Issue #3419

strongswan initiator/client creates two IKE SAs with same peer

Added by Kumar Putta Swamy 6 months ago. Updated 5 months ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.6.3
Resolution:
No change required

Description

strongSwan version: strongSwan 5.6.3, Linux 3.10.105, armv7l
We have a strongSwan client that initiates the IPsec tunnel to the headend device based on the incoming L2TP traffic.
The L2TP client always tries to establish an L2TP tunnel and hence the trigger for the IPsec tunnel is constant.
The very first time the client initiates the IPsec tunnel, it establishes one IKE and ESP tunnel.

But whenever we restart the IPsec termination service on the headend, we observe that the client forms 2 IKE and ESP tunnels to the same peer.
We observe that the client initiates its second connection despite the fact that the first IKE and ESP session goes through.

Have attached the IPsec.conf and the IPsec-client and IPsec-headend logs.
Request to please let us know if there is an existing defect or some parameter that we need to change in order to avoid the IPsec client forming the second IKE and ESP session.

Attached files:
Please note: xxxx represents the client.
x.x.x.x represents the headend IP to which the tunnel is being formed.

IPsec.conf
IPsec-session-details.log
IPsec-client.log
IPsec-headend.log

Client and headend logs indicating 2 IKE and ESP sessions.
Client:
Apr 21 08:26:43 12[IKE] <headend_x.x.x.x:|2> IKE_SA headend_x.x.x.x:[2] established between 192.168.0.132[xxxx]...x.x.x.x[x.x.x.x]
Apr 21 08:26:44 03[IKE] <headend_x.x.x.x:|3> IKE_SA headend_x.x.x.x:[3] established between 192.168.0.132[xxxx]...x.x.x.x[x.x.x.x]

Headend:
2020-04-21T08:26:43.372605Z G79 ipsec.go:3780: IPsec connection with 98.234.168.187:4500 by "#xxxx" (SAID 1) established
2020-04-21T08:26:44.41487Z G79 ipsec.go:3780: IPsec connection with 98.234.168.187:4500 by "#xxxx" (SAID 2) established

IPsec.conf dump:

conn %default
    version=2
    keyexchange=ikev2
    type=transport
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    rekey=yes
    reauth=no
    keyingtries=1
    authby=psk
    mobike=no
    fragmentation=no
    ike=aes256ctr-sha512-prfsha512-modp4096-curve25519!
    esp=aes256ctr-sha512-modp4096-curve25519-esn,aes256gcm16-modp4096-curve25519-esn!
    closeaction=restart
    dpdaction=restart
    dpddelay=90s
    leftid=@#xxxx
    leftauth=psk
    rightauth=psk
    auto=route
    leftsubnet=%dynamic[115]
    rightsubnet=%dynamic[115]
    left=%defaultroute

conn headend_x.x.x.x:
    rightid = x.x.x.x
    reqid = 1

IPsec.conf (661 Bytes) IPsec.conf Lists the IPsec conf on client side. Kumar Putta Swamy, 22.04.2020 00:21
IPsec-session-details.log (5.06 KB) IPsec-session-details.log Shows 2 IKE and ESP sessions from strongSwan client to same peer. Kumar Putta Swamy, 22.04.2020 00:21
IPsec-client.log (315 KB) IPsec-client.log logs for strongSwan client showing 2 tunnels getting initiated and formed to headend Kumar Putta Swamy, 22.04.2020 00:22
IPsec-headend.log (49.9 KB) IPsec-headend.log IPsec headend log Kumar Putta Swamy, 22.04.2020 00:23

History

#1 Updated by Tobias Brunner 6 months ago

  • Description updated (diff)
  • Category changed from charon to configuration
  • Status changed from New to Feedback
  • Priority changed from High to Normal

That's because of your use of auto=route in combination with closeaction=restart (and potentially also dpdaction=restart).

#2 Updated by Kumar Putta Swamy 5 months ago

Thanks Tobias.
After we changed the settings to the following, we do not see the issue of the initiator creating two IKE SAs with the same peer.
auto=route
closeaction=none
dpdaction=clear

#3 Updated by Tobias Brunner 5 months ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required

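The diagnosis in #1 comes down to two independent initiation paths in the same conn: auto=route installs a trap policy that re-initiates as soon as the (constant) L2TP traffic hits it, while closeaction=restart and dpdaction=restart also re-initiate immediately when the headend restart deletes the SA. Both fire, and the initiator ends up with two IKE_SAs to the same peer, as the client log shows. The script below is an added example (not part of the issue, not strongSwan's own code): it parses a trimmed, constructed copy of the ipsec.conf from the description (with "conn %default" folded into the conn, as the starter does), flags any conn that combines auto=route with a restart action, shows that the change from #2 passes the check, and separately groups the constructed "IKE_SA ... established" client log lines by peer to confirm the duplicate. The parser handles only the subset of ipsec.conf syntax visible on this page ("conn" sections, key=value lines, "#" comments); "also=" and "config setup" are not supported.

```python
"""Spot the ipsec.conf combination behind duplicate IKE_SAs (added example)."""
import re
from collections import defaultdict

# Constructed: a trimmed copy of the client config posted in the issue.
# Only the parameters relevant to the duplicate-SA behaviour are kept.
ORIGINAL_CONF = """\
conn %default
    keyexchange=ikev2
    type=transport
    keyingtries=1
    closeaction=restart
    dpdaction=restart
    dpddelay=90s
    auto=route
    left=%defaultroute

conn headend_x.x.x.x:
    rightid = x.x.x.x
    reqid = 1
"""

# Constructed: the same config with the change reported in comment #2.
FIXED_CONF = (ORIGINAL_CONF
              .replace("closeaction=restart", "closeaction=none")
              .replace("dpdaction=restart", "dpdaction=clear"))

# Constructed from the two client log lines quoted in the issue.
CLIENT_LOG = """\
Apr 21 08:26:43 12[IKE] <headend_x.x.x.x:|2> IKE_SA headend_x.x.x.x:[2] established between 192.168.0.132[xxxx]...x.x.x.x[x.x.x.x]
Apr 21 08:26:44 03[IKE] <headend_x.x.x.x:|3> IKE_SA headend_x.x.x.x:[3] established between 192.168.0.132[xxxx]...x.x.x.x[x.x.x.x]
"""

# Actions that make charon re-initiate on its own when the peer tears the SA down.
RESTART_ACTIONS = ("closeaction", "dpdaction")

IKE_SA_RE = re.compile(
    r"IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\] established between "
    r"(?P<local>\S+?)\.\.\.(?P<remote>\S+)")


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' folded into every conn.

    Subset parser: 'conn <name>' headers, indented key=value lines (whitespace
    around '=' tolerated, as in the posted config), '#' comments at line start or
    after whitespace. 'also=' and 'config setup' are ignored.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                     # section header
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **params} for name, params in sections.items()}


def find_risky_conns(conf):
    """Conns where the trap policy (auto=route) and a *=restart action can both
    re-initiate after the peer drops the SA. Returns {conn: [offending keys]}."""
    findings = {}
    for name, params in conf.items():
        if params.get("auto") != "route":
            continue
        restarting = [k for k in RESTART_ACTIONS if params.get(k) == "restart"]
        if restarting:
            findings[name] = restarting
    return findings


def find_duplicate_ike_sas(log_text):
    """Group 'IKE_SA <conn>[<id>] established' lines by (conn, remote endpoint)
    and return only the groups with more than one IKE_SA id. Deletes/rekeys are
    not tracked here, so a hit means 'established twice', not 'still both up'."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = IKE_SA_RE.search(line)
        if m:
            seen[(m["conn"], m["remote"])].append(int(m["id"]))
    return {k: ids for k, ids in seen.items() if len(ids) > 1}


if __name__ == "__main__":
    print("original:", find_risky_conns(parse_ipsec_conf(ORIGINAL_CONF)))
    print("fixed:   ", find_risky_conns(parse_ipsec_conf(FIXED_CONF)))
    print("dup SAs: ", find_duplicate_ike_sas(CLIENT_LOG))
```

Against the original config the check reports the conn with both closeaction and dpdaction; against the #2 variant it reports nothing, and the log grouping returns IKE_SA ids 2 and 3 for the single headend peer. The point of the config check is that a trap policy already re-establishes the SA on demand, so with auto=route the restart actions add a second, redundant initiator rather than extra resilience.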