1 {
name = net-net
uniqueid = 1
reqid = 1
state = INSTALLED
mode = TUNNEL
protocol = ESP
spi-in = c78fa4b9
spi-out = c3c40549
encr-alg = AES_CBC
encr-keysize = 128
integ-alg = HMAC_SHA2_256_128
bytes-in = 728
packets-in = 0
bytes-out = 0
packets-out = 0
rekey-time = 82456
life-time = 83468
install-time = 2932
local-ts = [
192.168.124.0/24
]
remote-ts = [
10.3.1.1/32
]
}
}
}
}
list-sas reply {
}
============================================================================== Initiate command
1. NOT WORKING
swanctl --initiate --child net-net-1 --ike net-net
initiate failed: CHILD_SA config 'net-net-1' not found
2. NOT WORKING
swanctl --initiate --child net-net-2 --ike net-net
initiate failed: CHILD_SA config 'net-net-2' not found
[root@43ee2894ac18 /]#
3. WORKING
[root@43ee2894ac18 /]# swanctl --initiate --child net-net --ike net-net
initiate completed successfully
=======================================================================ipsec.conf
# ipsec.conf of the responder, as pasted on the list.
config setup
# CRL checks are not mandatory when validating the peer certificate.
strictcrlpolicy=no
conn %default
#ike=aes256-sha1-modp2048!
#esp=aes192-sha1-esn!
mobike=no
keyexchange=ikev2
ikelifetime=24h
lifetime=24h
# The only conn defined on the responder; both initiators match it, which is
# why both IKE SAs in the swanctl --list-sas output carry the name "net-net".
conn net-net
left=10.10.1.2
leftsubnet=192.168.124.0/24
leftauth=pubkey
# NOTE(review): the value below looks mangled by the archive's e-mail
# obfuscation; the list-sas output shows local-id = server.strongswan.org.
[email protected]
leftcert=serverCert.pem
# Any peer address and any peer identity are accepted by this single conn.
right=%any
rightauth=eap-expanded
rightid=%any
rightsendcert=never
# Virtual IP pool; the remote-vips 10.3.1.1 / 10.3.1.2 above come from it.
rightsourceip=10.3.1.0/24
# Load the conn without initiating it.
auto=add