Issue #2386

support of concurrent IKEv2 procedure.

Added by Jeonghoon Lee about 5 years ago. Updated about 5 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: libcharon
Affected version: 5.5.3
Resolution: No change required

Description

It seems strongSwan makes SA negotiation in serial order when there are multiple ipsec connection tries.

Does strongSwan support concurrent SA negotiations (IKEv2) to the same server?
(I mean multiple (2~3) IKEv2 procedures at the same time.)

If it's possible, is there a configuration? Which version supports it?

Thanks.

History

#1 Updated by Andreas Steffen about 5 years ago

  • Status changed from New to Feedback

strongSwan does not support concurrent multiple negotiations with the same endpoint, i.e. the SET_WINDOW_SIZE parameter is restricted to a value of 1.

Andreas

#2 Updated by Jeonghoon Lee about 5 years ago

Do you mean concurrent multiple negotiations are possible with a different endpoint?

In my test, it seems that concurrent multiple negotiations (same endpoint) are possible with the stroke up-nb command.
Could you check the log below?

50706 07-24 09:22:09.577 5012 5027 I /system/bin/charon: 14[CFG] [on_accept() 692] stroke message type: 0
50707 07-24 09:22:09.577 5012 5027 I /system/bin/charon: 14[CFG] [stroke_initiate() 256] received stroke: initiate 'test_1'
50708 07-24 09:22:09.578 5012 5027 I /system/bin/charon: 14[IKE] [task_manager_v2_create() 1837] Number of times to retransmit a packet before giving up: 4
50709 07-24 09:22:09.578 5012 5027 I /system/bin/charon: 14[IKE] [task_manager_v2_create() 1843] Timeout in seconds before sending first retransmit: 1.000000
50710 07-24 09:22:09.578 5012 5027 I /system/bin/charon: 14[IKE] [task_manager_v2_create() 1849] Base to use for calculating exponential back off: 2.000000
50711 07-24 09:22:09.579 5012 5027 I /system/bin/charon: 14[IKE] [ike_sa_create() 2901] NAT keepalive timer change to 50
50712 07-24 09:22:09.579 5012 5027 I /system/bin/charon: 14[IKE] initiating IKE_SA test_113 to 141.207.181.232
50713 07-24 09:22:09.579 5012 5027 I /system/bin/charon: 14[IKE] initiating IKE_SA test_113 to 141.207.181.232
50714 07-24 09:22:09.589 5012 5027 I /system/bin/charon: 14[ENC] [generate() 1536] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
50715 07-24 09:22:09.591 5012 5027 I /system/bin/charon: 14[NET] [send_() 101] sending packet: from 192.168.0.193[32012] to 141.207.181.232[500] (372 bytes)
50716 07-24 09:22:10.211 5012 5028 I /system/bin/charon: 15[CFG] [on_accept() 692] stroke message type: 0
50717 07-24 09:22:10.211 5012 5028 I /system/bin/charon: 15[CFG] [stroke_initiate() 256] received stroke: initiate 'test_2'
50718 07-24 09:22:10.212 5012 5028 I /system/bin/charon: 15[IKE] [task_manager_v2_create() 1837] Number of times to retransmit a packet before giving up: 4
50719 07-24 09:22:10.212 5012 5028 I /system/bin/charon: 15[IKE] [task_manager_v2_create() 1843] Timeout in seconds before sending first retransmit: 1.000000
50720 07-24 09:22:10.212 5012 5028 I /system/bin/charon: 15[IKE] [task_manager_v2_create() 1849] Base to use for calculating exponential back off: 2.000000
50721 07-24 09:22:10.212 5012 5028 I /system/bin/charon: 15[IKE] [ike_sa_create() 2901] NAT keepalive timer change to 50
50722 07-24 09:22:10.213 5012 5028 I /system/bin/charon: 15[IKE] initiating IKE_SA test_214 to 141.207.131.232
50723 07-24 09:22:10.213 5012 5028 I /system/bin/charon: 15[IKE] initiating IKE_SA test_214 to 141.207.131.232
50724 07-24 09:22:10.223 5012 5028 I /system/bin/charon: 15[ENC] [generate() 1536] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
50725 07-24 09:22:10.225 5012 5028 I /system/bin/charon: 15[NET] [send_() 101] sending packet: from 192.168.43.110[32012] to 141.207.131.232[500] (372 bytes)
50726 07-24 09:22:10.228 5012 5025 I /system/bin/charon: 12[NET] [execute() 73] received packet: from 141.207.181.232[500] to 192.168.0.193[32012] (288 bytes)
50727 07-24 09:22:10.229 5012 5025 I /system/bin/charon: 12[ENC] [parse_body() 2088] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
50728 07-24 09:22:10.230 5012 5025 I /system/bin/charon: 12[KEY] [select_proposal() 343] selected proposal: IKE:AES-CBC [RFC3602]_256/HMAC-SHA-1-96 [RFC2404]/PRF_HMAC_SHA1/MODP_1024
50748 07-24 09:22:10.248 5012 5025 I /system/bin/charon: 12[IKE] [set_condition() 612] local host is behind NAT, sending keep alives
50749 07-24 09:22:10.248 5012 5025 I /system/bin/charon: 12[IKE] [send_keepalive() 542] NATT keepalive through charon is enabled, interval:50
50750 07-24 09:22:10.249 5012 5025 I /system/bin/charon: 12[CFG] [build_certreqs() 441] ** skip certificate request **************
50751 07-24 09:22:10.249 5012 5025 I /system/bin/charon: 12[IKE] [build_i() 575] building INTERNAL_IP4_DNS attribute
50752 07-24 09:22:10.249 5012 5025 I /system/bin/charon: 12[IKE] [build_i() 575] building INTERNAL_IP6_DNS attribute
50753 07-24 09:22:10.250 5012 5025 I /system/bin/charon: 12[IKE] [build_pcscf() 163] building (16389) attribute
50754 07-24 09:22:10.250 5012 5025 I /system/bin/charon: 12[IKE] [build_pcscf() 163] building (16390) attribute
50755 07-24 09:22:10.250 5012 5025 I /system/bin/charon: 12[IKE] establishing CHILD_SA test_1
50756 07-24 09:22:10.251 5012 5025 I /system/bin/charon: 12[IKE] establishing CHILD_SA test_1
50757 07-24 09:22:10.252 5012 5025 I /system/bin/charon: 12[ENC] [generate() 1536] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR ADDR6 DNS DNS6 (16389) (16390)) SA TSi TSr N(EAP_ONLY) ]
50758 07-24 09:22:10.255 5012 5025 I /system/bin/charon: 12[NET] [send_() 101] sending packet: from 192.168.0.193[32014] to 141.207.181.232[4500] (428 bytes)
50760 07-24 09:22:10.744 5012 5019 I /system/bin/charon: 06[NET] [execute() 73] received packet: from 141.207.131.232[500] to 192.168.0.193[32012] (288 bytes)
50761 07-24 09:22:10.751 5012 5019 I /system/bin/charon: 06[ENC] [parse_body() 2088] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
50762 07-24 09:22:10.753 5012 5019 I /system/bin/charon: 06[KEY] [select_proposal() 343] selected proposal: IKE:AES-CBC [RFC3602]_256/HMAC-SHA-1-96 [RFC2404]/PRF_HMAC_SHA1/MODP_1024
50782 07-24 09:22:10.812 5012 5019 I /system/bin/charon: 06[IKE] [set_condition() 612] local host is behind NAT, sending keep alives
50783 07-24 09:22:10.812 5012 5019 I /system/bin/charon: 06[IKE] [send_keepalive() 542] NATT keepalive through charon is enabled, interval:50
50784 07-24 09:22:10.812 5012 5019 I /system/bin/charon: 06[CFG] [build_certreqs() 441] ** skip certificate request **************
50785 07-24 09:22:10.813 5012 5019 I /system/bin/charon: 06[IKE] [build_i() 575] building INTERNAL_IP4_DNS attribute
50786 07-24 09:22:10.813 5012 5019 I /system/bin/charon: 06[IKE] [build_i() 575] building INTERNAL_IP6_DNS attribute
50787 07-24 09:22:10.813 5012 5019 I /system/bin/charon: 06[IKE] [build_pcscf() 163] building (16389) attribute
50788 07-24 09:22:10.814 5012 5019 I /system/bin/charon: 06[IKE] [build_pcscf() 163] building (16390) attribute
50789 07-24 09:22:10.814 5012 5019 I /system/bin/charon: 06[IKE] establishing CHILD_SA test_2
50790 07-24 09:22:10.814 5012 5019 I /system/bin/charon: 06[IKE] establishing CHILD_SA test_2
50791 07-24 09:22:10.815 5012 5019 I /system/bin/charon: 06[ENC] [generate() 1536] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR ADDR6 DNS DNS6 (16389) (16390)) SA TSi TSr N(EAP_ONLY) ]
50792 07-24 09:22:10.818 5012 5019 I /system/bin/charon: 06[NET] [send_() 101] sending packet: from 192.168.0.193[32014] to 141.207.131.232[4500] (428 bytes)
50793 07-24 09:22:10.844 5012 5021 I /system/bin/charon: 08[NET] [execute() 73] received packet: from 141.207.181.232[4500] to 192.168.0.193[32014] (172 bytes)
50794 07-24 09:22:10.846 5012 5021 I /system/bin/charon: 08[ENC] [parse_body() 2088] parsed IKE_AUTH response 1 [ N((41101)) IDr EAP/REQ/AKA ]
50806 07-24 09:22:10.849 5012 5021 I /system/bin/charon: 08[IKE] [client_process_eap() 395] server requested EAP_AKA authentication (id 0x02)
50807 07-24 09:22:10.849 5012 5021 I /system/bin/charon: 08[KEY] [eap_aka_peer_create() 694] ID: => 72 bytes 0x0000007f9c765730
50814 07-24 09:22:10.851 5012 5021 I /system/bin/charon: 08[LIB] [simaka_attribute_skippable() 146] ignoring skippable EAP-SIM/AKA attribute (139)
50865 07-24 09:22:11.343 5012 5021 I /system/bin/charon: 08[IKE] [process_i() 1095] allow mutual EAP-only authentication
50866 07-24 09:22:11.344 5012 5021 I /system/bin/charon: 08[ENC] [generate() 1536] generating IKE_AUTH request 2 [ EAP/RES/AKA ]
50867 07-24 09:22:11.345 5012 5021 I /system/bin/charon: 08[NET] [send_() 101] sending packet: from 192.168.0.193[32014] to 141.207.181.232[4500] (108 bytes)
50868 07-24 09:22:11.350 5012 5023 I /system/bin/charon: 10[NET] [execute() 73] received packet: from 141.207.131.232[4500] to 192.168.0.193[32014] (172 bytes)
50869 07-24 09:22:11.351 5012 5023 I /system/bin/charon: 10[ENC] [parse_body() 2088] parsed IKE_AUTH response 1 [ N((41101)) IDr EAP/REQ/AKA ]
50889 07-24 09:22:11.353 5012 5023 I /system/bin/charon: 10[IKE] [client_process_eap() 395] server requested EAP_AKA authentication (id 0x02)
50891 07-24 09:22:11.354 5012 5023 I /system/bin/charon: 10[KEY] [eap_aka_peer_create() 694] ID: => 72 bytes 0x0000007f9c765140
50898 07-24 09:22:11.358 5012 5023 I /system/bin/charon: 10[LIB] [simaka_attribute_skippable() 146] ignoring skippable EAP-SIM/AKA attribute (139)
50948 07-24 09:22:11.490 5012 5023 I /system/bin/charon: 10[IKE] [process_i() 1095] allow mutual EAP-only authentication
50949 07-24 09:22:11.498 5012 5023 I /system/bin/charon: 10[ENC] [generate() 1536] generating IKE_AUTH request 2 [ EAP/RES/AKA ]
50950 07-24 09:22:11.503 5012 5023 I /system/bin/charon: 10[NET] [send_() 101] sending packet: from 192.168.0.193[32014] to 141.207.131.232[4500] (76 bytes)
50954 07-24 09:22:11.971 5012 5026 I /system/bin/charon: 13[NET] [execute() 73] received packet: from 141.207.181.232[4500] to 192.168.0.193[32014] (76 bytes)
50955 07-24 09:22:11.973 5012 5027 I /system/bin/charon: 14[NET] [execute() 73] received packet: from 141.207.131.232[4500] to 192.168.0.193[32014] (92 bytes)
50956 07-24 09:22:11.975 5012 5026 I /system/bin/charon: 13[ENC] [parse_body() 2088] parsed IKE_AUTH response 2 [ EAP/SUCC ]
50957 07-24 09:22:11.976 5012 5027 I /system/bin/charon: 14[ENC] [parse_body() 2088] parsed IKE_AUTH response 2 [ EAP/FAIL N(AUTH_FAILED) ]
50958 07-24 09:22:11.978 5012 5026 I /system/bin/charon: 13[IKE] [process_client() 641] EAP method EAP_AKA succeeded, MSK established
50960 07-24 09:22:11.980 5012 5026 I /system/bin/charon: 13[ENC] [generate() 1536] generating IKE_AUTH request 3 [ AUTH ]
50961 07-24 09:22:11.983 5012 5026 I /system/bin/charon: 13[NET] [send_() 101] sending packet: from 192.168.0.193[32014] to 141.207.181.232[4500] (92 bytes)
50962 07-24 09:22:11.985 5012 5027 I /system/bin/charon: 14[IKE] [parse_message() 1154] receive error notify: AUTHENTICATION_FAILED
50963 07-24 09:22:11.987 5012 5027 I /system/bin/charon: 14[IKE] [notify_error() 101] RX from charon - [ipsecerror=test_2,24]
51005 07-24 09:22:11.999 5012 5027 I /system/bin/charon: 14[IKE] [process_i() 985] received AUTHENTICATION_FAILED notify error
51009 07-24 09:22:12.790 5012 5025 I /system/bin/charon: 12[NET] [execute() 73] received packet: from 141.207.181.232[4500] to 192.168.0.193[32014] (364 bytes)
51010 07-24 09:22:12.799 5012 5025 I /system/bin/charon: 12[ENC] [parse_body() 2088] parsed IKE_AUTH response 3 [ AUTH CPRP(ADDR6 DNS6 DNS6 (16390) (16390) (16390)) SA TSi TSr ]
51011 07-24 09:22:12.801 5012 5025 I /system/bin/charon: 12[IKE] [verify_auth() 483] authentication of '141.207.181.232' with EAP successful
51012 07-24 09:22:12.803 5012 5025 I /system/bin/charon: 12[IKE] [complies() 645] *** skip ID check OKOKOKOKOK ***
51014 07-24 09:22:12.807 5012 5025 I /system/bin/charon: 12[IKE] [process_i() 1123] IKE_SA test_1[13] established between 192.168.0.193[]...141.207.181.232[141.207.181.232]
51015 07-24 09:22:12.809 5012 5025 I /system/bin/charon: 12[IKE] [set_state() 770] scheduling rekeying in 85832s
51016 07-24 09:22:12.811 5012 5025 I /system/bin/charon: 12[IKE] [set_state() 801] maximum IKE_SA lifetime 89432s
51017 07-24 09:22:12.812 5012 5025 I /system/bin/charon: 12[IKE] [process_payloads() 503] processing INTERNAL_IP6_ADDRESS attribute
51018 07-24 09:22:12.813 5012 5025 I /system/bin/charon: 12[IKE] [process_payloads() 503] processing INTERNAL_IP6_DNS attribute
51019 07-24 09:22:12.816 5012 5025 I /system/bin/charon: 12[IKE] [process_payloads() 503] processing INTERNAL_IP6_DNS attribute
51020 07-24 09:22:12.818 5012 5025 I /system/bin/charon: 12[IKE] [process_payloads() 503] processing (16390) attribute
51021 07-24 09:22:12.819 5012 5025 I /system/bin/charon: 12[IKE] [process_attribute() 455] ==================need patch addr.len: 17
51022 07-24 09:22:12.820 5012 5025 I /system/bin/charon: 12[IKE] [process_payloads() 503] processing (16390) attribute
51023 07-24 09:22:12.822 5012 5025 I /system/bin/charon: 12[IKE] [process_attribute() 455] ==================need patch addr.len: 17
51024 07-24 09:22:12.823 5012 5025 I /system/bin/charon: 12[IKE] [process_payloads() 503] processing (16390) attribute
51025 07-24 09:22:12.825 5012 5025 I /system/bin/charon: 12[IKE] [process_attribute() 455] ==================need patch addr.len: 17
51049 07-24 09:22:12.846 5012 5015 I /system/bin/charon: 02[KNL] [process_addr() 954] Install vip successfully (2600:1016:8106:4ed0:0:1b:be0a:6e01 on mynet0)
51050 07-24 09:22:12.849 5012 5025 I /system/bin/charon: 12[KNL] [add_ip() 1828] virtual IP 2600:1016:8106:4ed0:0:1b:be0a:6e01 installed on mynet0
51051 07-24 09:22:12.851 5012 5025 I /system/bin/charon: 12[IKE] [select_and_install() 530] my ts : 2600:1016:8106:4ed0:0:1b:be0a:6e01/128
51052 07-24 09:22:12.852 5012 5025 I /system/bin/charon: 12[IKE] [select_and_install() 540] INSIDE enumerator1
51053 07-24 09:22:12.853 5012 5025 I /system/bin/charon: 12[IKE] [select_and_install() 542] FORCE set_ts_ipv6_range_64 IPV6
51054 07-24 09:22:12.855 5012 5025 I /system/bin/charon: 12[IKE] [select_and_install() 544] set_ts_ipv6_range_64 2600:1016:8106:4ed0::/64
51055 07-24 09:22:12.855 5012 5025 I /system/bin/charon: 12[IKE] [select_and_install() 548] [LGSI_DATA]my ts After set_ts_ipv6_range_64 : 2600:1016:8106:4ed0::/64
51056 07-24 09:22:12.856 5012 5025 I /system/bin/charon: 12[KEY] [install() 672] adding inbound ESP SA
51057 07-24 09:22:12.856 5012 5025 I /system/bin/charon: 12[KEY] [install() 676] SPI 0xc8fc064d, src 141.207.181.232 dst 192.168.0.193
51058 07-24 09:22:12.856 5012 5025 I /system/bin/charon: 12[IKE] [install() 716] origin inbound policy: ::/0 === 2600:1016:8106:4ed0::/64
51059 07-24 09:22:12.857 5012 5025 I /system/bin/charon: 12[IKE] [install() 719] inbound policy: ::/0 === 2600:1016:8106:4ed0::/64
51060 07-24 09:22:12.857 5012 5025 I /system/bin/charon: 12[KEY] [add_sa() 1230] adding SAD entry with SPI c8fc064d and reqid {13} (mark 0/0x00000000)
51061 07-24 09:22:12.858 5012 5025 I /system/bin/charon: 12[KEY] [add_sa() 1341] using encryption algorithm AES-CBC [RFC3602] with key size 128
51064 07-24 09:22:12.858 5012 5025 I /system/bin/charon: 12[KEY] [add_sa() 1373] using integrity algorithm HMAC-SHA-1-96 [RFC2404] with key size 160
51070 07-24 09:22:12.862 5012 5025 I /system/bin/charon: 12[KEY] [install() 672] adding outbound ESP SA
51071 07-24 09:22:12.863 5012 5025 I /system/bin/charon: 12[KEY] [install() 676] SPI 0x5c04863d, src 192.168.0.193 dst 141.207.181.232
51072 07-24 09:22:12.863 5012 5025 I /system/bin/charon: 12[IKE] [install() 726] origin outbound policy: 2600:1016:8106:4ed0::/64 === ::/0
51073 07-24 09:22:12.863 5012 5025 I /system/bin/charon: 12[IKE] [install() 729] outbound policy: 2600:1016:8106:4ed0::/64 === ::/0
51074 07-24 09:22:12.863 5012 5025 I /system/bin/charon: 12[KEY] [add_sa() 1230] adding SAD entry with SPI 5c04863d and reqid {13} (mark 0/0x00000000)
51075 07-24 09:22:12.864 5012 5025 I /system/bin/charon: 12[KEY] [add_sa() 1341] using encryption algorithm AES-CBC [RFC3602] with key size 128
51078 07-24 09:22:12.865 5012 5025 I /system/bin/charon: 12[KEY] [add_sa() 1373] using integrity algorithm HMAC-SHA-1-96 [RFC2404] with key size 160
51084 07-24 09:22:12.868 5012 5025 I /system/bin/charon: 12[IKE] [add_policies() 857] add_policies: 2600:1016:8106:4ed0::/64 === ::/0 priority: 0
51093 07-24 09:22:12.872 5012 5025 I /system/bin/charon: 12[IKE] CHILD_SA test_1{13} established with SPIs c8fc064d_i 5c04863d_o and TS 2600:1016:8106:4ed0::/64 === ::/0
51094 07-24 09:22:12.872 5012 5025 I /system/bin/charon: 12[IKE] CHILD_SA test_1{13} established with SPIs c8fc064d_i 5c04863d_o and TS 2600:1016:8106:4ed0::/64 === ::/0
51126 07-24 09:22:12.921 5012 5025 I /system/bin/charon: 12[CHD] [child_updown() 895] ike_sa: COND_REAUTHENTICATING(0), COND_STALE(0)
55100 07-24 09:22:59.270 5012 5020 I /system/bin/charon: 07[IKE] [send_keepalive() 542] NATT keepalive through charon is enabled, interval:50

Thanks.

#3 Updated by Tobias Brunner about 5 years ago

  • Tracker changed from Feature to Issue
  • Priority changed from Urgent to Normal
  • Affected version set to 5.5.3

It seems strongSwan makes SA negotiation in serial order when there are multiple ipsec connection tries.

When did you observe this? Could you provide the steps to reproduce it? Or at least a log that shows this?

Andreas is referring to initiating multiple concurrent exchanges on a single IKEv2 SA, which is not supported. But initiating multiple SAs at the same time (even to the same peer) definitely is.
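
How the distinction drawn in comment #3 shows up in a charon initiator log, as an added example that is not part of the original thread or of strongSwan: the script attributes each exchange to a peer by pairing an ENC line with the NET line logged by the same worker thread, then checks that no SA ever has more than one request outstanding while the two negotiations overlap in time. The sample lines are constructed (documentation addresses); keying an SA by peer IP and the function names `correlate`, `max_outstanding` and `overlaps` are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log above (documentation addresses).
SAMPLE_LOG = """\
07-24 09:22:09.589 5012 5027 I /system/bin/charon: 14[ENC] [generate() 1536] generating IKE_SA_INIT request 0 [ SA KE No ]
07-24 09:22:09.591 5012 5027 I /system/bin/charon: 14[NET] [send_() 101] sending packet: from 192.0.2.10[32012] to 198.51.100.1[500] (372 bytes)
07-24 09:22:10.223 5012 5028 I /system/bin/charon: 15[ENC] [generate() 1536] generating IKE_SA_INIT request 0 [ SA KE No ]
07-24 09:22:10.225 5012 5028 I /system/bin/charon: 15[NET] [send_() 101] sending packet: from 192.0.2.10[32012] to 198.51.100.2[500] (372 bytes)
07-24 09:22:10.228 5012 5025 I /system/bin/charon: 12[NET] [execute() 73] received packet: from 198.51.100.1[500] to 192.0.2.10[32012] (288 bytes)
07-24 09:22:10.229 5012 5025 I /system/bin/charon: 12[ENC] [parse_body() 2088] parsed IKE_SA_INIT response 0 [ SA KE No ]
07-24 09:22:10.252 5012 5025 I /system/bin/charon: 12[ENC] [generate() 1536] generating IKE_AUTH request 1 [ IDi SA TSi TSr ]
07-24 09:22:10.255 5012 5025 I /system/bin/charon: 12[NET] [send_() 101] sending packet: from 192.0.2.10[32014] to 198.51.100.1[4500] (428 bytes)
07-24 09:22:10.744 5012 5019 I /system/bin/charon: 06[NET] [execute() 73] received packet: from 198.51.100.2[500] to 192.0.2.10[32012] (288 bytes)
07-24 09:22:10.751 5012 5019 I /system/bin/charon: 06[ENC] [parse_body() 2088] parsed IKE_SA_INIT response 0 [ SA KE No ]
07-24 09:22:10.815 5012 5019 I /system/bin/charon: 06[ENC] [generate() 1536] generating IKE_AUTH request 1 [ IDi SA TSi TSr ]
07-24 09:22:10.818 5012 5019 I /system/bin/charon: 06[NET] [send_() 101] sending packet: from 192.0.2.10[32014] to 198.51.100.2[4500] (428 bytes)
07-24 09:22:10.844 5012 5021 I /system/bin/charon: 08[NET] [execute() 73] received packet: from 198.51.100.1[4500] to 192.0.2.10[32014] (172 bytes)
07-24 09:22:10.846 5012 5021 I /system/bin/charon: 08[ENC] [parse_body() 2088] parsed IKE_AUTH response 1 [ IDr EAP/REQ/AKA ]
"""

# Time of day, worker thread number, subsystem, message text.
LINE = re.compile(r"(\d\d):(\d\d):(\d\d)\.(\d{3}).*?charon: (\d\d)\[(\w+)\] (.*)")
GEN = re.compile(r"generating (\S+) request (\d+)")
PARSED = re.compile(r"parsed (\S+) response (\d+)")
SEND = re.compile(r"sending packet: from \S+ to ([0-9a-fA-F.:]+)\[\d+\]")
RECV = re.compile(r"received packet: from ([0-9a-fA-F.:]+)\[\d+\]")


def correlate(log_text):
    """Return {peer_ip: [(ms, 'request'|'response', exchange, msg_id), ...]}."""
    pending_tx = {}  # thread -> request generated but not yet seen on the wire
    rx_peer = {}     # thread -> peer of the packet that thread just received
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        h, mi, s, ms, thread, _subsys, msg = m.groups()
        t = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1000 + int(ms)
        if g := GEN.search(msg):
            pending_tx[thread] = (t, g[1], int(g[2]))
        elif (p := SEND.search(msg)) and thread in pending_tx:
            # Retransmits log "sending packet" with no preceding "generating"
            # line in that thread, so they are skipped here.
            ts, exch, mid = pending_tx.pop(thread)
            events[p[1]].append((ts, "request", exch, mid))
        elif r := RECV.search(msg):
            rx_peer[thread] = r[1]
        elif (a := PARSED.search(msg)) and thread in rx_peer:
            events[rx_peer.pop(thread)].append((t, "response", a[1], int(a[2])))
    return dict(events)


def max_outstanding(peer_events):
    """Largest number of unanswered requests at any moment on one SA."""
    open_ids, peak = set(), 0
    for _ts, kind, _exch, mid in peer_events:
        if kind == "request":
            open_ids.add(mid)
        else:
            open_ids.discard(mid)
        peak = max(peak, len(open_ids))
    return peak


def overlaps(a, b):
    """True if the time spans of two negotiations intersect."""
    return a[0][0] <= b[-1][0] and b[0][0] <= a[-1][0]


if __name__ == "__main__":
    sas = correlate(SAMPLE_LOG)
    for peer, ev in sas.items():
        print(peer, [(k, i) for _, k, _, i in ev], "window peak:", max_outstanding(ev))
    first, second = sas.values()
    print("negotiations overlap in time:", overlaps(first, second))
```

The worker thread number changes from message to message, so it identifies one processing step rather than an SA; that is why the peer address from the adjacent NET line is used as the key.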

#4 Updated by Jeonghoon Lee about 5 years ago

Yes, I've checked that concurrent IKEv2 negotiation for multiple SAs is possible.
Thanks.

[Test step]
1. add connection 'Test1'
2. 'ipsec stroke up-nb Test1'
3. add connection 'Test2'
4. 'ipsec stroke up-nb Test2'

07-24 21:44:33.362 8270 8280 I /system/bin/charon: 10[CFG] [stroke_add_conn() 204] received stroke: add connection 'Test1'
07-24 21:44:33.485 8270 8285 I /system/bin/charon: 15[CFG] [stroke_initiate() 256] received stroke: initiate 'Test1'
07-24 21:44:33.973 8270 8286 I /system/bin/charon: 16[CFG] [stroke_add_conn() 204] received stroke: add connection 'Test2'
07-24 21:44:34.083 8270 8275 I /system/bin/charon: 05[CFG] [stroke_initiate() 256] received stroke: initiate 'Test2'
07-24 21:44:33.496 8270 8285 I /system/bin/charon: 15[ENC] [generate() 1536] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
07-24 21:44:33.816 8270 8279 I /system/bin/charon: 09[ENC] [parse_body() 2088] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
07-24 21:44:33.832 8270 8279 I /system/bin/charon: 09[ENC] [generate() 1536] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ (16390)) SA TSi TSr N(EAP_ONLY) ]
07-24 21:44:34.089 8270 8275 I /system/bin/charon: 05[ENC] [generate() 1536] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
07-24 21:44:34.383 8270 8281 I /system/bin/charon: 11[ENC] [parse_body() 2088] parsed IKE_AUTH response 1 [ N((41101)) IDr EAP/REQ/AKA ]
07-24 21:44:34.390 8270 8277 I /system/bin/charon: 07[ENC] [parse_body() 2088] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
07-24 21:44:34.412 8270 8277 I /system/bin/charon: 07[ENC] [generate() 1536] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ (16390)) SA TSi TSr N(EAP_ONLY) ]
07-24 21:44:34.540 8270 8281 I /system/bin/charon: 11[ENC] [generate() 1536] generating IKE_AUTH request 2 [ EAP/RES/AKA ]
07-24 21:44:34.784 8270 8279 I /system/bin/charon: 09[ENC] [parse_body() 2088] parsed IKE_AUTH response 1 [ N((41101)) IDr EAP/REQ/AKA ]
07-24 21:44:34.932 8270 8279 I /system/bin/charon: 09[ENC] [generate() 1536] generating IKE_AUTH request 2 [ EAP/RES/AKA ]
07-24 21:44:34.936 8270 8276 I /system/bin/charon: 06[ENC] [parse_body() 2088] parsed IKE_AUTH response 2 [ EAP/SUCC ]
07-24 21:44:34.937 8270 8276 I /system/bin/charon: 06[ENC] [generate() 1536] generating IKE_AUTH request 3 [ AUTH ]
07-24 21:44:35.308 8270 8280 I /system/bin/charon: 10[ENC] [parse_body() 2088] parsed IKE_AUTH response 2 [ EAP/SUCC ]
07-24 21:44:35.311 8270 8280 I /system/bin/charon: 10[ENC] [generate() 1536] generating IKE_AUTH request 3 [ AUTH ]
07-24 21:44:35.453 8270 8286 I /system/bin/charon: 16[ENC] [parse_body() 2088] parsed IKE_AUTH response 3 [ AUTH CPRP SA TSi TSr ]
07-24 21:44:35.519 8270 8286 I /system/bin/charon: 16[IKE] CHILD_SA Test1{1} established with SPIs c0a29c39_i 8e017737_o and TS 10.151.159.150/32 2600:100c:900d:d79e::/64 === ::/0 0.0.0.0/0
07-24 21:44:35.854 8270 8285 I /system/bin/charon: 15[ENC] [parse_body() 2088] parsed IKE_AUTH response 3 [ AUTH CPRP (16390) (16390)) SA TSi TSr ]
07-24 21:44:35.866 8270 8285 I /system/bin/charon: 15[IKE] CHILD_SA Test2{2} established with SPIs ca429895_i 2b027837_o and TS 2600:100c:8022:3544::/64 === ::/0
[file upload is blocked at my office.]

Thanks.

#5 Updated by Tobias Brunner about 5 years ago

  • Category set to libcharon
  • Status changed from Feedback to Closed
  • Resolution set to No change required
